Cyber Assurance Program Assessment Lead - VP
- New York, NY, USA
- Permanent, Full time
- Morgan Stanley USA
- 17 Oct 18
Morgan Stanley is a leading global financial services firm providing a wide range of investment banking, securities, investment management and wealth management services. The Firm's employees serve clients worldwide including corporations, governments and individuals from more than 1,200 offices in 43 countries.
As a market leader, the talent and passion of our people is critical to our success. Together, we share a common set of values rooted in integrity, excellence and strong team ethic. Morgan Stanley can provide a superior foundation for building a professional career - a place for people to learn, to achieve and grow. A philosophy that balances personal lifestyles, perspectives and needs is an important part of our culture.
The mission of the Global Technology Department is to provide a highly reliable and commercial technology platform, which supports the Firm's strategy, delivered by an innovative, world-class team of professionals.
Technology & Information Risk (TIR) is part of the Global Technology organization. Its mission is to enable proactive, comprehensive, and consistent technology and information-related risk management practices across the Firm and to protect Firm information, systems, and associated infrastructure from Cyber Threats.
A position is available within the Morgan Stanley Global Risk Governance group for a Cyber Assurance Assessment Lead. This is an excellent opportunity for a candidate who is ambitious, experienced, and highly-skilled to join a dynamic global function within our New York office.
The Cyber Assurance program focuses on ensuring the firm is adequately protecting its vital assets against those threats most likely to succeed (based upon internal and external threat intelligence). The program evaluates the firm's exposure to successful real-world cyber-attacks by reviewing the effectiveness of the controls employed to counter these threats. To achieve this, Cyber Assurance employs various methods such as technology configuration reviews and data analytics.
The program identifies focus areas based on a set of likely adversarial campaign objectives (e.g. Payment Fraud). For each campaign objective, a set of end-to-end threat scenarios is defined, following each step within the cyber kill chain. The ideal candidate will have the ability to identify the methods an adversary would take at each step, together with a defense-in-depth strategy of controls to mitigate risk to the environment.
The primary focus of the role is to:
- Define the assessment strategy for each scenario by understanding potential adversarial methods and respective key controls for defense.
- Identify cyber threats and incidents at similar organizations for potential inclusion in the assessment calendar.
- Determine likely methods based on publicly known breaches and incidents that align to the threat scenario scoped.
- Determine an effective controls assessment plan over the controls in place to mitigate the likelihood and impact of a successful cyber-attack in relation to the threat scenarios scoped.
- Evaluate process flows of key cyber control processes and identify potential design gaps.
- Produce a structured process to assess current cyber maturity, risk level and trending maturity that demonstrates cyber assurance as a measurable process.
- Develop a dashboard to visualize the current state for Senior Management.
- Plan and perform and/or supervise the assessment of identified cyber controls.
- Review requirements and planning of solutions targeted for control remediation in collaboration with the Cyber Program Management Office.
- Engage in toll-gate reviews of key project milestones pre-deployment to ensure successful remediation.
- Leverage Indicators of Compromise (IoCs) and Tools, Techniques and Procedures (TTPs) created to define a defensive strategy.
- Produce recommendations for review and develop a documented defensive playbook.
- Prepare documentation of identified risks and issues for reporting in centralized issue / risk tracking applications. Produce or review work paper documentation to standards suitable for use by auditors.
- Present overview / results of Cybersecurity Posture to stakeholders, senior management and other relevant parties.
- Coordinate stakeholders across Firm departments (e.g. IT Security, Operational Risk and Internal Audit) to scope and perform relevant cybersecurity assurance.
- Build strong positive relationships with the local cyber security community within Technology.
Skills Required (essential)
- Experience with Cyber programs within a large institution (preferably financial).
- Strong awareness of industry standards, best practices and regulatory expectations in respect of Cyber (CIS, NIST Cybersecurity Framework, ISO 27001 and ISO 27002).
- Ability to identify effective security controls aligned to people, process and technology.
- Proven effectiveness in delivering successful control assessments to validate and measure the effectiveness of controls.
- Proven cybersecurity analytical skills.
- Ability to recognize potential threats to the network and systems connected to the network from the Internet and Intranet.
- Hands on technical experience (e.g. software development, infrastructure support).
- Organizational skills as reflected through a methodical/organized approach to analysis and documentation and the ability to manage multiple tasks simultaneously.
- Significant discretion and respect for the confidentiality of sensitive information.
- Proficiency in Microsoft Office suite.
- Proactive self-starter who can identify opportunities for improvement and operate autonomously.
- Experience in Incident Response triage and analysis in a CIRT/SOC environment, Red Teaming or Threat Hunting.
- Experience with network packet capture.
- Understanding of how malware works and its behaviors through analysis in malware reverse engineering.
- Any of the below (or industry equivalent) would be of benefit:
  - Certified Information Systems Security Professional (CISSP)
  - SANS/GIAC Certifications
  - Certified Internal Auditor (CIA)
  - Certified Information Systems Auditor (CISA)
  - Certified in Risk and Information Systems Control (CRISC)
  - Certified in the Governance of Enterprise IT (CGEIT)