Information Security Governance, Risk and Compliance Manager Société Générale
New York, NY

Job Description

Environment

The Regulatory Oversight and Cyber Security group (ROCS) is responsible for the identification, assessment, monitoring, remediation and reporting of operational risks within the Global Banking Investor Solutions division(GBIS). The Data & Cyber Security group is responsible for management of Information Security and Cyber Security frameworks for the entire perimeter.

The Information Security GRC Lead (Governance, Risk & Compliance) provides senior leadership and direction to all security GRC-related initiatives. In addition to providing strategic input to the security strategy and roadmap in the Americas region, the position is hands-on and requires tactical management of the security GRC processes, frameworks, and tools working with a team of security professionals. The position also requires an in-depth knowledge of the regulations (e.g., FFIEC, FDIC, SEC, DFS500) and best security practices (e.g., NIST, ISO) applicable to the financial industry.

It is essential that the candidate be able to demonstrate practical and in-depth knowledge of security GRC practices and processes including the use of GRC tools such as Archer, reporting tools such as Tableau. The position also assists with the development of capital and operating funding requirements for all security GRC programs and projects as part of the annual budget process and monthly financial reporting.

The ideal candidate is a leader of people and provides mentoring and coaching to their team of security professionals to ensure they perform optimally and are able to achieve their professional goals. Furthermore, the Security GRC Lead is a strong collaborator with the Americas CISO, all the security team members, and across the organization (regionally in the Americas and globally).

Mission

Day-to-Day Responsibilities:

NYSDFS 500 Cybersecurity Regulation Management

* Act as the main point of contact for all DFS500-related matters to ensure the bank maintains and enhances its level of compliance with DFS500
* Establish all required activities to ensure that the program is sustainable and effective year after year and can achieve a high-level of efficiency in terms of people, processes, and tools
* Oversee and actively maintain the DFS500 methodology and program such as a charter, team profile, scope statement, program requirements, periodic review of required controls, annual attestation (including periodic sub-certifications), monitoring costs, securing acceptance of deliverables and other evidential documentation as needed
* Lead the DFS500 exams as requested by the NYSDFS regulators
* Collect and automate (whenever possible) DFS500 metrics to demonstrate risk reduction for the bank and to produce reports for multiple audiences such as executive management (board of directors, e.g.), auditors, technical staff, etc.
* Act as a subject matter expert and advisor with regards to DFS500 requirements for all stakeholders

Security GRC Framework Management

* Act as the main point of contact for the design and deployment of the security GRC framework
* Partner with all team members in the CISO's organization to build an integrated end-to-end security GRC framework to provide a "one-stop shop" shop for all security activities and controls
* Manage all security policies, standards, procedures, and guideline, and any related GRC issues with stakeholders including the management of exceptions to policies and standards
* Manage the security GRC component of the bank's GRC portal (Archer) to ensure it is aligned with our security GRC framework
* Manage the security GRC framework to:
* Ensure controls are in place and working as they should
* Ensure policies, standards, procedures, and guidelines are updated to reflect changes in the business and IT environment
* Ensure clients, regulatory, and internal requirements are being met consistently and cost-effectively
* Automate and streamline all processes related to managing the bank's security GRC framework
* Provide multi-level reporting to all stakeholders in the company: Executives, clients, business leads, IT leads, audit and regulatory representatives
* Manage all security assessments required internally or externally including the consulting firms and/or contractors engaged to support such assessments
* Build partnerships across the organization in all disciplines: audit, legal, information technology, financial management (treasury, for instance), business operations, sales and marketing, corporate communications, risk management, etc. to ensure the security GRC program is aligned with business objectives and requirements
* Develop an audit engagement model and a regulatory engagement model
* Manage the security awareness program throughout the bank in the Americas region:
* Educate end-users and IT staff in security threats, risks, policies, and security best practices
* Define end-users responsibilities in safe and secure computing

Documentation, Reporting & Analytics

* Contribute to the design and implementation of an operational reporting framework that will provide regular metrics and statistics about our business and IT environment; analyze trends in security events, activities, etc. to better understand risks, insufficiencies in our solutions, staffing shortages, etc.; report security metrics and statistics to the CISO and other key stakeholders throughout the bank
* Manage any security business practice irregularities, violations and infractions including exceptions, risk memos, security position memos
* Prepare annual detailed plans for security reviews/audits and any other compliance tasks required internally or externally

Profile

Technical Skills:

* Proficient with MS Office, project management software, and at least one GRC tool (highly recommended)
* Solid understanding of common security tools (e.g., vulnerability scanners, firewalls, IDS/IPS, AV software) strongly recommended
* Extensive training and experience in computer disciplines such as application and data security, systems programming, systems design, computer technology or software disciplines

Competencies:

* Strong analytical skills, problem solving skills, and project/program management skills
* Excellent communication skills working with all levels of management across the entire organization

Experience Needed:

* 10-15 years' demonstrable experience in security GRC management, security project management, security policy management, and other security practices
* Hands-on experience with designing, implementing and managing security GRC programs
* Past experience managing a small to mid-sized team

Educational Requirements:

* Bachelor's degree or equivalent business experience in Computer Science, Business Management, or MIS required
* Certified training in security management, risk and compliance solutions and practices. CISSP, CISA, CISM, GSEC, CRISC, or related certification(s) required