How You'll Contribute
As a Consultant on the Information Security Risk team, you will report to the Principal Director of Information Security Risk and play a key role in executing the firm's technology risk management activities. In this role, you will serve as a trusted security subject‑matter expert, providing risk insight, guidance, and hands‑on support across the organization. Your responsibilities will include:
- Perform Security Risk Assessments (SRAs) across applications, infrastructure, cloud platforms, and third‑party integrations to identify threats, vulnerabilities, and business impact.
- Determine inherent and residual risk levels using established risk taxonomies, scoring methodologies, and impact criteria aligned to enterprise standards.
- Evaluate the design and effectiveness of technical, administrative, and operational security controls against identified risks.
- Partner with technology, product, infrastructure, and architecture teams to design, recommend, and refine controls that mitigate risk to acceptable levels.
- Operate and leverage continuous risk monitoring tools (e.g., vulnerability management, configuration and cloud posture monitoring) to detect changes in risk posture.
- Analyze monitoring outputs to identify emerging risks, control degradation, and remediation needs.
- Own the lifecycle of identified risks, including documentation, remediation planning, validation of corrective actions, and risk closure.
- Produce clear, actionable risk reporting, metrics, and dashboards that communicate severity, trends, and priority issues to Information Security and technology leadership.
- Execute firmwide GRC activities such as RCSAs, risk acceptances and exceptions, and policy‑driven risk assessments.
- Maintain accurate and current risk data within enterprise GRC and workflow tooling to support aggregated reporting and second‑line oversight.
- Act as a trusted security risk advisor by translating technical findings into clear business risk context and supporting risk‑informed decision‑making.
- Partner closely with 2nd Line Risk & Assurance functions by providing high‑quality risk artifacts and evidence, without performing independent assurance activities.
What You'll Need to Bring
- Minimum 7+ years of experience in information security, cybersecurity risk management, or technology risk.
- Hands‑on experience performing Security Risk Assessments and documenting risk scenarios, impacts, controls, and conclusions.
- Strong understanding of security control frameworks (NIST CSF, NIST SP 800-53) and risk methodologies.
- Demonstrated experience evaluating control effectiveness and supporting remediation planning.
- Familiarity with continuous monitoring concepts and tools (e.g., vulnerability management, CSPM, configuration monitoring).
- Ability to clearly document and communicate security risk to both technical teams and non‑technical stakeholders.
- Strong analytical, writing, and organizational skills with attention to detail.
- Experience operating in fast‑paced, matrixed environments with multiple stakeholders.
Nice-to-Haves
- Knowledge of Investment Banking or Wealth Management.
- Resourceful and proactive in resolving technical challenges.
- Experience working within a Three Lines of Defense operating model, particularly in financial services or other regulated environments.
- Hands‑on experience with Jira‑based risk workflows or enterprise GRC platforms.
- Cloud security and AI risk assessment experience.
- Relevant certifications such as CISSP, CISM, CCSP, or equivalent.