Technology and Cybersecurity Risk Director
The Technology & Cyber Risk Director is responsible for providing oversight, guidance, and independent challenge to the first line of defense regarding the management of technology and cyber risks. This position involves developing and implementing risk management frameworks, policies, and procedures, conducting risk assessments, and ensuring compliance with regulatory requirements. The director will collaborate with various stakeholders to enhance the Bank's cybersecurity posture and technology risk management practices.
Position Responsibilities
Plan
- Develop and implement comprehensive technology and cybersecurity risk management frameworks and policies.
- Ensure alignment with regulatory requirements and industry best practices.
- Develop and deliver training programs to enhance awareness of technology and cybersecurity risk across the Bank.
- Provide oversight of the creation and implementation of technology and cybersecurity compliance policies and procedures, the supporting technology and tools, and the governance processes for technology and cybersecurity.
- Provide oversight of the planning and implementation of technology and cybersecurity programs, including their governance and the identification of risks and controls.
- Oversee the implementation of technology and cybersecurity policies and standards.
- Ensure compliance with relevant regulatory requirements and internal policies.
- Coordinate with internal and external auditors for technology and cybersecurity risk audits.
- Implement guidance for overseeing technology and cyber operational risk, aligned with OCC Heightened Standards and other regulations.
Assess
- Provide effective challenge to the first line with respect to the technology and cybersecurity program, including its policies, compliance, and governance, with a scope that extends to internal employees, external customers (retail, small business, and commercial), financial and regulatory agencies, and supplier partners.
- Conduct regular risk assessments and evaluations of technology and cybersecurity risks and provide appropriate challenge.
- Analyze potential threats and vulnerabilities, and their impact on the organization.
- Provide independent challenge to risk assessments conducted by the first line of defense/business risk control office.
- Provide counsel on best practices, leveraging expertise and industry insights. Assess risk when business decisions are made, demonstrating regard for the Bank's reputation and safeguarding the Bank, its customers, and its assets by driving compliance with applicable laws, rules, and regulations and adhering to policy.
Monitor and Report
- Evaluate the design of controls and communicate the impact of control weaknesses to first line teams.
- Establish key risk indicators (KRIs) and metrics to monitor technology and cybersecurity risks.
- Prepare and present risk reports to senior management and the board of directors.
- Monitor current and emerging risks and changes to laws and regulations.
- Ensure timely escalation of critical risks and incidents.
- Oversee the incident response process and ensure effective management of technology and cyber incidents.
- Conduct post-incident reviews and recommend improvements to prevent future occurrences.
Leadership
- Lead oversight of the Technology Risk Pillar to support a heightened focus on technology risk management enterprise-wide, and to ensure appropriate engagement of the second line of defense with the first line, providing effective independent risk review, credible challenge, monitoring, and oversight of technology and cybersecurity risk.
- Provide leadership to the second line to influence, advise, and challenge operational security capability, including security incident management, vulnerability management, and technology and cybersecurity threat intelligence.
- Serve as a representative on various steering committees and working groups.
- Present and lead discussions with key regulators, and internal and external auditors.
- Stay actively engaged with the industry on the latest developments in technology and cybersecurity risk and emerging operational risks.
- Promote a risk aware culture through regular communication and education initiatives.
- Participate on the Information & Risk Committee.
- Participate on the Technology Risk Committee.
Position Qualifications
- Bachelor's degree from an accredited university in information technology or cybersecurity, or a minimum of four years working directly in the technology and/or cybersecurity field
- 10 or more years of experience in technology and/or cybersecurity risk management
- 10 or more years managing multiple technology systems and processes, including the analysis of complex system architecture, data warehouses, third-party applications, and the applicable controls
- 8 years of experience in developing and administering information security policies; working knowledge of Sarbanes-Oxley, ISO certifications, and data privacy laws and regulations required
- 5 years of experience in developing and implementing risk management frameworks and policy in the technology and/or cybersecurity area of responsibility
- 5 years of effective communication and interpersonal skills, with the ability to influence and collaborate with stakeholders at all levels
- 5 years leading a team through a fast-paced, dynamic environment with shifting priorities
- 5 years of experience in financial services or another highly regulated industry
Licenses/Certifications
- Preferred: CISSP (Certified Information Systems Security Professional)
- Preferred: CISM (Certified Information Security Manager)
- Preferred: CRISC (Certified in Risk and Information Systems Control)
Category C - Days in the office will either be designated days or will vary week to week from 2-5 days
8:00am - 5:00pm Monday - Friday
To Be Determined Based on Individual Experience
About Comerica
We know our employees are critical to our overall success and we are dedicated to investing in their future. One of the ways we do this is to offer a comprehensive Total Rewards package designed to recognize and reward individual performance, as well as support health, well-being, development and security for our colleagues and their families. Total Rewards consists of cash compensation, development and flexible benefit programs designed to meet individual needs today and in the future. Your salary will be commensurate with your work experience, and our programs are reviewed regularly to ensure each remains competitive. We are proud to offer benefits such as health and welfare programs, strong retirement benefits, and generous paid time off programs. You and your eligible family members, including domestic partners and their children, can participate in medical, dental, and vision benefits, 401(k) and pension, and income protection benefits such as life insurance, AD&D, and supplemental health programs to offset unexpected health care expenses. We also have a variety of time off programs for things like vacation, sick time, disability, and parental leave. Eligibility for some programs varies based on employment status and tenure.
Upon offer, Comerica conducts a comprehensive background and fingerprint check.
NMLS certification requirement: where applicable, a favorable background check screening, credit check, fingerprint check, and NMLS certification are required in accordance with the SAFE Act.
Comerica Incorporated (NYSE: CMA) is a financial services company headquartered in Dallas, Texas, and strategically aligned into three major business segments: the Commercial Bank, the Retail Bank, and Wealth Management. Comerica's colleagues focus on relationships and on helping people and businesses be successful. In addition to Texas, Comerica Bank locations can be found in Arizona, California, Florida and Michigan, with select businesses operating in several other states, as well as in Canada and Mexico.
Comerica is proud to be an Equal Opportunity Employer - veterans/individuals with disabilities, committed to workplace diversity.