Click here to apply!
Basic Purpose
The Principal, Information Security Governance & Risk Management supports Navy Federal Credit Union’s (NFCU) Information Security Division in effectively managing the Enterprise’s Information Security risks and overall program. Responsible for the strategy, management and the overall execution of first line of defense information security risk management and governance activities at the enterprise. This role will collaborate with NFCU business unit Sr. leaders across the enterprise to identify, mitigate and manage information security risks. Uses extensive industry and real world experience to lead information security governance and risk management activities, developing pragmatic solutions to address gaps in line with established risk appetites. Ensure information security governance and risk management activities align with strategic business initiatives, achieve business and quality objectives, mitigate risk and enhance operating procedures. Develop dashboards, metrics and reporting data to provide consultative guidance during monthly and quarterly governance committees. Promote operational efficiency and service excellence through appropriate risk controls, process improvements and training while reducing and mitigating financial losses.
Responsibilities:
• Lead the Information Security Standards Management and Assurance program across the enterprise to ensure right sized compliance and alignment to industry best practices.
• Develop and lead a comprehensive Information Security Program Maturity Assessment and Risk Assessment initiatives in line with the enterprise goals and regulatory expectations.
• Oversee the PCI Security Standards program ensuring compliance and/or assurance with the data security standards.
• Lead the Information Security Governance Function’s Change Management practices, ensuring the delivery of a consistent framework, supporting other pillars including, but not limited to, RCSA, Issues and Events, Controls Testing, GRC and Third Party Risk Management.
• Develop a best in class emerging industry risks program to comprehensively and proactively identify trends, regulatory changes, reputational challenges and misinformation that could affect NFCU or its members.
• Ensure the effective identification, mitigation and management of information security risks arising from business activities. In addition, provide guidance and advice to senior management on the status of their control environment related to standards compliance, risk identification and control issues. Identify critical areas to monitor and escalate issues and findings to appropriate stakeholders and governance committees.
• As applicable, articulate implications of risks and issues related to data management and protection to sponsors and risk owners and, if necessary, assist with security exceptions or issue management
• Translate control deficiencies into action plans and provide recommendations to enhance governance practices in alignment with risk and compliance frameworks.
• Participate in Security-related special projects, councils, working groups, etc. as a Risk SME Text here
• Perform other duties as assigned
Qualifications and Education Requirements:
• Bachelor's degree in Information Systems, Computer Science, Engineering, Business, Mathematics, Economics, or related field, or the equivalent combination of education, training and experience
• A minimum of 12-15 years of experience leading risk and/or compliance related activities in financial services or other relevant industry, especially Operational Risk Programs
• Deep knowledge of federal banking safety and soundness regulations and extensive familiarity of CAMELS, FFIEC and examination approaches from NCUA, OCC, FHFA and the CFPB.
• Extensive knowledge of industry leading risk management frameworks such as COSO, COBIT, NIST CSF, ITIL)
• Advanced knowledge of the PCI standards framework
• Working knowledge of at least one data protection and/or privacy framework (e.g. DMM, DMBOK, NIST Privacy Framework)
• Working knowledge of the MITRE attack framework
• Extensive experience in the development of risk management frameworks along with the requisite implementation
• Advanced knowledge of information technology systems, project processes, and application development
• Advanced organizational, planning and time management skills
• Advanced research, analytical, and problem solving skills
• Advanced skill developing and implementing programs in a leadership role
• Advanced skill building effective relationships with all levels of staff, management, stakeholders, and vendors, through rapport, trust, diplomacy and tact
• Advanced verbal, written, interpersonal, and presentation skills to communicate clearly and concisely technical and non-technical information to all levels of management and a strong EQ
• Effective skill to influence, negotiate and persuade to reach agreeable exchange and positive outcomes
• Advanced skill exercising initiative and using good judgment to make sound decisions
Desired Qualifications and Education Requirements:
• Graduate education in Business, Cyber/Information Security Risk, Information Systems, Computer Science, Engineering, Quantitative discipline or related field
• Professional certifications including, but not limited to any of the following: FRM, PRM, CISA, CISM, CISSP, CGEIT, CRISC, CFE, CPA, CIA, CIPP, ISA, AWS and etc.
• Professional or planned date for certification in Operational Risk, and/or specialized in Technology or Information Security
• Knowledge of Navy Federal Credit Union instructions, standards, and procedures
Hours: Monday - Friday, 8:00am - 4:30pm
Location: 820 Follin Lane, Vienna, VA 22180
External salary range: $130,500 - $184,400
*Due to COVID-19 and social distancing, this position will be temporarily working from home with plans to return to campus at the desired location listed once Navy Federal is back to normal operations. The specific logistics for returning to campus will be determined at a future date by individual leadership*
