Director of Security Risk, Governance and Compliance

  • Request Technology - Stephanie Baker
  • San Francisco, CA, USA
  • Nov 01, 2017
Full time · Information Technology · Telecommunications

Job Description

Seeking an individual to head the Cyber Risk and Assurance team for a prestigious Financial Services Client in San Francisco. This role will be instrumental in building and leading a team of senior Cyber Risk Assurance experts to: develop and maintain an innovative cyber risk control framework for the organization's business partners (the framework must be built from scratch, not as a modification of BITS SIG, NIST CF, HITRUST CSF, ISO 270XX, or similar); harmonize and map requirements from current and future laws, regulations, customer contracts, and business mandates; evaluate the cyber risk management capabilities of potential business partners; develop and negotiate appropriate business agreement language; and plan, scope and conduct formal monitoring and validation of business partner cyber risk management capabilities at varying levels of assurance.

Responsibilities will include:

  • Collaborate closely with the leader of the Cyber Risk Solutions organization to form and lead a team of physical facility continuity experts to plan and execute live simulations of facility continuity risk events in order to test and measure the company's ability to restore business processes to the appropriate level of functionality in accordance with business requirements.
  • Build and lead a team of security marketing specialists and assurance analysts to create and maintain standard audit response database, coordinate internal and external (regulators, customers, etc.) audits of the IT organization, respond to auditor requests for information and control testing, develop management responses to audit findings, track and report audit finding resolution, create and maintain standard RFP response database, respond to RFPs from current and prospective customers, coordinate availability of cyber risk management SMEs to participate in customer visits, address ad-hoc inquiries from customers on cyber risk management topics.
  • Build and lead a team of senior security assurance experts to participate in merger and acquisition due diligence projects and formally compare the risk appetite and cyber risk management capabilities of potential merger targets to those of the company.
  • Establish and sustain strong working relationships with the organization's customers and stakeholders.
  • Partnering closely with the HR team, hire, mentor, coach, train and manage the performance of the organization's leaders and individual contributors.
  • Develop and continuously evolve the organization's processes/methodologies, structure, culture, skills/experience, process support tools, knowledge resources, and other components.
  • Partnering closely with the procurement and legal teams, identify, select and actively manage the organization's suppliers, service providers and business partners.
  • Partnering closely with the Compliance and Audit teams, ensure adherence to all applicable legal, regulatory and contractual requirements in all activities of the organization.
  • Manage the organization's operating and project budgets and ensure executive leadership's support for appropriate funding levels.
  • Instill and promote a strong results-oriented culture centered on business value creation, collaboration, commitment, merit-based recognition, personal development and external benchmarking.
  • Promote the company's image as a leader in setting strategy and developing services and capabilities as compared to competitors and peers in other industries.
  • Share leading practices and lessons learned in managing customer engagements, delivering services, and operating solutions with industry peers, other industries, professional consortia, and relevant government organizations.

Requirements:

  • At least 2 to 5 years of senior leadership experience in information security or another cross-functional IT discipline (e.g. IT architecture) in Fortune 100 size organizations.
  • Exceptional written, visual and verbal communication skills and experience communicating effectively with executive business leaders and external customers.
  • Proven track record of identifying, hiring and retaining the top talent in cyber security, survivable system engineering, and IT risk management resource markets.
  • Industry-recognized experience in designing and building from scratch innovative risk control frameworks that overcome the limitations of prevailing checklist-based approaches to risk control evaluation and monitoring.
  • Exceptional sales and marketing skills applied in pre-sales and post-sales interactions with Fortune 100-scale organizations.
  • Experience in staffing, mentoring, coaching, and managing leadership teams consisting of multiple directors and senior managers.
  • Minimum 3 years of experience in working at a Big Four or equivalent advisory organization in support of multinational enterprises across several industries.
  • Demonstrated track record of successfully developing and maturing cyber risk organizations with the emphasis on delivering results.
  • Deep understanding of and prior hands-on experience in all major information security, appropriate use, and survivable system engineering functions and activities including policy setting, vulnerability/risk research, security/availability architecture, system security/survivability engineering, incident response, cyber risk operations, cyber risk audit/compliance.
  • Track record of successfully executing profound organizational changes while maintaining support, buy-in and commitment from all stakeholders.
  • Complete architecture-level understanding of all major information security and appropriate use enforcement technology solutions including advanced malware detection/prevention, mobile device virtualization/MDM, cloud security management, structured and unstructured database encryption, mobile application and remote API security, fine-grained application authorization and access control, security event visualization, big data user and entity behavior analytics, active adversary deception, and others.
  • Deep understanding of all applicable regulatory standards and requirements, including HIPAA, NAIC ORSA, FISMA, NAIC MAR, and others, and experience in interpreting the requirements in the context of different industries.
  • Demonstrated ability to influence business leadership and cross-functional teams.
  • Proven track record of managing all aspects (scope, budget, schedule, quality) of cross-functional large-scale IT/business projects in Fortune 100 scale global environments.
  • Externally recognized information security and IT risk management industry thought leadership and innovation accomplishments.
  • Strong skills and experience in designing and documenting complex processes, and identifying and eliminating deficiencies in existing process designs.
  • Understanding of contemporary security vulnerabilities, exploitation techniques and attack vectors.
  • Demonstrated ability to establish and maintain strong working relationships with external customers, suppliers, business partners, and industry peers.
  • A widely recognized professional certification such as CISM or CISSP is strongly preferred.