Third Party Cyber Resilience-Director - New York, United States - SMBC Group

Description

The anticipated salary range for this role is between $194,000.00 and $224, The specific salary offered to an applicant will be based on their individual qualifications, experiences, and an analysis of the current compensation paid in their geography and the market for similar roles at the time of hire. The role may also be eligible for an annual discretionary incentive award. In addition to cash compensation, SMBC offers a competitive portfolio of benefits to its employees.

Role Description

• Responsible for building a Third-Party Cyber Resilience program designed to increase planning and crisis response capabilities supporting third party risk management, vendor management, information technology, data management, cybersecurity, cyber resilience, and operational resilience management across various businesses, group companies, and functions of the bank and reporting to executive leadership, as necessary.

• Design and participate in cybersecurity exercising involving 3rd party incident and crisis response engagement.

• Identify and implement cyber incident readiness and third-party cyber resilience related improvements in alignment with regulatory expectations.

• The Cyber Resilience department is a 1st Line of Defense (LOD) in its role of monitoring and assessing business practices, security, and technology as it related to Resilience. The Information Security Group implements a framework designed to protect data and information assets from a wide range of threats to ensure resilience, business continuity, minimize disruption, and to maximize returns on investments and business opportunities.

• Reporting to the Director of Cyber Resilience Governance, the Director supports the 1st LOD Information Security Group Department Americas Division's (GPDAD) managing activities related to Cyber Incident Readiness focusing on Third-Party Resilience for the Combined U.S. Operations (CUSO) in accordance with US Regulations, Head Office policies and industry practices for Information Security and Operational Resilience

Role Objectives

• Maintain approved annual budgetary amount for the approved cyber incident readiness and third-party cyber resilience related projects.

• Maintain interfaces /relationships with Business, Technology, Operational Resilience including Business Continuity, other SMBC AD entities and other SMBC regions' key stakeholders

• Develop, enhance, and implement cyber incident readiness and third-party resilience processes, policies, standards, and controls aligning with and complementing the existing business and technology incident response processes and plans.

• Lead cyber incident readiness maturity related projects to achieve organizational objectives.

• Actively participate in Cyber Incident Response Team in managing third-party incidents to provide resilience guidance and management through resolution including post analysis review of vendor and remediation activities.

• Review vendor (third-party) contracts and recommend changes to improve third-party cyber resilience capabilities, incident response communication, and increased visibility with third parties.

• Support communication with third parties during cyber incident, zero-day threat or high vulnerability environment event. Obtain third-party situational awareness and status on threat mitigation instructions.

• Design and participate in cybersecurity exercising involving third-party incident and crisis response engagement. Coordinate continuous improvement of third-party incident response coordination.

• Support group companies and Incident Response SOC in the creation of scenario-based workarounds, communications, and cyber playbooks for critical vendors and important business services.

• Partner with Third Party Risk Management, Vendor Management and Threat & Vulnerability Management to create resilience alignment to include information sharing, controls aggregation, risk management, data management, creation of real time data analysis and threat statistic to the Information Security Group and Operational Resilience functions.

• Support coordination of cyber resilience related diagnostic statements during the annual Cyber Risk Institute (CRI) profile validation effort including reporting status, maturity determination, evidence gathering from internal stakeholders and identifying improvement recommendations/new projects.

• Develop cyber incident readiness and third-party cyber resilience readiness related reporting to support cyber resilience governance executive reporting.

• Plan and deliver cyber incident readiness and third-party resilience related education to the cross-functional and cross-entity stakeholders.

• Understand the impact of third-party risk as it relates to both firm and industry wide impacts to technical and security dependencies and single points of failure.

• Understand changes related to regulatory, new product/initiative, processes, controls, events, issues, etc., in the IT, data management, cybersecurity, third party, and operational resiliency domains that may impact the operational risk profile of the bank.

• Develop increased awareness of third-party resilience working with business, functional and SMBC AD entity stakeholders.

Qualifications and Skills

• Well-versed in Third Party Resilience to include technology, incident response and cyber risk practices with the ability to connect and align with the firm's operational resilience processes and framework.

• Significant direct work experience within the financial services industry with focus on incident management, risk management, regulatory, information technology, data management, cybersecurity, operational resilience, compliance, or audit experience.

• Foundational knowledge of enterprise risk management industry practices

• Working knowledge of Third Party/ Vendor/Supplier related technology and cyber risk management process and controls, industry practices, and frameworks (e.g., NIST, ISO).

• Detail oriented, with proven ability to question the status quo and apply resilience activities to enhance capabilities, as appropriate

• Strong organizational skills, with proven ability to successfully manage multiple, concurrent priorities and team members as the program is built out.

• Demonstrated ability to influence a group of diverse stakeholders

• Ability to communicate and work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important

• Ability to work independently and attention to detail

• Foundational knowledge of banking laws and regulations (FFIEC, BCBS, FCA, PRA, BoE, etc.)

• Maintain a cyber threat mindset to understand underlying risks and weaknesses to properly assist in mitigating and enhancement activities
Education & Qualifications

• Bachelor's/University degree

• Professional certifications such as Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), AWS Certified Practitioner, Microsoft Certified Azure Fundamentals etc. are preferred