American Express Careers
Director of Information Security Risk Assessments
Why American Express?
There’s a difference between having a job and making a difference.
American Express has been making a difference in people’s lives for over 160 years, backing them in moments big and small, granting access, tools, and resources to take on their biggest challenges and reap the greatest rewards.
We’ve also made a difference in the lives of our people, providing a culture of learning and collaboration, and helping them with what they need to succeed and thrive. We have their backs as they grow their skills, conquer new challenges, or even take time to spend with their family or community. And when they’re ready to take on a new career path, we’re right there with them, giving them the guidance and momentum into the best future they envision.
Because we believe that the best way to back our customers is to back our people.
The powerful backing of American Express.
Don’t make a difference without it.
Don’t live life without it.
The American Express IT Risk and Information Security organization is currently hiring a Director of Information Security Risk Assessments, reporting to the Vice President of IT Risk Management and Services. This position will be responsible for leading the program that ensures formalized risk management techniques are embedded across all aspects of Information Security.
The person in this position will lead key functions in the Technology Risk Management Lifecycle, working in partnership with security control owners and the Chief Information Security Officer. Specifically:
- Risk Identification:
  - Identify and provide insight on the top security risks facing American Express.
  - Maintain the global risk register of top security risks.
  - Identify emerging Information Security risks impacting American Express.
  - Lead and execute periodic processes to identify risks.
- Risks and Controls Assessment:
  - Execute continual cyber risk and controls assessments to establish an accurate view of American Express's inherent and residual risk posture, and determine appropriate risk baselines to manage risk to greater maturity over time.
  - Lead the team that performs continual information security risk assessment and gap analysis processes, including assessments of new products and applications.
  - Execute periodic regulatory assessments (e.g. OSFI, CAT, NYDFS) using structured control documentation.
  - Lead annual cyber risk assessments in partnership with Information Security leaders.
  - Act as the subject matter expert for process risk self-assessments of processes owned by businesses across the enterprise.
  - Maintain and enhance the Information Security risk assessment methodology and framework; ensure the methodology is built for efficiency and continuously updated to reflect the ever-changing nature of cyber threats.
- Risk Treatment:
  - Work closely with the Information Security team to provide support and risk guidance in remediating security risks.
  - Assist Information Security leadership in developing, maintaining, and enforcing policies, guidelines and standards related to IS risk management.
Additional responsibilities include:
- Engaging with Information Security control owners throughout the risk management lifecycle.
- Acting as the subject matter expert in Information Security controls, regulatory requirements and industry frameworks, globally.
- Providing expertise and leadership in relevant risk committees, as appropriate, on behalf of IT Risk and Information Security.
- Building partnerships and managing communication with the Office of the General Counsel, Compliance, Audit, and Risk Oversight organizations.
- Developing and refining the Technology Risk Management strategy, in collaboration with the Technology Risk Strategy function.
Required Work Experience, Education, Certification / Training:
- Bachelor's degree.
- 12 to 15 years or more of work experience in risk management and information security.
- Experienced people leader with a demonstrated ability to recruit and retain high-performing talent in support of organizational strategy and objectives.
- Certifications in information security, audit or risk management are preferred, e.g. CISSP, CRISC, CISA.
Required Knowledge, Skills and Abilities:
- Strong knowledge of and experience in risk assessment and relevant methodologies, including quantitative risk management techniques.
- Proficiency in information security, risk management and audit (risk/security policies, procedures and controls).
- Knowledge of applicable information security standards and regulatory requirements.
- Strong analytical skills and thinking, data-driven acumen, proficiency in the analysis of risk management data, and knowledge of analytic methods.
- Thorough knowledge of IT processes and controls and a deep understanding of risk and control frameworks, e.g. NIST, ISO, CIS Critical Security Controls.
- Good understanding of the organization's goals and objectives, and of the key cyber threats and risks to those objectives.
- Demonstrated ability to quickly pick up new functional and technical areas and provide oversight and direction.
- Outstanding written and oral communication skills, and the ability to adeptly bridge the gap between technical and business context.
- Strong interpersonal skills and the ability to collaborate effectively.
- Highly self-motivated and self-directed, with keen attention to detail.
Employment eligibility to work with American Express in the U.S. is required as the company will not pursue visa sponsorship for these positions.
Schedule (Full-Time/Part-Time): Full-time
Date Posted: Sep 10, 2019, 4:15:16 PM