M Financial Group is a community of leaders comprising the best and brightest minds in our industry. By combining individuals' expertise and skill, M Financial Group has become a powerful force committed to advancing the interests of our industry, communities, and clients for over 40 years. M's solutions are rooted in the diverse expertise of our team, our collaborative approach to innovation and our comprehensive support.

We embrace a progressive, dynamic mindset for every role. M Financial Group provides a professional community that actively supports individuals with diverse backgrounds and perspectives who come together to build and support best-in-class solutions. If you're looking to be a part of a high performing, collaborative, and dedicated team, M Financial Group is in search of our next Security Analyst Sr. to join our team.

The Security Analyst Sr. role is responsible for leading the design, planning, facilitation, evaluation and implementation of information security-related policies, procedures, standards, and controls across M Financial Holdings. Assists in the development of the goals, strategy, methodologies, and outcomes of the MFH and Member Firm Information Security Policy program and related technologies. Provides leadership, expertise, and technical direction in collaboration with Infrastructure peers, junior team members, and colleagues from MFH departments. Responsible for the day-to-day operations of multiple information security-related program areas and technology systems. Prepares and presents detailed high-level reports to internal and external stakeholders at multiple levels. Acts as a subject matter expert in the security and integration of systems, applications, processes, access controls, upgrades, and enhancements for business and technical requirements for the systems M supports. Assigns work, plans, and manages department priorities in coordination with senior management within the Core Technology and Data team. Oversees the information security awareness training program to ensure all staff understands the importance of protecting client data. Mentors junior staff, provides constructive feedback, ensures quality improvement, provides leadership feedback on staff performance, and assists with goal setting for the team. Assists in the recruitment, development, and training of junior security staff.

Essential Functions

• Leads the design, engineering, implementation and operation of information security processes, policies, standards, systems, and controls based on business and technical requirements.
• Analyzes and correlates data from multiple security tools, such as endpoint protection, intrusion detection systems, security event monitors, web application firewalls and SaaS based platforms (e.g. Microsoft Cloud App Security, NetSkope, Rapid7, Cloudflare, MAM, MECM, etc).
• Protects M Financial information and information systems by analyzing public and private information sources to develop effective defensive techniques, policies, procedures, and standards.
• Develops security roadmaps, diagrams, and documentation for increased adoption of cloud platforms (AWS, Azure).
• Coordinate with the Core technology and network teams to reconcile and remediate technology assets with compliance and patching issues. Facilitate and run the Vulnerability management team meetings to discuss the risk and remediation of vulnerabilities in a timely manner.
• Develop annual goals and metrics for patch and vulnerability management program.
• Responsible for the annual compliance of the Member Firm Information Security Policy program for all Member Firms.
• Responsible for the remediation of findings in the annual MFH penetration test.
• Effectively communicates technical issues and investigative findings to technical and non-technical audiences in written and verbal form.
• Leads information sharing and integration procedures across the Core Technology and Data Team through the exchange of threat intelligence and vulnerability assessment data.
• Develop annual goals and metrics for patch and vulnerability management program.
• Coordinate and develop appropriate third-party risk management goals in coordination with Internal Audit.
• Serves as an advisor and subject matter expert on identified projects or any other M Financial initiative that may have an information security implication.
• Develops and leads user access reviews in coordination with the Internal Audit team.
• Develops and generates reports and metrics (e.g. system/control metrics, status updates, risk assessments reports, remediation reports) to support information security measurement and reporting objectives.
• Provides support and assistance across the organization related to information security related technology and programs.
• Triage, investigate, respond to, and escalate security anomalies and alerts.
• Investigates and verifies potential phishing emails for MFH.
• Investigates and provides leadership on Member Firm security incidents. Reports to the compliance and Wealth Solutions department.
• Provides on-call after-hours support as assigned, including evenings, weekends, and holidays.
• Performs other duties as assigned.

Qualifications

Education:

• Bachelor's degree in Computer Science, Information Technology, or relevant field or equivalent knowledge and skills obtained through a combination of education, training, and experience required.

Experience/Training:

• Minimum of five (5) years of experience in IT, of which at least 2 years of experience in information security is required.
• Leadership experience working with project or technical teams required.
• Financial services experience preferred.
• Computer Security certifications, such as CISSP, CISM, CompTIA Security+, Certified Ethical Hacker (CEH), GSEC highly desired.
• If there are no certifications currently, the candidate must obtain CISSP or CISM certification within 6 months of hire.

Knowledge/Skills/Abilities:

• Knowledge of regulatory and compliance standards is required (GDPR, CCPA, HIPAA, GLBA, NIST, ISO27001).
• Expertise with networking protocols and basics of TCP/IP.
• Strong knowledge with Metasploit.
• Expertise with Rapid7, NetSkope and InsightVM platform.
• Familiar with DAST and SAST concepts for web application security testing.
• Excellent project management, written and verbal communication skills.
• Ability to collect and analyze data to guide decision making while under potentially intense pressure to address security incidents.
• Ability to identify and correlate cyber threats and vulnerabilities.
• Strong understanding of adversarial tactics and techniques.
• Hands-on experience with cybersecurity, ethics, and privacy principles.
• Strong knowledge of Microsoft Azure cloud and security services (e.g. MCAS, Azure Information Protection, DLP).
• Strong knowledge of MFA specifically Okta.
• Ability to build trust and credibility with business partners and senior leadership while recommending initiatives and identifying gaps and potential issues.
• Ability to effectively lead others.

Job Conditions and Environment:

• Hybrid work environment offering a blend of virtual/work from home and onsite days designed to support flexibility
• 24/7 On Call for incident response
• Normal office environment/desk assignment
• Eligible for Hybrid work schedule
• Extensive use of PCs, computer terminal, display, keyboard, and mouse
• Extensive close work with documents, publications, databases, and spreadsheets
• Potential for light travel (10%)

This position description is not intended to be and should not be construed as an all-inclusive list of responsibilities, skills or working conditions associated with this position. While this description is intended to accurately reflect the position's activities and requirements, management reserves the right to modify, add or remove duties as necessary.