Reference 24000QM7
Responsibilities
The Risk Management Department contributes to the sustainable growth of the Societe Generale group through its expertise, understanding of risks, and risk management techniques. The department’s mission is to independently analyze, assess, manage and monitor risk-taking activities with the objective of achieving, together with the first line-of-defense, the best possible outcome for the bank. The department oversees the enterprise, strategic, credit, market, liquidity, operational, model, and other risks of the corporate and investment banking business activities.
Independent from the Business Lines, the Risk Management (RISQ) Division's mission is to contribute to the development of the SG Group's activity by facilitating the objectives of the Business Lines while maintaining independent oversight through risk evaluation and monitoring. The RISQ division in the US supports all the activities in the Americas Region (US, Canada and Latin America), which is almost exclusively corporate and investment banking (GBIS) oriented
ABOUT THE JOB:
The Head of Cybersecurity Risk is looking to hire a Cybersecurity Risk Manager that will join the RISQ/OPE organization to help further define the 2nd line of defense processes, policies and tools for SG’s data and technology environments. Cyber risk coverage areas include Reference data, transaction processing, digital transformation (cloud), threat intelligence, Identity and Access Management, data protection and cybersecurity incident/response.
This role is responsible to evaluate overall cybersecurity risk, maintain an active view, and report on the actual, mitigated, and residual cybersecurity risk in the organization. This resource will also help further define the Cybersecurity Risk 2nd line of defense practices including, but not limited to assessments, life-cycle practices, operational incident/response, service delivery, and BCP. This is an individual contributor role.
What will be your DAY-TO-DAY?
Day to day responsibilities include but not limited to:
- Perform full range of technology and information and cyber security risk management lifecycle activities, including risk identification, assessment, reporting and oversight of remediation planning and execution. E.g. third-party, application, database, infrastructure, network penetration testing, etc
- Partner with Chief Information Security Officer (CISO), and IT organizations to establish standards, policies, and develop KRIs and KPIs for measuring and monitoring cyber risks on a continuous basis
- Developing and managing Information Technology & Information Security Risk Program, using standard risk taxonomy, such as FAIR
- Provide and perform independent assurance and validation activities over common cybersecurity controls that include both administrative and technical
- Assess the accuracy, completeness, and sufficiency of the risk management governance framework, processes and methodologies. Identify and define emerging cyber threats and risks to SG’s environment
- Perform effective challenge of all critical and highly sensitive processes & controls, and business continuity
- Develop cyber security risk scenarios to identify potential attack vectors and TTP (tactics, techniques and procedures) to guide the continuous improvement of firm’s cyber defense posture. Lead and support selected cyber security remediation efforts, involved with strategic planning with 1LOD
- Recommend enhancements to data & technology architectures, processes and controls to improve cybersecurity, data and technology risk management capabilities for high-risk processes, regulatory reporting and risk oversight
- Develop and roll-out tools for the aggregation and surveillance of cybersecurity risk, data risk & technology risk
- Identify legal, regulatory, and contractual requirements, and organizational policies and standards related to data management systems to determine their potential impact on the business objectives
- Expand operational risk processes, data collection and issues management tools to track and report data related operational risks and issues
- Participate in and review data breaches and technology incident/response escalation processes
- Develop operational resiliency scenarios for stress testing and capital planning activities
- Lead or support selected cybersecurity remediation efforts
Profile required
Must Have:
- Bachelor and or master’s degree in computer science, Engineering or relevant technical field
- Understanding of financial services specifically within cyber and data privacy related laws, regulations, frameworks and guidelines (NYSDFS - 23NYCRR500, ECB, GDPR, GLBA, Regulation S-P, etc.)
- Experience in assessing design and operating effectiveness of technology controls
- Solid foundation in information technology and information security principles. Familiar with common cybersecurity frameworks and standards such as NIST SP 800-53, NIST CSF, Mitre Attack, FFIEC CAT, CSC Top 20, COBIT, ISO 27000 series
- Previous working experiences in cybersecurity operation and relevant security design knowledge.
- Previous work within Risk and/or Information Security/Cyber Security. Ideally, has worked in a 2 LOD Cyber Security Risk function
- Background in IT Risk Assessment, IT Audit, Information security management
- Experience integrating vulnerability and patch management tools with IT/IS risk program. Furthermore, communicate and determine vulnerability remediation priorities
- Knowledge of US IT Security regulatory requirements and environment in financial services industry a plus (i.e. FFIEC, FINRA rules, SEC, NIST cybersecurity frameworks)
- Strong leadership skills with ability to lead by influence
Nice to Have:
- IT Risk management or governance certifications (CGEIT, CRISC, CISA)
- CISSP, CISM, or CISA certifications
LANGUAGE:
Ability to communicate in English, both orally and in writing, is a requirement as the person in this position will need to collaborate regularly with colleagues and partners in the United States.
Due to US Federal Securities law applying to this position, candidates who will apply for this position will be required to submit to an enhanced background screening, including the collection of their fingerprints by a third-party vendor selected by the Financial Industry Regulatory Authority ("FINRA")