The Cybersecurity & Technology Controls (CTC) group at JPMorgan Chase aligns the firm’s cybersecurity, access management, controls and resiliency agenda.
The group proactively and strategically partners with all lines of business and functions to enable them to design, adopt and integrate appropriate controls; we aim to balance these sound controls with efficiency, through smart process and automation. The group's number one priority is to enable the business by keeping the firm safe, stable and resilient.
Role Details:
The prime responsibilities of the Information Security Manager (ISM) role are to identify, quantify and proactively address security issues and changes in the business's risk profile.
The ISM will focus on improving the end-to-end risk posture for the assigned LOB, and ensure appropriate controls are implemented across the technology landscape to operate within risk appetite.
This includes secure-from-the-start adoption of emerging technology and application development. The ISM will be expected to drive effective risk and controls management and support the business through identification of control weaknesses and recommendations for improved security; articulation of the business impact and associated risk; and education of the business on proactive measures to remediate.
Build and cultivate a culture focused on partnership, collaboration and transparency with the business and technology teams to deliver customer value and improve security posture of the firm.
Ensure technology risk impacting the business is effectively identified, quantified, communicated and managed, including recommendations for resolution and identifying the root cause / key themes.
Embed threat modelling, solutions architecture, secure code review into product and application teams so they are secure from the start and compliant with risk policies and regulatory obligations.
Serve as a point of escalation and subject matter expert for IT Risk and Cyber domains, including vulnerability management, data protection, cloud and application security.
Partner with Third Party Oversight teams to ensure effective technology risk management of vendors engaged by technology partners, with a focus on Cloud computing / emerging technologies.
Interface with Lead ISMs, Technology Leadership and Application Development teams on an on-going basis for business as usual risk activities, reporting and project initiatives.
Preferred Experience:
Strong written and verbal communication skills with ability to effectively communicate and present security risk concepts with business and technology partners, peers and executive leadership
Strong personal leadership, collaboration, influencing, negotiation skills and experience working within fast paced, complex and high performing Digital / Agile / Scaled Agile teams
Strong analytical skills including solving and communicating complex problems, data analytics, measurement and reporting needed to drive continuous improvement.
5+ years of experience in Security and / or Risk Management and / or Corporate Technology with an aptitude in application and platform security
2+ years of experience designing and implementing cloud services (e.g., IaaS, PaaS, SaaS, etc.) offered from public cloud service providers (e.g., AWS, Microsoft Azure, Google etc.)
2+ years of experience supporting business and technology teams providing consulting and strategic advisory services on a broad range of security topics.
2+ years of experience in multiple security domains (e.g., application security, vulnerability reduction, data protection, encryption, logging and monitoring, network security)
Preferable Certification in Public Cloud Technology from one of the major Cloud Service Providers (e.g. AWS Certified Solutions Architect, Microsoft Azure Architect, Google Cloud Architect)
Preferable experience in multiple modern development practices (e.g. microservices, containers, orchestration, continuous integration & delivery pipelines, API first, service delivery & integration)
Preferable experience of Secure Software Development Life Cycle (SSDLC) (e.g. code review, risk assessments, threat modeling, static code analysis, and dynamic application scanning)
Preferable experience in enterprise Identity and Access Management solutions (e.g. Federated Identity, Privileged Access Management, Active Directory, Role Based Access Control)
Preferable experience working in regulated industries, in particular leveraging technology standards, frameworks, compliance, and industry recognized best practice / standards (e.g. NIST, ISO, PCI, SOC)
Preferable experience working in a matrix management model across globally diverse, virtual teams to deliver strategic initiatives and commitments, ideally leveraging product and Agile principles.
Understanding of the external threat landscape, threat actors, adversary tactics & techniques, and industry trends