Director of Technology Risk Strategy

Get Referred

Job Description

Why American Express?

There’s a difference between having a job and making a difference.

American Express has been making a difference in people’s lives for over 160 years, backing them in moments big and small, granting access, tools, and resources to take on their biggest challenges and reap the greatest rewards.

We’ve also made a difference in the lives of our people, providing a culture of learning and collaboration, and helping them with what they need to succeed and thrive. We have their backs as they grow their skills, conquer new challenges, or even take time to spend with their family or community. And when they’re ready to take on a new career path, we’re right there with them, giving them the guidance and momentum into the best future they envision.

Because we believe that the best way to back our customers is to back our people.

The powerful backing of American Express.

Don’t make a difference without it.

Don’t live life without it.


The American Express IT Risk and Information Security organization is currently hiring a Director of Technology Risk Strategy reporting to Vice President of IT Risk Management and Services.  This position will be responsible for leading strategic initiatives that support the mission and vision of Technology and ensuring day-to-day activities support organizations goals.

Responsibilities Include:
  • Ownership and governance of the following strategic initiatives: refining strategy, maintaining alignment between outcomes and evolving business strategy, and actively directing execution to deliver promised outcomes and value.

    • IT Risk and Control Catalog -- including buildout, refinement, and ongoing maintenance of control content against regulations and industry frameworks, in partnership with Information Security and IT subject matter experts.

    • Threat Catalog and Quantification Index -- including maintenance of dynamic threat data, in partnership with Cyber threat Intelligence, to capture emerging threats and evolving control environment.

    • Technology Risk Calculator -- including further development of calculation model, integrations, and capabilities.

    • Risk Treatment policy – including developing the protocols, tooling, and governance processes for risk mitigation and acceptance.

    • Continuous Controls Monitoring (CCM) and Testing – including governance and program management of CCM and testing of IS and IT controls. Partnering with Cyber Analytics team to buildout and leverage platforms to enable CCM and automated control testing.

  • Risk Management Tooling
    • Product ownership of Technology Risk Management tools, responsible for ongoing support and maintenance of tools and utilities and additional development of capabilities.

    • Driving strategy and roadmap for tooling to support Technology Risk functions and strategic initiatives.

  • IT Risk & Control Analytics
    • Partnering with control owners develop and execute strategy for analytics capabilities of IT Risk domains (IT Risk comprises all the non-cybersecurity risk domains of Technology).

    • Partner with Cyber Analytics
    • Risk Assessment Strategy
  • Provide expertise and leadership in relevant risk committees as appropriate on behalf of IT Risk and Information Security

  • Produce meaningful risk metrics that are consumable by multiple levels in the organization including IS & IT management, Enterprise Risk Management, Executive Management and auditor and regulator


    Required Work Experience, Education, Certification / Training:

    • Bachelor’s degree
    • 12-15 years or more of work experience in risk management, information security, compliance, and/or audit
    • Experienced people leader with demonstrated ability to recruit and retain high performing talent in support of organizational strategy and objectives
    • Preferred: certifications in information security, audit or risk management are preferred, e.g. CISSP, CRISC, CISA

    Required Knowledge, Skills and Abilities:

    • Thorough knowledge of IT processes and controls and a deep understanding of risk and control frameworks e.g. NIST, ISO, CIS Critical Security Controls
    • Demonstrated ability to quickly pick up new functional and technical areas and provide oversight and direction
    • Strong analytical skills and thinking, data-driven acumen, proficiency in analysis of risk management data, and knowledge of analytic methods
    • Good understanding of the organization’s goals, objectives, and key cyber threats and risks to those objectives
    • Knowledge of applicable information security standards and regulatory requirements
    • Proficiency in technology risk management and information security
    • Outstanding written and oral communication skills, and ability to adeptly bridge the gap between technical and business context.
    • Strong interpersonal skills and ability to collaborate effectively
    • Highly self-motivated and directed, and keen attention to detail

    Employment eligibility to work with American Express in the U.S. is required as the company will not pursue visa sponsorship for these positions. 

    ReqID: 19016888
    Schedule (Full-Time/Part-Time): Full-time
    Date Posted: Sep 10, 2019, 1:13:36 PM