Western & Southern Financial Group

Senior Cybersecurity Governance Specialist

Job Locations: US-OH-CINCINNATI
ID: 2025-23439
Category: Information Technology
Type: Full Time
Subsidiary: Western & Southern Financial Group

Overview

Leads the team in providing strategic security leadership and assurance to business and IT teams for major corporate initiatives and information security projects. Develops the strategy for how Western & Southern Financial Group (W&SFG) performs risk assessments, security assessments and policy reviews of W&SFG systems and third-party vendors to identify areas of noncompliance with established information security standards and regulations. Manages the recommendations and coaches the team on mitigation strategies and countermeasures. Provides guidance to IT stakeholders in the evaluation, design or implementation of secure computing environments, including vulnerability management. Works with the Cybersecurity Risk Management team to drive improvements in the information security policy framework. Manages the development, review and monitoring of information security policies and procedures, and develops and communicates improvements. Identifies and defines overall security requirements for the proper operation and design of business and IT applications to ensure the protection of W&SFG systems and data. Leads the development of the organization's information security awareness program. Escalates when needed and updates the Director on a regular basis.

Responsibilities

What you will do:

  • Consults and/or executes third-party vendor due diligence security reviews to ensure compliance with information security policy, security procedures and regulatory requirements.  Identifies and reports deficiencies or risks to the appropriate stakeholders.  Follows up with business teams and third parties to escalate issues when necessary.
  • Plans and executes security assessments and penetration testing.  Leads effort to address identified IT audit findings and cybersecurity risks with corrective action plans.  Develops the strategy and drives process/program improvements with IT leadership and compliance teams. Conducts ongoing monitoring of the first-party security posture and performance.  Acts as a liaison with Internal Audit on IT audits.
  • Works with stakeholders to plan, develop and deploy a comprehensive vulnerability management program to govern cybersecurity risk to the enterprise.  Builds effective relationships with stakeholders who own and support applications, IT infrastructure and operations to review exposure to threats and drive risk reduction measures.  Establishes and tracks performance metrics and provides regular updates to IT leadership on the status of the vulnerability management program.
  • Leads efforts with project teams to ensure PMLC/SDLC tollgates are being met for security and that the appropriate security artifacts are being maintained. Plans and develops strategy to ensure security is incorporated into the PMLC/SDLC. Ensures that the process assesses the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability. Develops key performance indicators to measure overall effectiveness and reduction of risk.
  • Conducts in-depth research to understand industry best practices, emerging trends and the latest open source methods.  Leads in developing practices and standards that inform design and deliver high-quality solutions that will help address current security challenges and enable new ways of delivering value to the Enterprise.
  • Provides leadership to IT and the business with minimal supervision serving as a technical security consultant. Acts as a key contributor to solve complex business problems and deliver solutions that help avoid risks to corporate network and information assets.  Ensures the appropriate level of controls are applied based on industry standards, best practices and cybersecurity regulations by developing repeatable processes to identify, evaluate, and measure IT security risk.
  • Plans and delivers training and/or mentoring advice to team members and other IT groups on security topics, risk avoidance, and security best practices.
  • Plans and manages the information security policy lifecycle, including policy creation, policy maintenance, policy exceptions, and policy change requests. Drives improvement in the overall security policy framework. Leads the effort in working with business and IT management to ensure that the security policy framework and internal controls are being appropriately followed. Conducts risk assessments based on policy and control evaluations.
  • Is responsible for the development, review, implementation and maintenance of the organization's information security awareness program.  Leads efforts and collaborates with HR and Corporate Communication teams to deliver security training and security awareness to associates and consultants. Develops and executes security training and awareness strategy.
  • Helps manage the remediation of audit and security review findings and recommendations.
  • Performs other duties as assigned.
  • Complies with all policies and standards.

Qualifications

  • Bachelor's degree in computer science, computer engineering, IT or a related technical field, or commensurate experience.
  • Demonstrated extensive experience in the areas of information security governance and third-party risk management.
  • Proven ability to influence and drive risk reduction measures within IT and across reporting structures.
  • Demonstrated understanding of the current security threats, techniques, vulnerabilities, response and mitigation strategies used in cybersecurity.
  • Proven extensive experience working with IT risk and compliance frameworks such as NIST (preferred), ISO, COBIT, COSO, etc.
  • Demonstrated extensive experience working with best practices and industry cybersecurity regulations including the NYDFS Cybersecurity Regulation, HIPAA, and PCI DSS.
  • Demonstrated experience with information security, security awareness, and risk assessment and mitigation concepts, methodologies, and processes.
  • Demonstrated experience in completing assigned tasks accurately and on a timely basis.
  • Proven ability to identify and assess the severity and potential impact of risks.
  • Proven inherent passion for information security and service excellence.
  • Demonstrated ability to identify project risks and gaps, developing creative and workable solutions to complex problems and policy issues.
  • Proven strong team player - collaborates well with others to solve problems and actively incorporate input from various sources.
  • Demonstrated strong analytical and problem-solving skills with the ability to grasp new concepts and apply them; effectively evaluates information/data to make decisions; anticipates obstacles and develops plans to resolve.
  • Proven excellent verbal and written communication skills with ability to convey information to internal and external customers in a clear, focused and concise manner.
  • Demonstrated calm and professional demeanor when handling demanding situations.
  • Proven ability to work with a team and multiple stakeholders to provide direction and oversight.
  • Demonstrated self-starter with strong internal motivation.
  • Proven ability to work under multiple deadlines and with minimal supervision.
  • Basic computer, network, and system knowledge and skills with a thorough understanding of security controls.
  • Strong proficiency in the use of Microsoft Office, particularly Word, Excel and PowerPoint.
  • Certified Information Systems Security Professional (CISSP), any GIAC certification, or an ISACA certification preferred.

Work Setting/Position Demands:

  • Works in an office setting and remains in a stationary position for long periods of time while working at a desk, on a computer or with other standard office equipment, or while in meetings.
  • Requires the ability to verbally communicate and exchange accurate information to customers and associates on a regular basis.
  • Requires visual acuity to read and interpret a variety of correspondence, procedures, reports and forms via paper and electronic documents, visual inspection involving small defects; small parts, and/or operation of machinery (including inspection); using measurement devices continuously. Visual acuity is required to determine accuracy, neatness, and thoroughness of work assigned.
  • Requires the ability to prepare written correspondence, reports and forms using prescribed formats and conforming to rules of punctuation, grammar, diction, and style on a regular basis.
  • Requires the ability to apply principles of logical thinking to define problems, collect data, establish facts, and draw valid conclusions.
  • Performs substantial movement of wrists, hands, and fingers for continuous computer work.
  • Extended hours required during peak workloads or special projects/events.

Travel Requirements:

  • Occasional travel may be required.