BNY
Senior Director, Head of Cyber Assessments (Pipeline)
Join to apply for the Senior Director, Head of Cyber Assessments (Pipeline) role at BNY.

At BNY, our culture allows us to run our company better and enables employees’ growth and success. As a leading global financial services company at the heart of the global financial system, we influence nearly 20% of the world’s investible assets. Every day, our teams harness cutting‑edge AI and breakthrough technologies to collaborate with clients, driving transformative solutions that redefine industries and uplift communities worldwide. Recognized as a top destination for innovators, BNY is where bold ideas meet advanced technology and exceptional talent. Together, we power the future of finance – and this is what is all about. Join us and be part of something extraordinary. We welcome you to apply!

When applying to this pipeline/general posting, our expert BNY Talent Acquisition Team may also review your resume for consideration across other open roles within the company.

We’re seeking a future team member for the role of Senior Director, Head of Cyber Assessments (Pipeline) to join our Information Security team. This role can be located in New York, Pittsburgh, or Lake Mary.

Strategy & Vision
Define and execute a multi‑year offensive security strategy aligned to enterprise risk, threat landscape, and business priorities.
Establish a risk‑based testing portfolio and annual plan spanning application, infrastructure, cloud, OT/IoT, mobile, and third‑party environments.
Integrate threat intelligence and MITRE ATT&CK‑informed adversary emulation to prioritize impactful scenarios.

Program Delivery & Operations
Lead a high‑volume, global pipeline of tests: scoping, SOWs/LOEs, scheduling, resourcing, change control, and post‑engagement validation.
Oversee control testing schedules, exam management, and timely closure of audit and regulatory issues; ensure QA/QC, independence, and separation‑of‑duties.
Drive purple‑team exercises and continuous validation (e.g., BAS) to measure control effectiveness and reduce attacker dwell time.
Ensure high standards for methodology, reporting quality, reproducibility, and remediation guidance.
Implement robust metrics, dashboards, and OKRs that show coverage, risk reduction, and time‑to‑remediate.

Key Performance Indicators (KPIs)
Risk‑based coverage across critical assets and high‑value targets (HVTs).
Reduction in control drift and purple‑team dwell time; measurable uplift in detection/response efficacy.
Audit and regulatory exam outcomes (on‑time, no/low‑severity issues, rapid issue closure).
Program throughput and on‑budget delivery; vendor performance against SLAs.
Stakeholder satisfaction (BU/Tech leaders) and talent retention/engagement.

People Leadership & Culture
Recruit, develop, and retain top talent across pen test, red team, cloud/offensive engineering, and program management disciplines.
Build a high‑performance culture with clear career paths, mentoring, and communities of practice.

Stakeholder Communication
Brief executives, Audit Committees, and regulators using clear risk language and defensible evidence.
Partner with Product & Engineering, IT, and Business Units to prioritize remediation and track measurable risk reduction.

Financial & Vendor Management
Own budgets, strategic vendor relationships, and SOW negotiations; optimize insource/outsource mix.
Establish scalable catalog services, rate cards, and standard scoping templates to improve predictability and throughput.

Governance, Risk & Compliance (GRC)
Govern end‑to‑end regulatory assessment obligations (e.g., SOX, GLBA, GDPR/CCPA, NYDFS, ISO/IEC 27001, MAS TRM), ensuring scope alignment, evidence lifecycle management, and audit readiness.
Maintain policy, standards, and playbooks for penetration testing and red team operations mapped to NIST SP 800‑115, PTES, OWASP ASVS/MASVS, MITRE ATT&CK/D3FEND.

Qualifications
15+ years of progressive experience in Information Security or related fields, including a specialization in offensive security (penetration testing, ethical hacking, red team/adversary emulation).
7+ years leading large, multi‑regional teams (direct leadership of managers and senior ICs).
5+ years owning audit‑facing or regulator‑facing security programs, including evidence management and exam coordination.
Evidence lifecycle governance (from scoping approvals to final reports and remediation validation) with strong documentation and version control.
RASCI models, QA/QC gates, and repeatable playbooks to ensure consistent, audit‑ready outcomes.

Preferred
Experience in highly regulated industries (e.g., financial services, healthcare, critical infrastructure, technology/SaaS).
Experience with cloud, containers/Kubernetes, network segmentation, microservices, and modern SDLC/DevSecOps patterns.
Familiarity with identity and access attacks (SSO/OAuth/OIDC), data security, SaaS attack surfaces, and supply‑chain testing.
Hands‑on understanding of offensive tooling and frameworks, with rigorous safety and legal controls.

Benefits
BNY offers highly competitive compensation, benefits, and wellbeing programs rooted in a strong culture of excellence. Generous paid leave, including paid volunteer time; comprehensive health and wellness programs; competitive total compensation; company‑sponsored benefit programs.

BNY is an Equal Employment Opportunity/Affirmative Action Employer – Underrepresented racial and ethnic groups/Females/Individuals with Disabilities/Protected Veterans.