Simpson Thacher & Bartlett LLP

Manager, Cyber Risk

  • Full Time
  • $185,000 - $220,000
  • New York, NY
May 1, 2025

Job Description

Job Summary & Objectives

The Manager, Cyber Risk, will manage and lead the team responsible for the cyber risk management lifecycle. The person in this role will be responsible for creating, maintaining, and continuously improving the cyber risk management framework, including, but not limited to, controls management and testing, the documentation framework for policies, standards and procedures, and the risk management methodology. The candidate will ensure that the cyber risk management framework aligns with enterprise risk management and industry best practices and will facilitate security awareness training for the Firm.

The ideal candidate is an experienced risk management professional with a strong background in risk and compliance frameworks, controls monitoring and testing requirements and implementation, and the creation, updating and management of security policies and procedures. They will possess deep knowledge of industry frameworks such as NIST, ISO, and SOC, along with strong analytical skills, attention to detail, and the ability to collaborate cross-functionally with other IT security teams and risk areas such as data privacy and enterprise risk. Exceptional communication skills are required to effectively persuade and empower stakeholders with a risk management mindset via strong policies and procedures, controls testing and training and awareness.

Essential Job Duties & Responsibilities

  • Create and continuously improve the Firm’s cyber risk management program, aligning with the Firm’s data privacy and data protection program, enterprise risk management framework, and industry standards/best practices.
  • Create and manage a controls inventory with associated compliance testing methodology.
  • Ensure alignment, consistency, and clarity of controls with policies and standards.
  • Manage and continuously improve documentation management framework.
  • Create/update cybersecurity policies and standards to align with business objectives and industry best practices.
  • Create and maintain a cyber risk register and track mitigation efforts for identified security risks.
  • Provide risk reporting metrics for control compliance to leadership including Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).
  • Ensure compliance with relevant regulatory and industry requirements (e.g., GDPR, ISO 27001, NIST, SOC 2).
  • Identify and manage control monitoring metrics (manual and automated).
  • Provide recommendations for mitigating and/or compensating controls and strategies in areas of non-compliance.
  • Create and implement a cyber risk management framework including risk ranking and risk assessment methodology.
  • Create, implement and monitor risks based on defined risk prioritization.

Education

  • Bachelor’s degree or related experience required

Preferred

  • Professional certifications, such as CISSP, CRISC, CISM, CISA, ISO 27001 Lead Auditor/Implementor.

Skills and Experience

  • 8+ years of experience in information security, with at least 5 years of experience in cyber risk management
  • Strong understanding of cybersecurity frameworks (NIST, ISO 27001, SOC, CIS Controls)
  • Strong understanding of compliance regulations (GDPR, CCPA, HIPAA)
  • Working knowledge of three lines of defense model
  • Proven ability to manage all components of risk management framework/ISMS
  • Ability to lead a small team with clear expectations and measurable results
  • Strong understanding of controls framework and compliance testing programs
  • Must be able to work collaboratively in a team environment and independently
  • Ability to handle sensitive and/or confidential material and information with suitable discretion

Preferred

  • N/A

Physical Demands (required to perform essential job functions)

Sedentary work: Exerting up to 10 pounds of force occasionally and/or a negligible amount of force frequently or constantly to lift, carry, push, pull or otherwise move objects. Sedentary work involves sitting most of the time. Jobs are sedentary if walking and standing are required only occasionally and all other sedentary criteria are met.

  • Sitting: Remaining in the seated position, particularly for sustained periods of time
  • Walking: Moving about on foot to accomplish tasks, particularly for long distances or moving from one work site to another
  • Lifting: Raising objects from a lower to a higher position or moving objects horizontally
  • Carrying: Transporting an object, usually holding it in the hands or arms, or on the shoulder
  • Pulling/Pushing: Using upper extremities to exert steady force upon an object so that the object moves toward or away from the force
  • Bending/Stooping/Kneeling/Crouching: Bending body downward and forward by bending legs and spine, or by bending legs at knees
  • Reaching: Extending hand(s) and arm(s) in any direction

Work Environment

The worker is not substantially exposed to adverse environmental conditions, as in typical office or administrative work (normal light, air and space in the work environment).

Salary Information

NY Only: The estimated base salary range for this position is $185,000 to $220,000 at the time of posting.

The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt meaning it is not overtime pay eligible.

Privacy Notice

For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.

Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, gender identity or expression, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, veteran’s status or any other legally protected status. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.
