Role Description

Role Objectives

• Facilitates the management of an enterprise Threat Modeling Assessment program to enhance maturity across the firm.
• Builds Threat Models of enterprise services to identify and refine the attack surface.
• Acts as a Cyber Resilience champion of the Threat Modeling Assessment program and serve a pivotal role in maturation efforts.
• Delivers reports that capture identified risks, controls, assets, trust zones and enhancement requirements.
• Partners with stakeholders on Threat Modeling Assessment Issues to create action plans identified during fieldwork.
• Ability to prioritize engagements using a risk-based-approach.
• Determines alignment of Cyber Resilience controls in practice with those from authoritative sources such as NIST SP 800-53 and ISO 27002 to provide holistic insight into current capabilities and risk themes as well as best practices.
• Develops a deep knowledge of SMBC critical services and dependencies on technology, people, processes and third parties.
• Understands the impact of cyber risks as it relates to both firm and industry wide impacts to technical and security dependencies and single points of failure to enhance mitigation activities.
• Educates and provides subject matter expertise to support the business on cyber hygiene activities and enhancements based on business related impacts.

Qualifications and Skills

• Required experience with Visio. Knowledge of Draw.IO, Irius Risk, or Threat Modeler a plus
• Experience in Risk Assessment and Penetration Testing
• Deep understanding of enterprise architecture and security architectural elements as they relate to risks and controls. Ability to accurately capture and enhance architectural diagrams.
• Well-versed in Cyber Resilience to include technology, incident response and cyber risk practices with the ability to connect and align with the firm’s processes and frameworks.
• 8+ years of direct work experience within the financial services industry with focus on security architecture as it relates to cyber threats.
• Working knowledge of business and cyber risk management process and controls, industry practices, and frameworks (e.g., NIST 800-53, ISO 27000 family).
• Broad knowledge of cloud technologies (AWS, Azure certification a plus)
• Detail oriented, with proven ability to question the status quo and apply resilience activities to enhance capabilities, as appropriate.
• Strong organizational skills, with proven ability to successfully manage multiple, concurrent priorities and team members as the program is built out.
• Ability to communicate and work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important at all levels.
• Strong analytical skills and attention to detail.
• Able to communicate technical issues to a non-technical executive audience.
• Foundational knowledge of banking laws and regulations. (FFIEC, BCBS, FCA, PRA, Bo E, etc.)
• Maintain a business cyber threat mindset to understand underlying risks and weaknesses to properly assist in mitigating and enhancement activities.
• Strong desire to continually deliver a quality and meaningful work product in a timely and efficient manner.
• BA/BS in Computer Engineering, Computer Science, Information Systems, Cyber Security, Business Administration, or demonstrated relevant industry background and/or military experience.
• CCSP Certified Cloud Security Professional (CCSP), Microsoft Certified: Cybersecurity Architect Expert (MS SC-100 Exam), Certified Network Defense Architect (CNDA), CREST Registered Technical Security Architect (CRTSA), Global Information Assurance Certifications Defensible Security Architect (GDSA from GIAC) certifications preferred.

Additional Requirements