Director, Cyber Risk Management

ICMA-RC - Richmond, VA

Full-time. Estimated: $110,000 - $160,000 a year
Reach Your Peak with ICMA-RC, a FINANCIAL SERVICES LEADER in public sector employee retirement products and services. Headquartered in Washington, DC, our Financial Services corporation administers over $50 billion in retirement plan assets for more than one million participant accounts. We are constantly looking for ways to create new opportunities to serve our participants. We have an extraordinary talent base and invite you to consider joining ICMA-RC's Enterprise Security.

Provide leadership for the Enterprise Security (ES) and Risk Management Program. The program should ensure that ICMA-RC’s systems and information assets are adequately protected, ensure compliance with regulatory and contractual obligations, and advise senior management of business risks associated with ES. The program must ensure appropriate Cyber Risk governance (policy, procedures, baselines and monitoring); assess current controls and residual risk for appropriateness; test compliance with policies, procedures and monitoring; and identify and reduce potential audit issues. The director will serve as subject matter expert for best practices and security technical controls, and will also work with the various units to implement safeguards appropriate for ICMA-RC’s ES program. The director is the “process owner” for all of ICMA-RC’s ES-related risk assessments, third-party due diligence efforts, and remediation activities. The position is also responsible for coordinating the process of mitigating audit findings and gathering management responses.

The director will work with the various business units to implement practices that meet ICMA-RC’s defined policies and standards for ES risk management. A critical element of the risk director’s role is working with the senior management in Information Technology (IT), ES, Enterprise Risk Management (ERM) and Internal Audit.

The director will also be responsible for establishing an organizational cyber threat profile used for optimizing all aspects of the ES control framework that protects information systems and the data within them. This will include identifying system objectives and vulnerabilities, and the countermeasures to prevent, or mitigate the effects of, threats to the business system.

Essential functions for this role include:
Manage the personnel, tools and processes involved in ES risk assessment, management and governance.
Conduct ES risk assessments, including documenting controls, creating detailed process flows, identifying potential gaps and/or inconsistencies, and making sound recommendations for improvement and/or migration. Work directly with the various business units within IT, ES, and other areas to facilitate ES risk analysis and risk management processes; identify acceptable levels of residual risk. Assist with action plans, policy and procedural changes for risk avoidance and mitigation.
Develop metrics and reporting to demonstrate organizational cyber risk posture. Communicate risk posture to ES, IT, and ERM on a scheduled basis.
Test areas within ES and IT for adherence to controls, policy, procedures and standards. Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure appropriate remediation measures have been taken. Track mitigation steps (from self-assessments & Internal Audit) and ensure that risks are remediated appropriately and in a timely manner. Perform mitigation steps identified in reviews, self-assessments, automated assessments, and internal and external audits.
Interface with Internal Audit to provide a centralized point-of-contact from IT (IT & ES) for communication regarding ongoing audits, audit information requests, and audit finding updates.
Manage daily operation of unit including the management of all personnel actions (hires, terminations, promotions). Responsible for establishing and evaluating staff training and staff performance; serve as backup role to ES leadership as needed.
If you have the following credentials, we encourage you to apply:

BA/BS or equivalent experience; 5-7 years of overall supervisory/management experience
7-10 years of working experience within Enterprise Security and Technology. 3-4 years of experience focused on Security Risk Management disciplines, preferably in the financial services industry.
At least one of the following: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), or Certified in Risk and Information Systems Control (CRISC)
Thorough knowledge of risk management disciplines
Thorough knowledge of technology processes and controls and a deep understanding of security, risk, control, and reporting frameworks: Gramm-Leach-Bliley Act (GLBA), Service Organization Control reporting (SOC 1 & SOC 2), NIST SP 800-53 & CSF, CIS Critical 20, COBIT, ITIL
Strong understanding of application, network, operating system and core infrastructure security concepts and concerns
Effective leadership, coordination and operations planning expertise in a cross-divisional environment
Effective negotiating skills
Strong process orientation and understanding of Enterprise Security, technology and financial services, enabling the candidate to provide support in the analysis, development and monitoring of controls
Problem solver
Excellent written and verbal communication skills
Experience with security/technology metrics aggregation, collection and presentation

For your well-being, we offer a solid compensation and benefits package that features a competitive salary, a straightforward incentive plan that rewards results, and a 401(k) Plan. For your career, we offer tuition reimbursement, professional development courses, seminars, career enrichment assignments, mentoring programs and a record of enterprise growth that creates continuing opportunities for career advancement. Consider ICMA-RC, and respond in strictest confidence. ICMA-RC is an Equal Opportunity Employer that values diversity in the workplace. Minorities and women are encouraged to apply. We look forward to hearing from you.
