Security GRC Specialist - Regulatory Lead
Responsibilities
The Security GRC Specialist - Regulatory Lead is an experienced professional in Information Security Governance, Risk management and Compliance functions. The role involves performing security risk assessments and assessing compliance against cybersecurity related external (laws and regulations), internal (company policies) requirements and industry frameworks (NIST CSF, ISO 27001, FFIEC CAT) as well as working with other IT and security teams to implement security solutions, test the effectiveness of security controls, and document the compliance levels. It is a key role to develop, deploy, and manage the security GRC framework for SG AMER.
ESSENTIAL JOB FUNCTIONS
Cybersecurity Regulatory Lead
- Manage the regional cyber regulatory compliance program including: assessing requirements, communicating and working with internal stakeholders to ensure required controls are in place and supporting documentation is maintained. Review controls implemented for appropriateness, effectiveness, and completeness. Assist, follow-up and report on any necessary remediation actions.
- Act as a subject matter expert for all DFS500-related matters and ensure the bank maintains and enhances its level of compliance with DFS500 requirements
- Assist during cyber regulatory examinations by preparing presentations, responses and associated artifacts
- Act as the subject matter expert to develop and maintain an effective FFIEC CAT framework for the bank
- Manage the FFIEC CAT inherent and maturity assessments
- Develop related reports and metrics
Security GRC Framework Contributor
- Maintain an in-depth understanding of the broad regulatory landscape impacting business and IT areas
- Understand the impact of laws and regulations on company systems and technology
- Map external and internal requirements against security controls in place
- Develop and implement the components of the security GRC Framework for SG AMER mapping threats, vulnerabilities, risks, assets, stakeholders, assessments, standards, policies, controls into a holistic lifecycle to achieve Assess and Test Once, Report Multiple Times
- Actively manage the security GRC framework by:
- Performing various security risk assessments to identify residual risks and control gaps
- Ensuring clients, regulatory, and internal requirements are being met consistently and effectively
- Ensuring the required and expected controls are in place and working as they should
- Reviewing, and maintaining security policies, standards and procedures as needed
- Recommending tooling and process improvements of the Security GRC function, including automation
- Providing multi-level reporting to stakeholders in the company
- Build partnerships across the organization: Audit, Legal, Compliance, Information Technology, business operations, Risk management, etc. to ensure the security GRC program is aligned with business objectives and requirements
Documentation, Reporting & Analytics
- Contribute to the reporting framework that will provide regular metrics about our business and IT environment; analyze trends in security events, activities, etc. to better understand risks, and current gaps.
Profile required
KNOWLEDGE AND EXPERIENCE
- 8-10 years’ demonstrable experience in security GRC, security project management, and other security practices
- Working knowledge of relevant cybersecurity and data privacy regulations
- Knowledge of common security frameworks (NIST CSF, ISO 27001, COBIT, FFIEC CAT, etc.)
- Proficient with MS Office, project management processes, and at least one GRC tool (highly preferred to have experience with RSA Archer)
- Solid understanding of common security topics (e.g., application security, infrastructure security, vulnerability management, Identity and Access Management, data protection, cyber incident response, cloud security, etc.)
- Requires strong analytical skills, oral and written communication skills including documentation of requirements, problem solving skills, and project/program management skills and presentation skills
- Experience in managing risk and compliance (IT audit, IT or cyber risk management, regulatory compliance)
EDUCATION/CERTIFICATIONS
- Degree in IT, Computer Science, Cybersecurity, or related subject required
- Certified training in security management, risk and compliance solutions and practices
- Ability to work towards or has achieved at least one Information Security or Risk Management Certification (Security+, CISSP, CCSP, CCSK, CISA, CISM, GSEC, CRISC, etc.)
Business insight
OUR CULTURE:
At Societe Generale, we live by our 4 core values of commitment, responsibility, team spirit and innovation. We are engaged and demonstrate consideration for others. We act ethically and with courage. We focus our talent and energy on collective success. We experiment and propose new ideas. This way, we maximize our ability to serve client needs and anticipate market changes. Societe Generale is committed to strengthening bonds with colleagues, communities, and the world in which we live, because relationships are at the heart of how we operate.
For more information about our Culture and Conduct initiatives, please visit this link (https://americas.societegenerale.com/en/careers/get-know-culture/)
D&I:
Our Diversity & Inclusion Mission: Recruit, develop, advance, and retain a diverse workforce that is united in our efforts to enhance our competitive position and deliver innovative solutions to our clients.
Our Diversity & Inclusion Vision:
• Engaged workforce that is demographically diverse in a way that reflects the communities in which we operate
• Inclusive culture and workplace that recognizes employees' unique needs and utilizes their diverse talents
• Engage our community and marketplace, and position the organization to meet the needs of all its clients
For more information about our D&I initiatives, please visit this link (https://americas.societegenerale.com/en/societe-generale-about/diversity-and-inclusion/)
HYBRID WORK ENVIRONMENT:
For most positions, Societe Generale offers a hybrid work arrangement that offers employees the flexibility to work remotely, as well as on-site, in order to promote interaction and collaboration with colleagues while adhering to all SG standard protocols. Hybrid work arrangements vary based on business area. The applicable Business lines will determine and communicate the work arrangements that best meet their business needs.
COMPENSATION & SALARY RANGE:
Base salary range does not include overtime pay, bonus and/or other benefits, where applicable. Actual base salary offer will vary based on skills and experience.
Societe Generale is an equal opportunity employer, and we are proud to make diversity a strength for our company. We are committed to recognizing and promoting the talents and achievements of our employees and staff, regardless of race, religion, color, national origin, sex, disability, age, gender, sexual orientation, and any other characteristic or status protected under applicable law.