State Street

Head of Cyber & Information Security Oversight (SVP)

State Street, Boston, Massachusetts, US, 02298



Why this role is important to us

Enterprise Technology Risk Management (ETRM) is responsible for thought leadership, oversight, monitoring, and advisement around the discovery and remediation of Cyber and Technology Risks across the enterprise. ETRM plays an important role in the overall success of the organization, and our mission is to establish a world‑class Technology Risk Management program that aligns business and technology risk to enable effective decision‑making. The organization is going through a significant transformation, and you will lead key cyber risk assessments on material projects and ensure the identified risks are being prudently managed. This position will also include providing thought leadership and support to both your peers in ETRM and your stakeholders in the business and corporate areas. You will need to periodically participate in meetings with our key regulators and provide support and advice to your stakeholders during regulatory exams and regulatory finding validations.

Who We Are Looking For

We are looking for a proven Cyber and Information Security Risk Leader with more than 15 years of experience in the financial services and/or technology industry. The qualified candidate will have a combination of:

Deep Technical Experience:

Hands‑on cybersecurity leadership in roles such as CISO or CTRO at comparable organizations with a global footprint, or at Deputy CISO level in a G‑SIB. The candidate will be well‑versed in identifying, assessing, managing and monitoring cyber risks across domains such as Identity and Access, Information Protection, Threat and Vulnerability Management, Cyber Incident Response, Application Security, Secure Configuration, Security Architecture and third‑party cyber risk.

Strong Business Background:

Proven capability for translating technical understanding into business risk to advise and challenge senior‑level IT executives such as the group‑level State Street CIO, CISO and CTO. The individual will also serve as an advisor to the Head of ORM, Group CRO, regional CROs and the State Street Board of Directors to manage Cyber Risk adequately.

Strong Executive Presence:

Effectively communicate with senior executives at the EVP and C‑level, the Board and with regulators globally to foster confidence in the Bank’s risk‑management capabilities and to drive enhancements where needed. Candidates must demonstrate strong initiative, be able to perform well under pressure and manage multiple and diverse assignments.

The successful candidate will report to the Global Head of Technology and Cyber Risk, who reports to the Chief Operational and Technology Risk Officer within the Operational Risk Management second‑line function. They will lead, guide and mentor a team of seasoned ETRM cyber risk professionals providing Second Line of Defense (SLOD) oversight, review and challenge of the Global Cybersecurity and Global Technology Services first‑line organizations. The ETRM function is currently being enhanced, and the role is expected to bring significant expertise and experience to shaping the cybersecurity governance function, aligned with industry peers and leading practices.

What You Will Be Responsible For

Establish and Operate the global Cybersecurity Risk Oversight function in ETRM.

Be a risk advisor and challenge function to the State Street Global CISO function and program.

Establish State Street’s Cyber Risk Appetite, with corresponding policies, metrics and thresholds; report breaches, escalate exceptions, challenge risk acceptances and provide guidance on improving the risk position to support the business.

Be an acknowledged thought leader in the industry, with a strong understanding of attributes of an effective Cybersecurity program at peer organizations.

Analytics and Reporting

Establish an analytics capability to provide cyber risk insights, leveraging AI for greater effectiveness.

Develop risk reports customized to the business needs of legal entities and regions to drive risk reduction in a cost‑effective way.

Cyber Risk Governance

Lead or co‑chair senior governance forums, such as the Cybersecurity Risk Committee and the Vulnerability Governance Forum, that manage cybersecurity risk to State Street.

Communicate and drive effective implementation of ETRM risk‑management policies, framework, tools, guidelines and standards across the business, ensuring cyber risks are identified and managed effectively.

Ensure cyber risks and non‑compliance with internal and external standards are proactively identified, prudently managed and effectively challenged.

Identify, assess, control and monitor risks and support FLOD in planning and executing controls and additional compensating controls.

Review and challenge the first‑line cyber controls assurance program and the constituent cyber processes.

Provide challenge to EVPs leading the Cyber Enterprise Processes and foster deeper and integrated FLOD/SLOD relationships and embedded, proactive risk management.

Advise FLOD in prioritization of risks, risk initiatives, risk mitigation alternatives.

Regulatory

Lead second‑line regulatory interaction for Cyber Risk with regulators, including the FCA/PRA, HKMA, MAS, APRA and ECB, including resolution of issues and concerns.

Be a thought leader for managing emerging Cybersecurity risks to provide credible risk‑management guidance to the regulators.

Consistent, Global Risk Management

Collaborate with and support regional and Business Unit Risk Management peers in matters related to cyber and information security risks.

Develop and deliver the ETRM Cybersecurity annual Book of Work (risk assessments, continuous monitoring, issues management and reporting) through the established risk leads within the team while leveraging the ETRM India GCC.

Coordinate across multiple risk types in Operational Risk Management, such as the Data Risk, Fraud and Third‑Party Risk programs. Use the available enterprise and operational risk management tools (NBPRA, MRI, RCSA, KRIs, incident data, loss event data) to proactively monitor the control environment and to identify and address potential weaknesses and gaps in a timely manner.

Keep abreast of new products, services, technologies and applications and their respective impact on the organization’s risk profile.

What We Value

Strong ability to collaborate effectively.

Superior communication, interpersonal, negotiation, presentation and intergroup skills are critical for success with C‑level stakeholders.

Ability to translate technical issues into risk terms that business can understand.

Experience with regulatory exams and responses is strongly desired.

Being an effective mentor and coach.

Ability to be a strong voice for review and challenge while maintaining positive relationships with business stakeholders.

Leadership within their team and among peers.

Education & Preferred Qualifications

Minimum 15 years of experience in the financial and/or technology industries, with at least 5 years in executive roles as a CISO, Deputy CISO or equivalent in a G‑SIB.

Advanced degree or undergraduate degree in technology/cyber discipline or equivalent.

Experience in first‑line cybersecurity operations.

CISSP or equivalent is required.

Working knowledge of industry and regulatory risk and control standards and frameworks such as FFIEC, DORA, NIST CSF, NIST SP 800‑53, COBIT, CSA CCM and MITRE ATT&CK.

Salary Range:

$225,000 – $337,500 Annual

Employees are eligible to participate in State Street’s comprehensive benefits program, which includes: retirement savings plan (401K) with company match; insurance coverage including basic life, medical, dental, vision, long‑term disability, and other optional additional coverages; paid‑time off including vacation, sick leave, short‑term disability and family care responsibilities; access to our Employee Assistance Program; incentive compensation including eligibility for annual performance‑based awards (excluding certain sales roles subject to sales incentive plans); and eligibility for certain tax‑advantaged savings plans. For a full overview, visit https://hrportal.ehr.com/statestreet/Home.

As an Equal Opportunity Employer, we consider all qualified applicants for all positions without regard to race, creed, color, religion, national origin, ancestry, ethnicity, age, disability, genetic information, sex, sexual orientation, gender identity or expression, citizenship, marital status, domestic partnership or civil union status, familial status, military and veteran status, and other characteristics protected by applicable law.

It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

Job ID: R-780933
