State Street is a leading provider of financial services to institutional investors around the world.
This role provides highly specialized expertise and assistance to support the execution of Audit’s assurance coverage over enterprise cyber and information security controls, functions and programs. Assurance activities include performing detailed technical design and implementation reviews of existing and transformative initiatives, designing repeatable assessment methods using source security and alternative system data, designing and implementing high-level test objectives and detailed testing procedures, and assessing risk using industry-based approaches. The scope of responsibility will include auditing threat intelligence, threat detection and response, privileged access controls, security event and incident monitoring, application and infrastructure security vulnerability assessments and remediation, secure lifecycle management and development practices, and cyber incident response management.
This role is responsible for maintaining effective and productive partnerships with key senior leaders in the security and IT organization and within defined transformation initiatives. As a direct report to the Managing Director for IT Infrastructure and Cyber Assurance, this role will support the annual audit planning and development, risk assessment, scoping and execution of audits related to the global IT processes and risks.
What you will be responsible for:
Key responsibilities include:
- Defining Audit’s annual cyber assurance strategy and plan, and providing quarterly updates and prioritization reviews as needed.
- Designing and executing focused risk-based cyber control and effectiveness assessments and reviews.
- Consulting with IT and Business Audit leads on Cyber and Information Security risks, controls and relevant program coverage.
- Reviewing, approving and, if necessary, preparing supporting audit work products to ensure appropriate identification, reporting and escalation of control and operational issues.
- Demonstrating and maintaining up-to-date knowledge of and insight into accepted and leading industry practices, tools and services for:
  - threat intelligence,
  - threat detection and response,
  - privileged access controls,
  - security event and incident monitoring,
  - application and infrastructure security vulnerability assessments and remediation,
  - secure lifecycle management and development practices, and
  - cyber incident response management
- Influence effective and sustainable improvements to processes and controls through insights gained based on risk and control expertise
- Manage, coach and develop staff, including participating in the talent management, staff evaluation, and new hire processes.
Additional responsibilities include:
- Participate as a non-voting member of various steering committees, management working groups, promoting balanced discussions and encouraging challenge and debate
- Prepare relevant inputs for management reporting within the department and governance committees
- Provide insight on the evolving technology regulatory environment and interact with regulators.
Skills needed to succeed in this role:
- Ability to manage complexity, to effectively prioritize multiple tasks and work independently in non-routine situations and in a fast-paced environment
- Deep understanding of Cloud-based services and platform operations
- Excellent analytical, problem resolving, communication (written and verbal), interpersonal, organizational and presentation skills
- Experience in data analytics and data visualization
- Strong client relationship and employee management skills
- Fluency in English – written and spoken
Education & Preferred Qualifications
- Bachelor’s degree, preferably in cyber and information systems or computer science; advanced degree in information technology and/or cyber security or systems engineering
- Demonstrated experience in managing diverse teams, and large-scale projects
- Proficient or knowledgeable in evaluating and testing internal controls and in applying a risk-based audit approach
- One or more industry-recognized certifications (i.e., CISA, CISSP, CISM, CEH, GSEC, SSCP, CASP, GCIH and OSCP) and the willingness to continue to learn and grow
- 10 plus years of experience in Public Accounting, IT Audit, Consulting, or Business Process Engineering preferred, ideally in the Financial Services industry.
- Strong expertise or experience designing, implementing and evaluating/auditing technology-driven cyber and information security programs supporting: threat intelligence, threat detection and response, privileged access controls, security event and incident monitoring, application and infrastructure security vulnerability assessments and remediation, secure lifecycle management and development practices, and cyber incident response management
While the majority of the time you will work from your primary location, some domestic and international travel may be required to a variety of locations where State Street operates.
COVID-19 Protocols: Complying with State Street’s COVID-19 protocols is a condition of employment. Those requirements may vary depending on circumstances and legal requirements, and may include, without limitation, a requirement to be vaccinated (or have an accommodation), to disclose vaccination status, to provide evidence of vaccination status, etc.