Cybersecurity Risk Management Lead
The Cybersecurity Governance, Risk, and Compliance (GRC) team handles a wide range of cross-functional activities, including security risk management, security policies and standards, inbound and outbound due diligence, third-party risk management, compliance certifications and audits, security awareness, and more.
Each of these ongoing parallel activities entails interpreting and setting requirements, risk-based decision making, cross-functional collaboration and communication, assessing the effectiveness of security controls, and staying up-to-date on security best practices and how changes in the evolving threat landscape need to inform our strategy.
We are seeking an experienced and driven Cybersecurity Risk Management Lead responsible for identifying, measuring, reporting, and treating cyber risks, both internally and externally with partners, vendors, and customers. This position will work cross-functionally to establish and mature the cybersecurity risk management program. This will be an individual-contributor role reporting to the Senior Manager of Cybersecurity Risk and Governance. This position requires a mix of business and technical understanding to connect with various internal and external partners.
Responsibilities
- Support the evolution of SoFi's cyber risk management framework and processes.
- Design and execute cyber risk assessments in alignment with regulatory requirements and industry best practices (e.g. FFIEC, NIST).
- Define, manage, and lead risk register, risk treatment, and risk reporting process.
- Identify, implement, and maintain policies, standards, and procedures required to protect SoFi's information system assets.
- Work with teams in operations, product security, and GRC to build security metric reporting and leadership dashboards to measure success of the cybersecurity risk program.
- Identify opportunities to deploy standards and assessments (e.g. FFIEC, NIST) to improve the security posture.
- Assist in developing security and cyber risk management strategies, roadmaps, and project portfolio plans.
Minimum qualifications
- Bachelor's degree in Computer Science or an equivalent field from a fully accredited college or university
- Minimum of 7 years of technology experience with a focus on cybersecurity, including governance and cyber risk management
- Knowledge of, and experience assessing against, common security and controls frameworks: NIST CSF, NIST SP 800-53, NIST SP 800-37, ISO 27001 (or equivalent).
- Experience performing cyber risk assessments, risk quantification, and risk prioritization.
- Experience in establishing and operationalizing security metric and risk reporting programs.
- Experience leading cyber risk management processes including risk register, treatment, and reporting.
- Experience utilizing common risk management tools such as IBM OpenPages, OneTrust, MetricStream, Archer or similar.
- Strong written and verbal communication skills, with an attention to detail and a sense of curiosity.
- Self-starter with strong interpersonal and communication skills
- Demonstrates ability to assimilate new knowledge
- Ability to multitask, prioritize work, and meet deadlines in a fast-paced environment
- Knowledge of, or experience working with, cloud technologies and environments (AWS or other cloud platforms)
Preferred qualifications
- MS in a technical field or equivalent experience
- Experience working for a financial services and/or finance technology (FinTech) company
- Big 4, or management/IT consulting experience
- Security certifications, e.g. CISSP, CISM, or other relevant certifications
- Experience assessing security in a cloud-hosted environment