Head of Cyber Risk Management

CA CIB Americas
New York, NY

Summary:

The Head of Cyber Risk Management is a senior leadership role responsible for establishing, maintaining, and overseeing the organization's comprehensive Cyber Risk Management framework including core components of Governance, Risk, and Compliance. This individual will lead the identification, assessment, mitigation, monitoring, and reporting of cyber risks across the enterprise, ensuring alignment with business objectives, regulatory requirements, and industry best practices. This role requires deep expertise in both cybersecurity principles and risk management methodologies within the context of a complex and highly regulated environment.

The Head of Cyber Risk Management will work closely with executive leadership, technology teams, compliance, legal, internal audit, and business units to embed a strong cyber risk culture. The successful candidate will ensure that cyber risk management practices align with the organization's risk appetite, global regulatory obligations (e.g., FFIEC, HIPAA, NYDFS, and DORA), and strategic objectives, ultimately safeguarding sensitive data, intellectual property, and operational continuity.

Key Responsibilities:

1. Cyber Risk Framework Leadership:

· Own, maintain, and mature the organization's Cyber Risk Management Framework (CRMF), ensuring alignment with industry standards (e.g., NIST CSF, CRI, FFIEC) and specific regulatory frameworks applicable to our industry.
· Integrate the Cyber Risk Management program with the overall Enterprise Risk Management (ERM) framework.
· Define and implement cyber risk assessment methodologies (qualitative and quantitative) suitable for diverse assets, including IT, OT/manufacturing systems (if applicable), cloud environments, and third parties.
· Champion the integration of cyber risk considerations into business processes, technology adoption, and strategic initiatives.
· Define the organization's cyber risk appetite and tolerance levels in collaboration with executive management and the Board.
· Oversee the implementation and management of tools and techniques for risk analysis, including threat modeling, vulnerability assessments, and potentially quantitative risk analysis (e.g., FAIR methodology).

2. Risk Assessment & Analysis:

· Direct and oversee periodic and event-driven cyber risk assessments across the enterprise landscape.
· Analyze threat intelligence, vulnerability data, and control effectiveness to provide a clear picture of the cyber risk posture.
· Focus specifically on risks related to sensitive data (e.g., client financial data, intellectual property), critical systems (e.g., manufacturing control systems, core financial platforms), and regulatory compliance failures.
· Mature the organization's third-party cyber risk management program, ensuring rigorous assessment and ongoing monitoring of vendors and partners.

Reporting & Metrics:

· Develop, track, and report on Key Risk Indicators (KRIs) and cyber risk metrics tailored to different audiences, from technical teams to the Executive Leadership Team and Board committees.
· Maintain an accurate and up-to-date enterprise cyber risk register.
· Communicate the cyber risk landscape, trends, and mitigation progress effectively through dashboards and formal reports.

Team Leadership & Stakeholder Engagement:

· Build, lead, and mentor a high-performing team of cyber risk professionals.
· Foster a culture of risk awareness and proactive risk management across the organization.
· Establish strong partnerships with Legal, Compliance, Internal Audit, Risk Management (if applicable), and other key business functions.

Core Competencies:

Required Qualifications:

· Education: Bachelor's degree in Computer Science, Information Security, Risk Management, Business Administration, or a related field.
· Minimum of 7-10 years of progressive experience in information security and/or risk management.
· Minimum of 5-7 years in a leadership role managing cybersecurity or cyber risk functions.
· Crucially: Demonstrable experience working within a highly regulated industry (e.g., finance, banking, insurance, healthcare, energy, defense). Deep understanding of the specific regulatory requirements pertinent to that industry.

Required: Bachelor's degree in Cybersecurity, Information Technology, Business Administration, or a related field. Minimum 7-10 years of experience in information security or related field.

Preferred: Advanced degree (MBA, MS) is strongly preferred. Relevant industry certifications (CISSP, CISM, GIAC) are strongly preferred. At least 3 years of experience in a senior leadership role within the banking or financial services industry.

Posted 2025-07-29
