The Information Security Technology Risk Lead is responsible for the development and delivery of First Quality’s Information Security Program which includes information security risk management across First Quality Enterprises. This program ensures that all physical and digital information assets and technologies, as well as employee, client and First Quality data are adequately protected. This role is responsible for defining and maturing the second line of defense and providing management with updates on the overall security posture of the organization. This role will report to the Manager of Information Security Governance, Risk, Compliance and Strategy.
As a Technology Risk Lead, you will play a key role in safeguarding our environment and driving information security initiatives across the organization. In this position, you will help shape and enforce First Quality’s security posture, leveraging security-owned systems and platforms to identify, detect, and remediate security risks and non-compliance with First Quality Policies, Standards, and Procedures, as well as key industry frameworks and applicable laws and regulations.
ESSENTIAL DUTIES AND RESPONSIBILITIES
The Technology Risk Lead will be tasked with leading the following Information Security Programs: Enterprise Technology Risk Management, Data Governance, Security Awareness & Training, and Compliance, and with supporting daily functions. This position will work alongside the Manager of Information Security Governance and other IS team members to identify ways to innovate and mature the Information Security program. This Lead will be directly responsible for conducting IS technical risk assessments of First Quality systems and platforms against industry standards and frameworks such as the Center for Internet Security (CIS). This is a technical role where the candidate is expected to identify system misconfigurations, weaknesses, gaps, and associated risks across numerous platforms.
The ideal candidate will perform in-depth security evaluations, create risk mitigation plans, and offer expert advice on identified security issues, both proactively and reactively, in a potentially fast-paced environment. Beyond working with the security team, this role will also engage with cross-functional departments to advise on best security practices for new and existing business-led projects and promote a culture of cybersecurity awareness. The Technology Risk Lead will also focus on continuous improvement by tracking security metrics, analyzing trends, and delivering practical solutions that align with both security and business objectives.
Enterprise Technology Risk Management
- Perform technology risk assessments and control assessments to ensure systems and applications (on-prem and in the cloud) are complying with First Quality policies, applicable regulatory and legal requirements, and leading industry frameworks and practices.
- Assist with the Cyber Business Impact Analysis (CBIA) process to determine the overall confidentiality, integrity, and criticality of all systems and platforms.
- Mature the Information Security Risk Management Program by managing the IS risk register and ensuring appropriate risk management strategies are in place and followed up on.
- Meet with business stakeholders to quantify risks across the organization and maintain the top board level security risks.
- Develop and drive the implementation of security best practices and standards to mature the overall IS Risk Management Program which includes defining security system and application standards of control.
- Provide GRC advisory services to the business (technical and non-technical) to ensure Information Security standards are implemented and appropriate risk mitigation strategies are in place.
- Work with the Manager of Information Security Governance, Risk, Compliance and Strategy as well as senior leadership to determine the acceptable level of risk for enterprise computing platforms.
- Liaise with key functional teams such as HR, IT, Digital Marketing, Finance, Internal Audit, Enterprise Risk, Quality, Office of General Counsel, and the Business to identify new applications and service providers in use and the associated security controls necessary to secure the data.
Data Governance
- Investigate incidents and events that include potential HIPAA and other data breaches, data leakage, brand reputational risks, malware propagation, system compromises, etc.
- Assist with operationalizing the Data Loss Prevention (DLP) Program by reviewing and enhancing security technologies, configurations, and policy alerts from systems such as MS Purview and Compliance Center, CrowdStrike, Palo Alto, Netskope etc.
- Establish and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the Data Governance Security Program and initiatives.
Security Awareness & Training
- Oversee the enterprise-wide IS Security Awareness Program, which includes phishing simulations, computer-based training, proactive communications on the latest threats, workshops, and newsletters.
- Promote a security mindset through enterprise-level and functional-team-specific presentations and initiatives.
Compliance
- Work with the Office of General Counsel and both the Director and Manager of Information Security Governance, Risk, Compliance and Strategy to ensure the Information Security team stays abreast of new regulatory, legal, and/or compliance security and privacy requirements that the organization must comply with.
- Ensure compliance with HIPAA and applicable legal and regulatory requirements.
QUALIFICATIONS: To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
- B.S. in a technology discipline (Computer Science, Information Management, Computer Engineering, Cybersecurity, or equivalent); security certifications such as CompTIA Security+, CISSP, CISA, CCNA, or equivalent, or working towards certification, are preferred.
- 6+ years' experience working directly in an Information Security or Information Technology department, with experience in developing and testing security frameworks for compliance.
- Hands-on experience with assessing security configurations in Windows/Mac/Linux environments, Azure and other cloud environments, SQL and Oracle databases.
- Experience with Netskope, Azure Purview, OneTrust or similar GRC tools is a plus.
- Experience with Operational Technology (OT) environments and securing manufacturing devices is a plus.
- Strong knowledge and understanding of endpoint, server, and network design and topologies.
- Strong understanding of a "hacker's" mentality.
- Excellent written and oral communications skills; ability to lead discussions, present complex ideas to audiences of all sizes, and interact with all levels of the organization.
- Ability to self-manage, work independently with little direction and/or supervision but also work collaboratively in a team environment.
- Working knowledge of the following frameworks and regulations: ISO 27001/2, NIST 800-53, NIST CSF, CIS Benchmarks, ISF Standard of Good Practice, HIPAA Privacy Rule and Security Rule, MITRE ATT&CK framework.
- Ability to prioritize and multitask; a work approach that supports flexibility and adaptability is paramount.
- Detail-oriented, with the ability to think outside the box to propose solutions to risks.
- Ability to communicate security risks to non-technical business stakeholders.