Senior Specialist - Technology and Cybersecurity Risk - Enterprise Data

Leads risk analysis for complex initiatives within the Enterprise Data division, serving as the primary First-Line risk representative for this space. This role influences the overarching risk framework, drives data‑centric risk governance, and provides advanced guidance to leadership to support informed decision‑making aligned with organizational imperatives. The individual must bring strong experience in process mapping, audit practices, data governance, and the DCAM framework, with the ability to independently evaluate data processes, identify control gaps, and recommend corrective actions.

• Develop and implement strategic approaches for in‑depth risk assessments across Enterprise Data, ensuring comprehensive coverage of all data‑related capabilities, processes, and governance functions.
• Create, maintain, and analyze detailed process maps to identify points of failure, operational inefficiencies, control gaps, and potential risks; translate findings into actionable remediation plans and new or enhanced controls.
• Apply audit‑driven methodologies to evaluate Enterprise Data processes, ensuring alignment with regulatory expectations, internal standards, and industry best practices.
• Leverage the DCAM framework to assess data management maturity, identify capability gaps, and guide the Enterprise Data organization toward stronger governance and compliance.
• Develop and execute sophisticated risk management frameworks and programs that align Enterprise Data practices with business objectives and regulatory requirements, including leading risk and control self‑assessments and summarizing complex findings for leadership.
• Drive enforcement of risk and governance frameworks, providing expert guidance and continually assessing regulations, standards, and emerging risks to achieve industry‑leading compliance across data operations.
• Act proactively as the first‑line risk owner, independently identifying emerging risks, control weaknesses, and areas requiring improvement across Enterprise Data—without waiting for issues to be escalated or discovered by second‑ or third‑line functions.
• Spearhead collaboration among cross‑functional teams and senior/executive leadership, ensuring Enterprise Data practices align with broader business goals, regulatory requirements, and enterprise risk expectations.
• Coordinate preparation and response to regulatory engagements, including reviewing responses for accuracy, organizing documentation, and leading exam management activities (e.g., first‑day letters, follow‑up requests).
• Encourage innovation in risk management strategies by identifying advanced methodologies to address evolving data‑related risks and recommending implementation paths to Technology and Enterprise Data leadership.
• Provide advanced mentorship to mid‑level analysts, fostering professional growth and ensuring a high standard of risk analysis and data governance expertise across the team.
• Contribute to the design and delivery of training programs to strengthen organizational knowledge of data risk management, data governance, and associated regulatory expectations.
• Understand and adhere to the Company’s risk and regulatory standards, policies, and controls in accordance with the Company’s Risk Appetite. Identify risk‑related issues requiring escalation.
• Promote an environment that supports belonging and reflects the M&T Bank brand.
• Maintain internal control standards, including timely remediation of audit points and regulatory issues.
• Complete other related duties as assigned.

• This role primarily interacts with senior people leaders within the Technology and Cybersecurity teams, senior people leaders of Technology and Cybersecurity Risk, and internal partners such as the Risk Division, Internal Audit, and Regulatory Affairs. 
• Work is accomplished with periodic direction.  The position exercises judgement in selecting methods, techniques, and evaluation criteria in obtaining results. It exerts significant latitude in determining objective of assignment and takes calculated risks with consultation from expert. 
• This role may present to Regulators under direction of senior Technology and Cybersecurity Risk leaders.

• Bachelor's degree and a minimum of 7 years’ relevant work experience, or in lieu of a degree, a combined minimum of 11 years’ higher education and/or work experience
• Demonstrated expert knowledge of Technology and/or Cybersecurity risk principles
• Minimum of 6 years' relevant work experience in or with the specific Technology, Cybersecurity risk area and/or business unit

• Master's degree in Information Technology, Computer Science, Cybersecurity, Law, Business Administration, or related field
• Applicable certification align to function or domain such as Certified in Risk and Information Systems Control (CRISC®), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP)
• Ability to lead critical analysis of work and problem solve
• Excellent communication and interpersonal skills
• Experience partnering with leadership to design solutions aligned with business needs
• Excellent ability to strategically seek critical information, and apply across a broad array of processes
• Prior experience prioritizing across competing priorities and quickly changing landscape, and execute outcomes aligned with priorities
• Experience effectively influencing peers and leaders
• Ability to train and mentor peers