The Enterprise Information Risk Management Officer serves as a key authority in technology and Cybersecurity risk management, acting as an independent second line of defense, overseeing the effective identification, mitigation, monitoring, and reporting of enterprise technology and cybersecurity risks. As a subject matter expert (SME), advise first-line leaders and technical teams, ensuring alignment with the bank's risk appetite and objectives. Actively influences cybersecurity strategies by providing recommendations to senior leadership and the board. Critically reviews first-line risk and security assessments, Policies, Standards and Risk Acceptances, ensuring their adequacy. Plays an active role in technology risk committees, upholding regulatory requirements, and guiding the formulation and oversight of enterprise-wide technology risk policies. This includes active and independent oversight of the First Line's Governance, Risk and Compliance (GRC) function, which includes review and acceptance of all reporting to Executive Management and the Board Risk Committees. This role reports to the Enterprise Risk Management Director.

Principal Duties & Responsibilities:

• Provides independent risk oversight (second line of defense/2 LOD) ensuring effective identification, mitigation, monitoring and reporting of enterprise technology and cybersecurity risks.
• Serves as SME; provides risk advisory to 1 LOD leaders (Chief Information Security Officer, Chief Information Officer, Chief Technology Officer) and technical teams, supporting the bank's strategies and objectives to operate within established risk appetites.
• Influences cybersecurity management through recommendations to the bank senior leadership, including the Board of Directors, Senior Management and other CNB executives to form decisions on risk prioritization to close identified gaps.
• Reviews and challenges adequacy of risk and information security assessments and testing produced or contracted by first line of defense (RCSAs, FCAT, Pen Testing, others).
• Ensures enterprise technology risks are properly recorded on the bank’s enterprise risk management platform.
• Ensures proper strategies are in place to bring risks to acceptable levels.
• This includes ensuring proper remediation actions are properly implemented, such as adoptions of new security technologies and platforms, business processes, third-party contracts, among others.
• Ensures enterprise technology risks are properly reported to Sr. Management and Board of Directors, including but not limited to KRIs and other metrics.
• Serves as member of the technology risk committee and participate in the enterprise management and board risk committees when applicable for technology risk related topics.
• Upholds regulatory requirements for technology risk.
• Ensure regulatory changes affecting the technology landscape are effectively understood, represented in policies and procedures and properly implemented.
• Provides direction and guidance in the development, implementation and maintenance of policies, procedures and standards.
• Executes oversight of multiple enterprise-wide policies affecting technology risk.
• In the event of significant cybersecurity incidents, performs oversight ensuring 1 LOD incident response plan activities are executed accordingly.

• 8-10 years of work experience in the fields of cybersecurity, information technology, or risk management required. 
• 5-7 years of experience with analysis emerging threats and reports that describe the implications of threat(s) and opportunities to executives or senior decision-makers preferred. 
• In-depth knowledge and ability to effectively manage all major aspects of IT, Data and Information, Security, as well as Risk and Compliance within the IT organization.
• Demonstrated experience overseeing IT and Cyber-related risk assessments in a complex technical environment.
• Excellent verbal and written communication skills.
• Must possess strong analytical capabilities and have a desire to learn new things.
• Ability to communicate clearly and to interact effectively at all levels of the organization, and to influence as warranted and appropriate.
• Passion and expertise in cybersecurity, with an ability to be confident, respectful, and articulate when registering dissenting or unpopular opinions.
• Ability to manage multiple projects while maintaining superior results.
• Ability to work cross-functionally, individually, and to lead work among a team.
• Execution oriented and a self-motivator.

• Bachelor's Degree in Cyber Security or related field. 

• Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities.
• Please view Equal Employment Opportunity Posters provided by OFCCP here.
• The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)
• Reasonable accommodation may be made to assist individuals with disabilities to complete the online application process. Please contact our Human Resources Department at 305-577-7680 or by e-mail at employment@citynational.com.