Information Security Risk Manager
- Chicago, IL, USA
- Permanent, Full time
- Chicago Mercantile Exchange
- 21 Apr 19
Information Security Risk Manager
CME Group is the world's leading and most diverse derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it, all while working alongside a team of leading experts who inspire you in ways big and small. Joining our company gives you the opportunity to make a difference in global financial markets every day, whether you work on our industry-leading technology and risk management services, our benchmark products or in a corporate services area that helps us serve our customers better. We're small enough for you and your contributions to be known. But big enough for your ideas to make an impact. The pace is dynamic, the work is unlike any other firm in the business, and the possibilities are endless. Problem solvers, difference makers, trailblazers. Those are our people. And we're looking for more.
To learn more about what a career at CME Group can offer you, visit us at www.wherefuturesaremade.com .
The Global Information Security (GIS) Risk Manager will work with peers in GIS and across the Technology Division to ensure that Information Security risks are properly identified, assessed, addressed, and communicated in support of the overall GIS Risk Management program. The Risk Manager will report to the Manager of GIS Risk Management, and will assist with the continuous improvement of the InfoSec Risk Management program, including maturation of assessment methods, supporting instrumentation, development and delivery of training to Technology Division peers, registration and tracking of InfoSec risks, maturation and operation of an information management system (e.g., a GRC solution) to support the function, and communicating InfoSec risks to be rolled up into CME Group's broader Enterprise Risk Management (ERM) function.
- Work with peers in GIS, Architecture & Product Management, Execution & Engineering, Infrastructure & Operations, and IT Compliance & Controls to identify and adjudicate InfoSec risks.
- Conduct risk assessments using CME Group's established InfoSec risk management method and instrumentation.
- Collaboratively author and edit various risk-related documents, including Risk Profiles, Risk Advisory Memos, Risk Acceptance Memos, exceptions and exemptions from GIS technical policies and standards, and other related output resulting from risk assessment activities.
- Work with GIS and Technology Division peers to define or refine Standard Operating Procedures (SOPs) to explicitly identify when to invoke CME Group's InfoSec Risk Assessment Process.
- Participate in and contribute to various working groups across the Technology Division, including but not limited to the Enterprise Architecture Board, various change advisory boards, Identity & Access Management working group, Data Protection working group, etc.
- Assist the Manager of GIS Risk Management with:
- Maturation and continued deployment of an information security risk management system (e.g., a GRC solution) that will drive efficiencies and automation in the management of InfoSec risks, rollup into ERM, and the registration, tracking, reporting, and re-assessment of identified InfoSec risks.
- Continuous improvement and maturation of the methods, instrumentation, training, documentation, and processes required to properly manage InfoSec risks.
- Providing advisory and consulting services to the Information Technology Management Team related to InfoSec risks, treatment strategies, and decision-making.
- Preparation of management reports, presentations, metrics, and other documentation required to support governance functions, including the InfoSec Risk Advisory Council, the Enterprise Risk Management Team (RMT), and regular reporting to the Information Technology Management Team, Senior Leadership Team (SLT), and Risk Committee of the Board of Directors.
- Promoting a culture of risk awareness and accountability through training, education, and risk management consultative support.
- Objectively assess the impact, likelihood, velocity, and magnitude of identified risks
- Objectively advise on any number of technical controls that will mitigate risk will not imposing undue burden on those who must implement the controls
- Mediate differing perspectives on risks between a variety of Technology Division stakeholders
- Drive objectivity and build consensus among stakeholders with widely divergent perspectives and drivers
- Rapidly analyze complex technical details
- Synthesize detailed analysis into a "big picture" view that can be easily understood by non-technical stakeholders in order to support risk-based decision-making for senior managers within the Technology Division
- Determines when exceptions, exemptions, and invocation of the InfoSec risk adjudication process are merited
- Recommends risk treatment decisions
- Recommends ranges of controls when risk mitigation is desired
- Recommends improvements to methods, instrumentation, training, documentation, and processes
- Recommends solutions for automating and streamlining InfoSec risk management practices
- Advises on InfoSec risk management program, policies, standards, and procedures
- Works daily with peers across all elements of the Technology Division. Participates regularly in management-level briefings to members of the ITMT.
- Communicates regularly with cross-functional peers outside of the Technology Division, including General Counsel, Data Governance, Global Assurance (internal audit), Enterprise Risk Management, Third Party Risk Management, and other business unit leadership.
- Interacts occasionally with industry peers from other Systemically Important Financial Market Utilities (SIFMUs), research organizations, solution providers, etc.
- Bachelor's Degree.
- Minimum of 5-7 years of experience at director or manager level in publicly traded companies or finance/technology industry operations; OR minimum 7-10 years as a consultant to such companies at a commensurate level.
- Experience in at least three of the following: InfoSec (Operations, Program Management, Governance, Risk Management, etc.), Enterprise Architecture, Identity & Access Management, Application Development, Infrastructure & Operations, IT Compliance, or Internal Audit.
- Experience working with industry based information security and / or control frameworks (NIST Cyber Security Framework, ISO 27002, CobIT, etc.).
- Demonstrable knowledge of a broad range InfoSec technologies and practices.
- Demonstrable, impeccable writing skills for technical, management, and executive audiences.Additional preferred experience:
- Demonstrable knowledge of InfoSec risk management methods and practices
- Experience with a GRC solution's Risk Management functionality
- Experience leading and working with global teams
- Professional certification in InfoSec or Risk Management (such as CRISC, CISM, CISSP, CGEIT, CISA, etc.)