This position is responsible for leading the execution of internal audit examinations over the Bank's cybersecurity, physical security, privacy, fraud risk management, and business continuity management programs, ensuring the timely and professional execution of the examinations in accordance with professional standards.
Primary Responsibilities:
Scope of Responsibilities:
- Plan, coordinate and maintain full ownership over execution of audit examinations and validation procedures in accordance with the Internal Audit Department's audit methodology and professional standards. Work with the Enterprise Security Audit Manager to establish appropriate budgets and time frames for these examinations;
- Independently document and communicate recommendations to Bank Management in order to improve internal controls and reduce risk to the organization;
- Supervise other IT Audit staff as needed, per audit engagement;
- Responsible for becoming intimately familiar with the organization's cybersecurity program and cyber risk management practices. Also responsible (in collaboration with the Enterprise Security Audit Manager) for understanding cybersecurity risks that may exist across the enterprise and ensuring the Audit Department's overall Audit Plan effectively accounts for these risks;
- Working with the Enterprise Security Audit Manager to keep abreast of emerging cyber and privacy threats and risks both within and outside of the organization, and apply gained knowledge to audit practices;
- Responsible for establishing appropriate relationships to fully understand the key products being delivered in the Enterprise Security organization. Function as one of the 'go to' individuals for the IT Audit group in regards to security product delivery and participate within these initiatives as necessary;
- Directly communicate with Middle and Line Management to discuss audit approach, identified risks, and proposed recommendations; and
- Maintain ongoing communication with the 1st and 2nd line Risk Management/Oversight organizations to align assurance activities, share risk information, etc.
This role is responsible for leading, planning and executing the delivery of high quality, value-added audit services for a variety of business activities, which meet the requirements of the Audit Committee and regulatory expectations. Ensures ongoing conformance with professional auditing standards.
This position directly communicates with Middle and Line Management and External Auditors.
Supervisory/Managerial Responsibilities:
This position will have certain audit personnel oversight responsibilities on audits in which they function as Lead Auditor. This role may also provide coaching opportunities on other engagements.
Education and Experience Required:
Bachelor's degree in Technology/Accounting/Finance/Business or a related discipline and a minimum of 4 years' experience in a related role, or, in lieu of a degree, a combined minimum of 8 years of higher education and/or work experience, including a minimum of 4 years' experience in a related role.
Ability to develop and coach others.
Education and Experience Preferred:
- Experience in cybersecurity auditing (preferably in the banking/financial services sector);
- Working knowledge and experience in auditing the following security technologies/services:
  - Firewall systems, intrusion detection/prevention systems, data loss prevention (DLP) technology, anti-malware solutions, security information and event management (SIEM) and incident response solutions, threat intelligence platforms, vulnerability management solutions, identity and access management platforms, proxy services solutions, DDoS mitigation services, UBA and EDR solutions;
- Understanding of security risks specific to emerging technologies enabling digital banking (e.g. cloud computing, AI, blockchain, etc.). Knowledge of how security controls should be integrated into agile delivery and DevSecOps release processes is also a plus;
- Working knowledge of information security/cybersecurity frameworks/standards such as the NIST Cybersecurity Framework;
- Understanding of cybersecurity risk governance and cybersecurity risk management concepts;
- Understanding of supervisory expectations, regulations, and tools specific to cyber risk management practices (e.g. FFIEC IT Handbooks, FFIEC Cyber Assessment Tool, NYSDFS NYCRR 500 - Cybersecurity Requirements for Financial Services Companies, GLBA 501B Requirements, etc.);
- Excellent verbal and written communication skills. Ability to convey complex conceptual information/ideas on issues requiring extensive interpretation and opinion. Experience in applying appropriate discretion when dealing with sensitive issues and conveying technical concepts in an easy-to-understand manner;
- Proven ability in managing multiple audits, projects and initiatives simultaneously under tight deadlines;
- Proven leadership skills, with the ability to develop and motivate teams;
- Strong PC skills; and
- Strong organizational and resource management skills.