IT Security Manager
Position Title: Manager, IT Security & Risk Management
What we need:
Cetera Financial Group (CFG or Company) is currently seeking a Manager of IT Security & Risk Management for our company office located in El Segundo, California. This is a unique opportunity to join our Security Services Team and participate in establishing and maintaining a corporate-wide information technology security and risk management program to ensure that IT & IS related risks are identified, inventoried, tracked, and addressed based on risk and company priority. An up-to-date understanding of the latest IT Security related risks, threats, and trends, as well as an understanding of security best-practice options to address these items, is essential. Ability to assist in oversight and execution of the Company's IT/IS related audits, risk assessments, testing, and monitoring efforts to ensure compliance with regulatory requirements and internal policies is needed. Experience with security solution implementations and management in an enterprise environment is important.
What you will do:
- Manages and matures information technology and information security risk management processes, programs and strategies.
- Aligns information technology/information security risk management and control activities as appropriate with NIST, PCI, ICFR, GLBA, and SEC/FINRA guidance/requirements and internal governing enterprise risk management policies.
- Identifies technology gaps and deficiencies by conducting risk assessments; recommends corrective actions of identified control weaknesses.
- Leads the planning, testing, tracking, remediation, and risk acceptance for identified technology and security risks.
- Ensures adequate compliance resources and training, fostering a risk and compliance focused culture and optimizing relations with corporate compliance members and regulators. Escalates pertinent findings in a timely manner.
- Ensures the department's practices and procedures meet risk management policies/standards/procedures and regulator expectations and scrutiny to detect and deter information technology and information security risks.
- Directs the activities of staff in accomplishing corporate business objectives. Sets priorities, provides guidance, secures resources, interfaces with peers and senior leadership and communicates effectively at all levels.
- Builds and maintains high-performance teams within the risk organization to successfully address risk identification, assessment, measurement, mitigation, aggregation and reporting.
- Proactively fosters the development of all team members.
- Promotes implementation of new technology, solutions and methods to improve business processes, quality, efficiency, effectiveness and value delivered to customers. Manages operational and technology design documentation including procedures, task lists, and systems documentation.
- Ensures enterprise due-diligence activities including monitoring, metrics and KRIs to evaluate effectiveness of the enterprise information technology and information security programs, risks and established controls.
- Manages issue management activities and monitors remediation plans. Ensures the clear and professional documentation of root cause and risk analysis of all findings. Reviews and manages action plans for issue resolution.
- Provides oversight as information technology and information security GRC subject matter expert to business areas, project teams and vendors to apply and execute appropriate application of controls in compliance with policies and standards.
- Collaborates with cross-functional stakeholders (e.g., leaders within IT, Legal, Audit, Compliance, HR, ERM, etc.) to help develop consistent processes for identifying, developing, and implementing controls to address information technology and information security risks.
- Leverages Subject Matter Experts for regulatory requirement guidance and training.
- Emerging Risks: Continually works to enhance breadth and depth of knowledge and experience.
- Benchmarks technology governance, risk and compliance practices.
- Monitors and anticipates trends and investigates organizational objectives and needs.
- Reports to applicable Management Committee(s) regarding the technology and operations risks (i.e., internal and external), results and remediation to mitigate applicable risks.
- Facilitates the completion of effective regulatory examinations and audit reviews of information risks, when required.
- Escalates emerging risks, non-compliance with policies/standards/controls, policy exceptions and risk tolerance breaches in a timely manner.
- Works and coordinates with management and department heads across the enterprise.
What you need to have:
- 10+ years of Information Technology, IT Risk Management, Information Security, and/or IT Audit experience, preferably in a highly regulated environment.
- 5+ years of management experience.
- Significant experience in conducting IT Risk and Security Control Assessments in accordance with the NIST SP 800-53 / 800-53A methodology.
- Knowledge of IT governance, risk and compliance frameworks, particularly COBIT, NIST, PCI, SOX, GLBA, CSA, and/or FFIEC, is a plus.
- BS, BA in Information Technology, Computer Science, Information Security, or other related degrees; or 4 years of additional work experience in lieu of degree.
- Possess an understanding of concepts related to information systems, information security, general IT controls, application controls and technology risks.
- Experience planning, designing and implementing risk management processes for the organization.
- Experience assessing risk, which involves analyzing risks as well as identifying, describing and estimating the risks affecting the business.
- Experience evaluating risk, which involves comparing estimated risks with criteria established by the organization such as costs, legal requirements and environmental factors, and evaluating the organization's previous handling of risks.
- Ability to align to the organization's 'risk appetite', i.e. the level of risk the organization is prepared to accept.
- Experience in reporting risk in an appropriate way for different audiences so they understand the most significant risks, to business heads to ensure they are aware of risks relevant to their parts of the business and to individuals to understand their accountability for individual risks.
- Ability to identify, propose, initiate, and lead significant risk improvement programs.
- Motivation to continually look for opportunities for process optimization, cost avoidance, and cost reductions.
- Sense of urgency in implementing programs and evaluating priorities; decisive, action-oriented and practical.
- Willingness to challenge and question the status quo, making recommendations for options and best solutions.
- Be organizationally astute, with superior influencing, collaboration and communication skills.
- Personal presence, intellect, energy and drive to succeed in a high-performance environment.
- Able to analyze and think through highly complex issues, but then appropriately execute and implement against a well thought through framework in a seamless manner.
- Experience conducting gap assessments, technology service provider risk assessments, application risk assessments, and user access certifications.
- Proficiency with Microsoft Office Suite (MS PowerPoint, Word, Excel, Visio, etc.)
- One or more professional certifications preferred (e.g., Security+, CAP, CISSP, CISA, CISM, CSX, CGEIT, CRISC, GSEC, etc.) but not required.
- Experience with Identity & Access Management (IAM) and IT Risk Management (GRC) systems.
- Experience conducting Social Engineering Testing Campaigns and Security Awareness Training.
- In-depth knowledge of risk assessment methods and technologies.
- Proficient use of various tools and techniques, including risk, business impact, control and vulnerability assessments, used to identify business needs and determine control requirements.
- Background working with or reviewing Microsoft Windows operating systems, Active Directory, and a wide range of security technologies, such as network security appliances, identity and access management systems, privileged access management systems, anti-malware solutions, automated policy compliance, logging and filtering tools, and desktop security solutions.
- Knowledge of network infrastructure, including routers, switches, firewalls, and associated network protocols and concepts is a plus.
- Experience reviewing risks and assessing policy and control compliance of security tools such as IDS/IPS, SIEM, DLP, CASB, vulnerability scanning, encryption, endpoint protection, application penetration testing.
- Understanding of common operating systems, network devices, databases, web applications, and their vulnerabilities.
- Ability to interact with regulators, auditors, and personnel at all levels and across all business units/organizations, and to understand business and compliance imperatives.
- Detail-oriented and organized to accomplish detailed tasks.
What we give you in return:
Our competitive Health program offers a comprehensive benefits package that supports healthy lifestyles, preventative care and helps to protect against hardship. Our retirement plan offers our employees the opportunity to plan ahead for a strong financial future well beyond their working years.
About Cetera Financial Group
Cetera Financial Group® ("Cetera") is a leading network of independent retail broker-dealers empowering the delivery of objective financial advice to individuals, families and company retirement plans across the country through trusted financial advisors and financial institutions. Cetera is the second-largest independent financial advisor network in the nation by number of advisors, as well as a leading provider of retail services to the investment programs of banks and credit unions. Through its multiple distinct firms, Cetera offers independent and institutions-based advisors the benefits of a large, established broker-dealer and registered investment adviser, while serving advisors and institutions in a way that is customized to their needs and aspirations. Advisor support resources offered through Cetera include award-winning wealth management and advisory platforms, comprehensive broker-dealer and registered investment adviser services, practice management support and innovative technology. "" refers to the network of retail independent broker-dealers encompassing, among others, , , and Fi.
Cetera Financial Group is committed to providing an equal employment opportunity for all applicants and employees. For us, this is the only acceptable way to do business. Accordingly, all employment decisions at the Cetera Financial Group, including those relating to hiring, promotion, transfers, benefits, compensation, and placement, will be made without regard to race, color, ancestry, national origin, citizenship, age, physical and/or mental disability, medical condition, pregnancy, genetic characteristics, religion, religious dress and/or grooming, gender, gender identity, gender expression, sexual orientation, marital status, U.S. military status, political affiliation, or any other class protected by state and/or federal law.
Agencies please note: this recruitment assignment is being managed directly by Cetera's Talent Acquisition team.
We will reach out to our preferred agency partners in the rare instance we require additional talent options. Your respect for this process is appreciated.
Please Note: Cetera does not accept unsolicited Agency resumes. Any unsolicited resumes received from Agencies will be considered the property of Cetera unless specifically requested by Human Resources. Unsolicited resumes will be ineligible for referral fees.
Please review our for further details on what information we collect and the purposes for collection.
Primary Location: US-CA-El Segundo
Work Locations:
Job: Information Technology
Organization: Cetera Financial Group
Schedule: Full-time
Job Posting: Jan 14, 2020, 9:51:39 PM