Head of Cyber Risk Management


Vacancy details

General information

Entity

About Crédit Agricole Corporate and Investment Bank (Crédit Agricole CIB)

Crédit Agricole CIB is the corporate and investment banking arm of Crédit Agricole Group, the 10th largest banking group worldwide in terms of balance sheet size (The Banker, July 2022).
8,600 employees in more than 30 countries across Europe, the Americas, Asia-Pacific, the Middle-East and North Africa, support the Bank's clients, meeting their financial needs throughout the world.
Crédit Agricole CIB offers its large corporate and institutional clients a range of products and services in capital market activities, investment banking, structured finance, commercial banking and international trade.
The Bank is a pioneer in the area of climate finance, and is currently a market leader in this segment with a complete offer for all its clients.
By working every day in the interest of society, we are a Group committed to diversity and inclusion and place people at the heart of all our transformations. All our job offers are open to persons with disabilities.


For more information, please visit www.ca-cib.com

Twitter: https://twitter.com/ca_cib
LinkedIn: https://www.linkedin.com/company/credit-agricole-cib/


Reference

2025-101290  

Update date

17/06/2025

Job description

Business type

Types of Jobs - Risk Management / Control

Job title

Head of Cyber Risk Management

Contract type

Permanent Contract

Job summary

Summary:
The Head of Cyber Risk Management is a senior leadership role responsible for establishing, maintaining, and overseeing the organization's comprehensive Cyber Risk Management framework including core components of Governance, Risk, and Compliance. This individual will lead the identification, assessment, mitigation, monitoring, and reporting of cyber risks across the enterprise, ensuring alignment with business objectives, regulatory requirements, and industry best practices. This role requires deep expertise in both cybersecurity principles and risk management methodologies within the context of a complex and highly regulated environment. The Head of Cyber Risk Management will work closely with executive leadership, technology teams, compliance, legal, internal audit, and business units to embed a strong cyber risk culture. The successful candidate will ensure that cyber risk management practices align with the organization's risk appetite, global regulatory obligations (e.g., FFIEC, HIPAA, NYDFS, and DORA), and strategic objectives, ultimately safeguarding sensitive data, intellectual property, and operational continuity.

Key Responsibilities:

1.     Cyber Risk Framework Leadership:
·         Own, maintain, and mature the organization's Cyber Risk Management Framework (CRMF), ensuring alignment with industry standards (e.g., NIST CSF, CRI, FFIEC) and specific regulatory frameworks applicable to our industry.
·         Integrate the Cyber Risk Management program with the overall Enterprise Risk Management (ERM) framework.
·         Define and implement cyber risk assessment methodologies (qualitative and quantitative) suitable for diverse assets, including IT, OT/manufacturing systems (if applicable), cloud environments, and third parties.
·         Champion the integration of cyber risk considerations into business processes, technology adoption, and strategic initiatives.
·         Define the organization's cyber risk appetite and tolerance levels in collaboration with executive management and the Board.
·         Oversee the implementation and management of tools and techniques for risk analysis, including threat modeling, vulnerability assessments, and potentially quantitative risk analysis (e.g., FAIR methodology).
2.     Risk Assessment & Analysis:
·         Direct and oversee periodic and event-driven cyber risk assessments across the enterprise landscape.
·         Analyze threat intelligence, vulnerability data, and control effectiveness to provide a clear picture of the cyber risk posture.
·         Focus specifically on risks related to sensitive data (e.g., client financial data, intellectual property), critical systems (e.g., manufacturing control systems, core financial platforms), and regulatory compliance failures.
·         Mature the organization's third-party cyber risk management program, ensuring rigorous assessment and ongoing monitoring of vendors and partners.

Supplementary Information

3.     Mitigation Strategy & Control Assurance:

·         Integrate the Issue Management Policy and Procedure into the Cyber Risk Management Program; ensure, through reporting, that the team remains on track for all issues.

·         Collaborate with security architecture, engineering, operations, IT, and business units to recommend and prioritize risk mitigation activities and control enhancements.

·         Provide expert risk-based guidance on security investments and control design.

·         Oversee processes for tracking risk mitigation efforts and validating control effectiveness.

·         Develop and manage a process for formal risk acceptance, ensuring appropriate sign-off based on risk severity and potential impact.

4.     Regulatory Compliance & Audit Liaison:

·         Ensure cyber risk management activities directly support and provide evidence for compliance with relevant regulations (e.g., HIPAA Security Rule, NYDFS Cybersecurity Regulation).

·         Serve as a key subject matter expert and point of contact for cyber risk during regulatory inspections and internal/external audits.

·         Support validation and qualification activities by providing cyber risk expertise.


Salary Range: $150K- $180K. 


Position location

Geographical area

America, United States Of America

City

NEW YORK

Candidate criteria

Academic qualification / Speciality

Required: 

Bachelor’s degree in Cybersecurity, Information Technology, Business Administration, or a related field.

Minimum 7-10 years of experience in information security or related field.

Preferred:

Advanced degree (MBA, MS) is strongly preferred.

Relevant industry certifications (CISSP, CISM, GIAC) are strongly preferred.

At least 3 years of experience in a senior leadership role within the banking or financial services industry.

Level of minimal experience

6-10 years

Experience

Reporting & Metrics:

·         Develop, track, and report on Key Risk Indicators (KRIs) and cyber risk metrics tailored to different audiences, from technical teams to the Executive Leadership Team and Board committees.

·         Maintain an accurate and up-to-date enterprise cyber risk register.

·         Communicate the cyber risk landscape, trends, and mitigation progress effectively through dashboards and formal reports.

Team Leadership & Stakeholder Engagement:

·         Build, lead, and mentor a high-performing team of cyber risk professionals.

·         Foster a culture of risk awareness and proactive risk management across the organization.

·         Establish strong partnerships with Legal, Compliance, Internal Audit, Risk Management (if applicable), and other key business functions.

Core Competencies:

Required Qualifications:
·         Education: Bachelor's degree in Computer Science, Information Security, Risk Management, Business Administration, or a related field.
·         Minimum of 7-10 years of progressive experience in information security and/or risk management.
·         Minimum of 5-7 years in a leadership role managing cybersecurity or cyber risk functions.
·         Crucially: Demonstrable experience working within a highly regulated industry (e.g., finance, banking, insurance, healthcare, energy, defense). Deep understanding of the specific regulatory requirements pertinent to that industry.

Required skills

Skills & Knowledge:

·         Expert knowledge of cyber risk management principles, methodologies, and frameworks (NIST CSF, CRI, ISO 27001/5, COBIT, etc.).

·         In-depth understanding of cybersecurity domains: network security, application security, cloud security, data protection, identity and access management, incident response, vulnerability management, third-party risk.

·         Proven ability to translate complex technical issues into understandable business risks and impacts for non-technical audiences.

·         Strong understanding of relevant laws, regulations, and industry standards (e.g., HIPAA, NYDFS Part 500, CRI, CMMC, as applicable).

·         Excellent leadership, communication (written and verbal), presentation, and interpersonal skills.

·         Strong analytical, strategic thinking, and problem-solving abilities.

·         Experience interacting with regulators and auditors.

·         Certifications: One or more relevant professional certifications required (e.g., CRISC).

Preferred Qualifications:

·         Master's degree in a relevant field.

·         Experience implementing quantitative risk analysis models (e.g., FAIR).

·         Experience with Governance, Risk, and Compliance (GRC) platforms.

·         Direct experience managing regulatory examinations focused on cybersecurity.

·         Proven track record of developing and implementing successful enterprise-wide cyber risk programs in complex organizations.

Technical skills required

Soft Skills & Leadership:

·         Strong executive presence with the ability to engage and influence C-suite leaders and board members.

·         Proven ability to lead cross-functional teams and drive enterprise-wide resilience initiatives.

·         Excellent verbal and written communication skills, with experience presenting to regulators, auditors, and senior stakeholders.

·         Ability to thrive in a high-pressure environment, managing crises and business disruptions with a structured and strategic approach.


Incident Management: Ability to analyze, prioritize, and manage security incidents effectively.

Strategic Thinking: Ability to align cyber risk initiatives with business objectives

Communication and Documentation: Ability to ensure thorough documentation and clear communication of security operations activities.

Leadership and Team Management: Proven track record of building and leading high performing teams

Regulatory Compliance: Expertise in navigating banking regulations


Technical Knowledge: Strong knowledge of information security technologies such as vulnerability scanning tools and threat intelligence tools.

Investigations: Strong experience leading security investigations.

Cybersecurity Frameworks: Deep understanding of frameworks such as NIST Cybersecurity Framework

Policy and Procedure Development: Proficiency in drafting and enforcing policies, procedures, and playbooks.