Media Markt
Cybersecurity Risk Analyst (M/F/D)
Posted on Dec. 4, 2024
- Barcelona, Spain
- No Salary information.
- Full Time
Ready to digitalise retail?
Let's Go!
Cybersecurity Risk Analyst (m/f/d)
Your tasks
Key Responsibilities
- Security Risk Exceptions Management
Log and track proposed security risk exceptions in the risk management tool.
Gather and validate all necessary information from requestors, ensuring completeness and accuracy of required fields.
Engage and communicate with Team Leads within both the business and Cybersecurity teams.
Proactively follow up with requestors as due dates for risk exceptions approach.
Create and deliver monthly exception reports and ad-hoc reports as required.
Convert overdue security risk exceptions into documented risks and escalate them to relevant stakeholders.
- Risk Assessments
Document and register proposed risks in the Cyber Risk Register.
Gather and analyze data from various stakeholders to assess the impact and likelihood of identified risks.
Develop and document risk mitigation strategies, capturing stakeholder input and potential solutions.
Prepare and present detailed risk presentations using the MMS risk template.
Communicate assessment findings with Risk Owners and coordinate next steps.
Escalate significant risk acceptance proposals to Vice Presidents and the Chief Information Security Officer (CISO) for review and approval.
Produce and deliver monthly risk assessment reports to the CISO, including ad-hoc reports as necessary.
Track and follow up with risk requestors as due dates approach.
- Security Controls Testing
Engage in security maturity and controls testing processes.
Organize interviews with control owners and document results.
Collect and review the evidence provided by the control owners.
Identify and assign the correct maturity level for each control.
Deliver a report of the results.
- KPI Management
Coordinate with KPI owners to gather monthly Key Performance Indicator (KPI) data.
Update the KPI Register with newly collected data and ensure the accuracy of the records.
Identify and highlight KPIs that show concerning trends or are blocked.
Create and distribute monthly KPI reports to stakeholders, emphasizing key areas that require management attention.
- Third-Party Risk Management (TPRM)
Collaborate with the procurement team and other internal stakeholders to ensure that all vendors meeting TPRM criteria are reviewed and assessed accordingly.
Prepare and distribute weekly and monthly TPRM reports, summarizing completed assessments and identified risks.
Track and follow up on identified risks with vendors and internal teams to ensure timely resolution.
- Reporting and Communication
Develop, produce, and deliver regular reports to various stakeholders, including the CISO and executive leadership, summarizing risk trends, KPIs, and third-party risks.
Support the Risk Management team in creating ad-hoc reports and presentations as requested.
Ensure clear and concise communication of risk exceptions, risks, and recommendations.
Maintain strong working relationships with individuals and groups involved in managing cybersecurity risks across the organization.
Your profile
Education, Training and Previous Experience
Candidates will be evaluated primarily on their ability to demonstrate the competencies required to be successful in the role, as described above. For reference, the typical work experience and educational background of candidates in this role are as follows:
- Bachelor's degree in Information Security, Risk Management, Business Administration, or a related field. A combination of relevant education and experience may be considered.
- 2-5 years of experience in cybersecurity, risk management, or a related field.
- Desired but not mandatory certifications:
  - Certified Information Security Manager (CISM)
  - Certified Information Systems Security Professional (CISSP)
  - Certified in Risk and Information Systems Control (CRISC)
  - Certified Information Systems Auditor (CISA)
Business and Technical Experience
- Understanding risk assessment methodologies to identify, evaluate, and prioritize cyber risks based on likelihood and impact.
- Understanding of relevant industry regulations and data privacy laws that impact cybersecurity practices.
- Strong understanding of or experience with at least one security framework (ISO 27001, NIST CSF or similar) is mandatory. Experience with multiple frameworks will be an advantage.
- Ability to communicate complex technical concepts to both technical and non-technical audiences and collaborate effectively with IT teams and stakeholders.
- Experience with risk management tools (e.g., OneTrust, ServiceNow, or similar GRC platforms) is preferred.
- Proficiency in creating detailed reports and presentations using Microsoft Excel and PowerPoint.
- Excellent verbal and written communication skills, with the ability to engage and influence stakeholders at various levels.
- Strong analytical skills and attention to detail.
Knowledge and Skills
- Ability to identify and assess the severity and potential impact of risks based on a variety of security assessment data sources. Ability to effectively communicate risk assessment findings to risk owners outside the cybersecurity program in a way that consistently drives objective, fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance.
- An ability to apply original and innovative thinking to produce new ideas.
- An understanding of business needs and commitment to delivering high-quality, prompt and efficient service to the business.
- An ability to effectively influence others to modify their opinions, plans or behaviors.
- Excellent prioritization capabilities, with an aptitude for breaking down work into manageable parts, effectively assessing the priority and time required to complete each part.
- Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one.
- Strong problem-solving and troubleshooting skills.
- Working knowledge of applicable privacy and cybersecurity regulations.
- An ability to work on several tasks simultaneously.
- Ability to work both independently and collaboratively within a team.
- Experience with third-party risk management and vendor assessments is a plus.
What's in it for you?
- Young environment, where not everything is written in stone, and where you are expected to contribute and co-create the culture of the Tech Hub and international collaboration model
- You'll have a 10% discount on the entire MediaMarkt website, so you can treat yourself at a lower price whenever you want!
- On top of your compensation package, you can request Flexible Pay “MediaFlex program” (e.g. Ticket Restaurant, Private Health Insurance with SegurCaixa Adeslas, …)
- Flexible working time and the possibility to combine home office and on-site work. Intensive workday every Friday and during summer
- The possibility to choose between 2 offices: The first one is the MediaMarkt Iberia HQ with a very attractive menu at a price. You'll eat for less than €4! And the second office is located at Pier01, in Barceloneta, right in the center of Barcelona. Free coffee and free fruit once a week
- If you need a visa, don't worry, we'll assist you with the visa process and accompany you throughout the entire process!
- There is a training budget so you can continue developing the skills you need most to keep growing professionally and personally!
- We offer language classes: English, Spanish, and German
- On your birthday, you won't work! It's a day for you to enjoy without thinking about work
- You'll be working with the most cutting-edge technological stack of the moment
- Training plan
- Flexible working schedule, home office policy
- Gym
- Product discounts
- Wellness and healthy plans
- Media Flex, flexible retribution