Sr Associate, Cloud Risk Management
Dallas, United States of America
The Senior Associate, Cloud Risk Management is responsible for the strategic development, implementation, and effective execution of the Operational Risk (OR) program, the key program elements of which cover: internal loss, external loss, risk assessment, business impact assessments, KRIs, scenario analysis / stress testing, training, awareness, and communication, issues and remediation planning, tracking, MIS and reporting, testing, compliance, and monitoring.
Monitors activities to minimize the company's exposure to technology and information risk associated with the adoption and deployment of cloud technologies. Activities may include technical risk analysis, risk identification and remediation. Represents or supports the reputation of the company to minimize compliance and regulatory risk by resolving issues and ensuring adherence to regulatory requirements, industry good practice frameworks and company and legal standards. Responsible for ensuring that all of the company's activities adhere to the necessary rules and regulations, and that the company complies with legal/regulatory statutes and jurisdictions.
The Senior Associate, Cloud Risk Management within the Technology and Information Risk Management organization reports to the Director - Emerging Technology Risk and is responsible for ongoing oversight, assessment, management and reporting of technology and cybersecurity risks associated with the adoption and implementation of Cloud, across all operating entities. This role is established in the second line of defense and requires collaboration across IT, CISO, Data Office, Operational Risk, Internal Audit and other relevant functional stakeholders within the organization in the management of Emerging Technology risks. An excellent understanding of the evolving regulatory landscape in the US and EU are vital for success in this role.
The day-to-day focus may vary depending on the requirements of the overall second line of defense program priorities directed by the Head of Technology Risk and may include: planned or ad-hoc technical risk reviews, technical review of cloud security architectures, review and challenge activities of IT or Business initiatives, Risk reporting, development as well as review and challenge of technical risk framework and methodologies.
Essential Functions/Responsibility Statements:
- Establish themselves as the second line of defense subject matter expert on Cloud technology and security risk management
- Identify and assess technology and cybersecurity risks associated with the adoption and deployment of Cloud, on risk management issues to ensure awareness and accountability for emerging technology risks
- Participate in the independent and ongoing risk oversight of key technology components of the firm's digital transformation initiatives.
- Participate in evaluation of new products / Business changes / projects and assess related emerging technology risks and impact to the technology risk profile
- Participate in the evaluation and management of risks related to third-party suppliers involved in technology projects related to the deployment of emerging technology or where emerging technologies introduced by third parties are a key component of the business activities
- Perform review and challenge of first line of defense risk management processes, data and outcomes (e.g. risk assessments, control evaluations, risk metrics, mitigation plans, risk acceptances etc.) and communicate risk opinions at various levels of management
- Analyze risk data from various sources (e.g. external events, control deficiencies, risk register etc.) to identify and measure levels of risk, concentration, trends and patterns
- Support process for constructive engagement across the Lines of Defense regarding differences or conflicts in risk appetite, risk metric determination or evaluation, issue severity or other areas of dispute
- Advises on remediation of regulatory findings, correction of any inconsistencies and monitors resolution
- Prepare information to enable governance committees / working groups in the management oversight of Cloud risks
- Initiate timely escalations to the Technology Risk leadership team
- Work across the lines of defense to recommend strategies that effectively treat risks within the risk appetite
Qualifications: To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Education:
- Bachelor's Degree in a technical discipline or equivalent work experience: Computer Science, Information Technology, Information Systems, Information Security. Req
- Master's Degree in related technical disciplines. Pref
- Professional Certifications in Cloud Security. Req.
- Professional Certifications in one or more Emerging technology areas. Pref
Work Experience:
- Practitioner experience in Cloud Security Risks with expertise in securing cloud environments (AWS pref) and understanding cloud service models (IaaS, PaaS, SaaS)
- In-depth knowledge of cloud computing platforms such as AWS (Pref) / IBM / GCP / Azure
- Cloud Networking standards and best practices
- Overall professional experience of 5+ years or more in Cloud architect or risk management roles in a matrix organization
- Experience within a highly regulated environment such as the financial services industry
- Experience performing Cloud assurance activities
Technical Skills:
- Cloud Security Architecture
- Hybrid network interconnectivity with on-premises data centers and cloud resources
- Experience with containerization technologies such as Docker and Kubernetes, including securing Kubernetes clusters and containerized workloads
- Identity and Access Management design, including hybrid IAM
- Cloud security standards and best practices, including secure access, PAM, hybrid credential management, SSO, federated IAM, etc.
- Secure Application Development / DevSecOps / Containerization
- Familiarity with microservices security principles and best practices
- Encryption / Tokenization
- Identity and Access Management
- Software-as-a-Service Platforms
Competencies and Abilities:
- Demonstrated expertise and track record in Cloud risk management, and ability to perform at an advanced level of competence.
- Strong risk, process, and control validation and/or assessment skills.
- Advanced knowledge of technical risk management best practices and how to implement them.
- A keen sense of attention to details with a passion for impeccable documentation while having the ability to multi-task and adapt/adjust to multiple demands and competing priorities
- A team player who can coordinate and drive consensus among different teams and stakeholders having varying view points
- Ability to convey a sense of urgency and drive issues/projects to closure.
- Excellent written and oral communication skills.
- Excellent analytical, organizational and project management skills.
Diversity & EEO Statements: At Santander, we value and respect differences in our workforce and strive to increase the diversity of our teams. We actively encourage everyone to apply.Santander is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, genetics, disability, age, veteran status or any other characteristic protected by law.Working Conditions: Frequent Minimal physical effort such as sitting, standing and walking. Occasional moving and lifting equipment and furniture is required to support onsite and offsite meeting setup and teardown. Physically capable of lifting up to fifty pounds, able to bend, kneel, climb ladders.Employer Rights: This job description does not list all of the job duties of the job. You may be asked by your supervisors or managers to perform other duties. You may be evaluated in part based upon your performance of the tasks listed in this job description. The employer has the right to revise this job description at any time. This job description is not a contract for employment and either you or the employer may terminate at any time for any reason.
Primary Location: Dallas, TX, Dallas
Other Locations: Texas-Dallas,New York-New York,New Jersey-Florham Park,Massachusetts-Boston,Florida-Miami