Data Security & Information Protection Manager
The Regulatory Oversight and Cyber Security group (ROCS) is responsible for the identification, assessment, monitoring, remediation and reporting of operational risks within the Global Banking Investor Solutions division (GBIS). The Data & Cyber Security group is responsible for management of the Information Security and Cyber Security frameworks for the entire perimeter.
The Data Security & Information Protection Manager provides leadership and direction to three key areas of security: Identity and Access Management (IAM), Data Security & Protection (DSP), and Application Security (AppSec). In addition to providing strategic input to the security strategy and roadmap in the Americas region, the position is hands-on and requires tactical management of IAM, DSP, and AppSec processes, frameworks, and tools, working with a team of security professionals.
It is essential that the candidate be able to demonstrate practical and in-depth knowledge of IAM practices and processes, including the use of IAM tools such as MFA, SSO, and PAM/PUM. The same applies to DSP practices and processes (e.g., DLP) and Application Security (e.g., OWASP Top Ten, Threat Modeling).
It is preferred that the candidate possess a solid knowledge of the regulations (e.g., FFIEC, FDIC, SEC, DFS500) and best security practices (e.g., NIST, ISO) applicable to the financial industry. The position also assists with the development of capital and operating funding requirements for all Data Security and Information Protection programs and projects.
The ideal candidate is a leader of people and provides mentoring and coaching to their team of security professionals to ensure they perform optimally and are able to achieve their professional goals. Furthermore, this individual is a strong collaborator with the Americas CISO, all the security team members, and across the organization (regionally in the Americas and globally).

Mission

Day-to-Day Responsibilities:
- Act as the main point of contact for all Data Security/Information Protection-related matters in the Americas region, covering:
  - User certification/compliance, Web SSO, Enterprise SSO, provisioning/de-provisioning, Privileged Access/User Management (PAM/PUM), biometric DLP management, email surveillance, DLP policy/rule management, web proxy management
  - Secure coding, threat modeling, application security assessments and pentesting, code reviews
- Oversee and actively maintain the methodology and program in each aspect of the activities, i.e., IAM, DLP, and AppSec
- Establish all required activities to ensure that the Data and Information Protection program is sustainable and effective year after year and can achieve a high level of efficiency in terms of people, processes, and tools
- Offer consultation once a DLP incident has occurred; be involved in relevant issues in a timely manner and report directly to the highest management level
- Foster a data protection culture within the bank and help implement essential elements of the data security and protection strategy (e.g., principles of data processing, data subjects' rights, data protection by design and by default, security, DLP incidents)
- Participate in "routing meetings" to ensure data security and protection controls are embedded in new applications/systems before going into production
- Provide support in all aspects of the Data and Information Protection program during audit and regulatory exams; actively contribute as needed
- Develop and deliver application security focused training in coordination with our global teams
- Collect and automate (whenever possible) metrics to demonstrate risk reduction for the bank and to produce reports for multiple audiences such as executive management (e.g., the board of directors), auditors, technical staff, etc.
- Contribute to the global strategy and roadmap to ensure all activities are effectively reducing the bank's risk exposure due to, for instance, confidentiality issues, data leakages/thefts, and insecure applications
- Contribute to the design and implementation of an operational reporting framework that will provide regular metrics and statistics about our business and IT environment; analyze trends in security events, activities, etc. to better understand risks, insufficiencies in our solutions, staffing shortages, etc.; report security metrics and statistics to the CISO and other key stakeholders throughout the bank
- Manage any security business practice irregularities, violations and infractions, including exceptions, risk memos, and security position memos
- Prepare annual detailed plans for security reviews/audits and any other compliance tasks required internally or externally (e.g., user access reviews)
- Act as a subject matter expert and advisor with regard to requirements for all stakeholders

Profile

Technical Skills:
- Solid command of networking and general IT, network security architecture, encryption, operating systems, message transfer agents, web proxies, and Host Intrusion Detection/Prevention Systems (IDS/IPS)
- Experience with multiple Symantec security products is a strong plus
- Proficient with MS Office, project management software, and several IAM/DLP/AppSec tools
- Strong understanding of application security, including secure coding practices and standards, security testing, and overall secure SDLC practices (e.g., OWASP, COBIT)
- Solid understanding of common security tools (e.g., vulnerability scanners, firewalls, IDS/IPS, AV software) strongly recommended

Competencies:
- Strong analytical, problem-solving, and project/program management skills
- Extensive training and experience in computer disciplines such as application and data security, systems programming, systems design, computer technology or software disciplines
- Excellent communication skills working with all levels of management across the entire organization

Experience Needed:
- 10-12 years' demonstrable experience in data security and protection management, security project management, security policy management, and other security practices
- Hands-on experience with designing, implementing and managing data security and protection programs
- Past experience managing small to mid-sized teams

Educational Requirements:
- Bachelor's degree or equivalent experience in Computer Science, Business Management, or MIS required; MS preferred
- Certified training in security management, risk and compliance solutions and practices
- CISSP, CISA, CISM, GSEC, CRISC, or related certification(s) required