Sr. Information Security Officer, Managing Director

State Street Bank International GmbH (‘SSBI’) seeks to recruit a Senior Information Security Officer, Managing Director (Sr. ISO) to improve the overall protection of SSBI, its customers and partners from an evolving and sophisticated threat landscape.

The candidate should have a proven track record in global cyber security and as a risk leader who has experience in delivering on strategic outcomes with business operational quality and a focus on business needs. The candidate should have experience in large scale cyber transformations and execution.

The SSBI Sr. ISO reports to the SSBI Chief Governance Officer and closely cooperates with the SSBI Head of IT and the wider management team. Key stakeholders include:

• Information Security Officers
• Business and Functional Leaders
• Cyber Fusion Center
• Cyber Architecture & Security Engineering
• First Line Risk and Controls
• 3LOD Partners

The SSBI Senior Information Security Officer (Sr. ISO) will drive compliance with GCS security controls in their business unit/region/country/functional area which they represent. The Sr. ISO will serve as a trusted and influential information security advisor to senior-level business management in a large organization.

The SSBI Sr. ISO roles and responsibilities are defined under five domain areas with the following objectives and specific responsibilities for each domain:

Information Security Program Development and Management

Objective: Develop and manage the information security program within the business unit to drive compliance with information security supplemental requirements and reduce risk.

• Identify senior business management and build relationships to ensure effective information security governance is established.
• Understand context of the business unit - internal and external issues, organizational structure, organizational drivers, geography, strategy, legal and regulatory requirements.
• Develop an information security strategy aligned to the business unit strategy, defining the goal of information security, objectives and the desired state.
• Develop and maintain an information security policy, associated standards and procedures.
• Define the activities to be performed within the information security program, and assign ownership.
• Establish relevant metrics to evaluate the effectiveness of the information security program.
• Monitor and review information security program, to ensure continual development and improvement.

Risk and Incident Management

Objective: Manage information security risk and incident response, from assessment through mitigation of risk, and throughout the entire lifecycle of incident management.

• Support the business unit in identifying high risk/critical processes and technology.
• Assess information security risk associated with high risk/critical business processes and technology.
• Integrate information security risk review into lifecycle processes.
• Attend risk and technology committees, identifying, documenting and communicating Information Security risks.
• Act as Information Security representative during regulatory and statutory engagements.
• Review and approve non-standard access for high risk access.
• Participate in security incident response program representing the business area.

Measurement

Objective: Develop metrics for measuring the information security program and related activities.

• Establish and agree on appropriate reporting with senior management.
• Complete the quarterly ISO maturity assessment.
• Identify failed business controls and provide support on remediation.
• Create development plans for all information security resources.

Communication

Objective: Establish internal and external communication channels that support information security.

• Report on potential business impact of proposed new information security supplemental requirements.
• Report significant changes in information security risk to appropriate level of management.
• Provide regular communication on threat intelligence relevant to the business unit.
• Report on impact or potential impact of security incidents to senior management.

Education

Objective: Maintain up to date knowledge of evolving information security threat landscape and provide information security awareness, training and education to key stakeholders.

• Design and develop an interactive and engaging program for information security awareness and training.

Furthermore, the Sr. ISO (MD) is responsible for:

• Global collaboration with Global Cyber Security and assigned business partner teams.
• Team management to create a high performing team and environment.

Education & Preferred Qualifications

The Sr. ISO (MD) should possess the following skills/experience:

• 12+ years of experience in cyber security risk and controls.
• Experience with communicating with the European Central Bank.
• Modern technical aptitude and experience developing and implementing large-scale innovation.
• Interaction with governing bodies, i.e. ECB, Bafin, Bundesbank, Prüfungsverband, etc.
• Depth with modern technology stacks.
• Project Management experience leading large and small technical teams.
• Experience operating in a regulated environment.
• CISA, CISM, CISSP or similar certification required or an agreed upon plan to achieve this certification within 1 year of hire.
• Bachelor’s degree or equivalent in a relevant field.

Critical Leadership Capabilities

• Driving results
• Strategic Thinking
• Collaborating & Influencing
• Change Management
• Senior Executive communication
• Personnel Management
• Project Management