Cyber and Information Risk, Independent Risk Review Manager (VP)

London, Docklands (Hybrid)

£80,000 - £100,000 per annum + annual discretionary bonus

On behalf of an industry-leading financial services organisation, I am seeking an experienced Cyber and Information Risk, Independent Risk Review Manager at VP level.

The Cyber and Information Risk Independent Risk Review Manager is responsible for independent reviews of the efficacy of the Information Security and Data Management programs, including review and challenge of large-scale risk remediation efforts. The successful candidate will provide review and credible challenge of the effectiveness of information security and data management processes and controls in mitigating key risks to the firm.

The organisation is pleased to offer the role on a hybrid basis: you must be willing to commit to two days per week at their offices, so you must be within commutable distance of their London offices.

Responsibilities:

Independent Reviews:

  • Execute horizontal reviews of top information security risks, identifying gaps in control coverage and recommending control improvements to address identified gaps.
  • Complete thematic reviews of information security and data management operational risk events and associated proposed actions to propose control enhancements that reduce risk of recurrence.
  • Work with the Information Security and Data Management teams to review control capabilities against industry standards and lead efforts to strengthen the control environment in line with the evolving threat landscape.
  • Review and challenge actions to address gaps, monitor progress of actions, and validate sufficiency of closure evidence.
  • Prepare status reports as needed and present to Technology Leadership, Audit, and regulatory bodies as required.

Risk Remediation Oversight:

  • Review and challenge the sufficiency of planned actions to address identified problems, provide stated benefits, and meet regulatory expectations.
  • Review and monitor the progress of actions and validate sufficiency of closure evidence.
  • Prepare status reports as needed and present to Technology Leadership, Audit, and regulatory bodies as required.
  • Governance - Actively present to various committees and forums to keep management educated on status of independent reviews, challenges to risk remediation efforts, and progress on control improvements.
  • Relationship Management - Be a respected point of contact to stakeholders across the business and technology functions in providing credible operational risk coverage for information security and data management risk.
  • Policy & Procedures - Review and challenge relevant policies, standards, and procedures related to company information security and data management processes.

Experience/Skills required:

  • 5+ years of experience specifically related to information security and data management risk governance, operations, and risk management functions.
  • Broad-based technology experience at substantial scale and complexity in a global, highly regulated, high-volume transaction environment.
  • Experience must include time operating within transaction services environments characterized by the need for continuous availability and the highest levels of security.
  • Experienced working in a complex matrixed organization, ideally in a global firm with a dynamic and rapidly changing environment.
  • Experienced operating within a highly regulated environment, with a preference for experience at the international and federal levels.
  • Deep knowledge of information security and data management risk and control frameworks and a strong understanding of related policies, procedures, guidelines, and structure.
  • Relevant certification is desirable, e.g. CISSP, CISM, CISA.
  • Working knowledge of information security and data management life cycles based on an established framework: CRI, NIST CSF, NIST SP 800-53, ORX, ISO 27001, SANS, CERT, ENISA, CSA, OACA, ISACA, DAMA-DMBOK.
  • Experience with enterprise GRC tools (e.g. Archer) is a plus.

Job Details

Company
Spencer Rose Ltd
Location
London, United Kingdom
Employment Type
Permanent
Salary
GBP 80,000 - 100,000 Annual