Principal Technology Risk & Control

25 Nov 2024

Vacancy expired!

Overview

Principal Technology Risk and Control

Who we are: For over 235 years, Bank of New York Mellon (BNY Mellon) has been at the center of the global financial markets, providing the world's leading institutions the tools, capabilities, and services to be distinctive investors. BNY Mellon has approximately $16.5 billion in revenues and a 23% return on tangible common equity. BNY Mellon is a leader in the world of investment services and investment management, and our businesses support the full range of stakeholders of the financial system including:
  • Managing the custody of approximately $37 trillion in financial assets of the world's leading institutional investors, hedge funds, sovereign wealth funds, and corporates
  • Investing approximately $2 trillion as one of the largest global asset managers across a wide range of asset classes
  • Providing collateral, liquidity, and funding for the world's largest banks through our markets franchise
  • Serving family offices and high net worth individuals through our wealth management franchise
  • Providing a full suite of solutions to advisors, broker-dealers, family offices, hedge and '40 Act fund managers, registered investment advisor firms and wealth managers
  • Advising large global corporations on a range of trust and other solutions
  • Providing integrated managed data services to asset managers

What we do: BNY Mellon Technology's mission is to provide our business partners with technology-based solutions that enhance their ability to be successful through world-class software solutions maintained on a stable and secure infrastructure, and to provide our employees with the tools and means to enhance their professional qualifications and careers. We made risk management agile. We believe that unrestricted collaboration and continuous, conscious reprioritization are key to effective execution, so we took an innovative approach to risk management and applied agile practices to manage our daily work. Here your work makes an impact every day. A non-hierarchical organization supports free-flowing communication and empowers employees to take initiative. Your voice is heard, and your actions are seen.

Within this role you will form part of the 1st line of defense Technology team responsible for driving IT and cyber risk management practices across Asset Servicing Technology. You will be accountable for leading the assessment, monitoring and reporting of technology, cyber, and information security risks inherent to business activities. You will provide technical expertise and thought leadership through effective challenge, sound advice and material support across the full range of risk management lifecycle activities, including risk identification, assessment, and oversight of remediation planning and execution.

You will build strong relationships by serving as the primary lead for the Technology Risk interface with Audit, Compliance, Legal, 2nd Line Risk Management, Technology (including Information Security) and Business stakeholders across the Asset Servicing lines of business, and will facilitate the timely sharing of emerging regulations, technology and information security risks, and operational changes across these teams. You will partner with Internal Audit to facilitate Internal Audit engagements, ensuring that audit requests are met on time and potential issues are properly vetted, while working together to ensure efficiency and effectiveness throughout the engagement. This role engages information security teams to maintain situational awareness, proactively identify risk issues, drive remediation activities, and continuously reduce Asset Servicing Technology risk. You will interpret and drive enforcement of technology risk and information security policies, standards and regulatory requirements, and ensure consistent technology risk management. You will manage regulatory interactions while partnering with Technology (including Information Security), Compliance, Legal and 2nd Line Risk; this includes oversight of general queries, consultations, inspections and incident reporting, as appropriate. Prior direct experience with regulators is essential. You will be responsible for supporting the execution of Risk framework practices.

You will use knowledge of information technology, risk and control frameworks, risk and control theory and practice, and controls implementation and assessment to determine potential risks to the organization. You will manage analysis and draw conclusions in order to recommend and direct any resulting change needed to mitigate risk. You will be responsible for implementing the risk framework and for identifying, analyzing, monitoring, reporting on, and minimizing information technology risks; consulting and advising on all technology risk matters; supporting related risk programs (audit response, regulatory inquiry and response, etc.); and managing complex projects that involve working with the businesses to improve controls and mitigate any deficiencies. Strong written and verbal communication, organizational and teamwork skills, and strong interpersonal skills to support mentoring are required, along with the ability to work independently or as part of a team.

The successful candidate will:
  • Have skills in risk identification and risk management processes across all aspects of technology and cyber-related risks and controls.
  • Have the ability to support the effectiveness of the enterprise-wide information security strategy, including related programs, processes, and initiatives.
  • Have the ability to provide consultative guidance on sound risk management practices and frameworks (ISO, NIST CSF, COBIT, COSO, SOX, SOC, etc.) to technology and business stakeholders in order to guide them through managing risks within the risk appetite thresholds.
  • Have the knowledge and ability to monitor and assess the potential impact of emerging technologies, laws, regulations, and/or policies relating to technology and information security on Asset Servicing operations and business.

In this role you will:
  • Assess the adequacy of the security strategy, business continuity/disaster recovery plans, and threats to systems, and calculate the impact of potential adverse events for Asset Servicing technology.
  • Assist with the management and coordination of audits, regulatory responses and assessments covering a broad scope of technology and information security topics. This includes understanding International Auditing Standards as well as the process for documenting self-assessment evidence and records retention practices.
  • Implement continuous control monitoring on behalf of the 1st line of defense, recognizing that assessment must be continual because risk profiles change constantly.
  • Keep management up to date on the results of risk assessments and make recommendations for mitigations, or for projects to protect their systems or cover potential losses.
  • Continually improve the quality of risk management through evaluation and communication of security, data vulnerability, business continuity and compliance risks.
  • Proactively identify technology and cyber risks before they materialize.
  • Stay current on advances in all areas of information technology concerning vulnerabilities, security breaches or malicious attacks.
  • Identify vulnerabilities or weaknesses in systems and facilitate collaborative sessions to remediate them.
  • Examine employee compliance with security controls, escalating deficiencies to Information Security and business contacts, as appropriate.
  • Evaluate security policies, processes, and procedures for completeness.
  • Work with business leads and Information Security to ensure that controls are adequate to protect sensitive information systems.
  • Clearly document and define risks and their potential impacts, along with the probability of such an event, and identify the systems affected by each defined risk.
  • Provide thought leadership on mitigation/damage reduction proposals.
  • Manage and resolve escalations, focused on delivering consistent stakeholder satisfaction and responsiveness.
  • Participate as a Technology point of contact for robust technology risk and control support and engagement activities on technical incident, risk and control matters, with the aim of reducing risk and increasing resiliency in operational processes.
  • Identify technology risk (e.g. End of Life) proactively and address it through a structured delivery plan together with the regional service owners.

Experience & Qualifications:
  • Bachelor's degree or equivalent combination of education and work experience required.
  • 10 to 12 years of total work experience preferred, in IT Risk and/or Information Security.
  • CISA, CISSP, CRISC or other ISACA certifications preferred.
  • Experienced team player with the ability to work independently to organize, manage and complete projects within tight deadlines
  • Significant knowledge in 2 or more: Application Security, IT Governance, IT Compliance & Audit, Identity & Access Management, Cloud Security, Asset Security, Threat/Vulnerability Management, BCM & DR
  • Analytical skills with the ability to provide practical solutions for effective risk management
  • Results oriented and assertive (ability to tackle challenging situations)
  • Experience managing a 1st, 2nd, or 3rd line function responsible for technology and information security related risks and controls
  • Excellent stakeholder management and ability to communicate (verbal and written) with different levels of seniority as well as able to communicate technical issues in business language within a global organization
  • Confidence to respectfully challenge stakeholders
  • Ability to adapt quickly to rapid change
  • A self-motivator who has solid track record of local and regional delivery in a global organization
  • Prior experience in dealing with regulators in the Asia Pacific Region
  • Experience in the securities or financial services industry

Plus, optionally:
  • IT Audit experience
  • Project Management experience
  • Information risk and/or security qualification (CISSP, CRISC, CISM or equivalent)

  • ID: #23469237
  • State: Pennsylvania, USA (Pittsburgh 15201)
  • City: Pittsburgh
  • Salary: USD TBD
  • Job type: Permanent
  • Showed: 2021-11-25
  • Deadline: 2022-01-23
  • Category: Security