Deputy Chief Information Security Officer
New York City, NY, USA | Financial Industry Regulatory Authority (FINRA)
IT / Information Technology
Job Description:
FINRA operates regulatory and market systems – such as the Consolidated Audit Trail (CAT), Trade Reporting and Compliance Engine (TRACE), and Central Registration Depository (CRD) – that contain sensitive information that must be accurately stored and processed in a secure manner. If confidentiality, integrity, or availability of these systems is impacted by a cyber-attack or other disruptive event, continued stable and fair operation of the US equities markets could be put at risk. Given the important role FINRA performs in the fair and stable operation of US equities markets, FINRA takes cyber threats very seriously and strives to counter all meaningful risks through sound and effective Cyber and Information Security policies, technical and non-technical controls, risk management functions, governance processes, and awareness training.
The primary role of the Deputy CISO is to support and augment the CISO in all aspects of FINRA’s Cyber and Information Security program and provide security strategy thought leadership. Additionally, the Deputy CISO will directly oversee governance, risk, and compliance functions as well as Application Security (AppSec).
Essential Job Functions:
Develop, support, and advance strategies, policies, programs, and projects designed to continually improve and enhance FINRA’s cyber and information security posture and resiliency.
Oversee FINRA’s compliance with applicable laws, rules and regulations related to cyber and information security – including SEC Regulation SCI, FISMA (where required by contract), NIST 800-53 and companion NIST special publications.
Direct and oversee software security (AppSec) functions including: developer security training, software security engineering, threat modeling, policies/standards/guidelines, penetration testing, system security plans, and other related activities.
Work with the Insider Risk Program Director and establish policies/standards/guidelines to ensure FINRA systems record user activities and access to sensitive data in support of the Insider Risk program.
Develop and implement software security compliance program that takes a risk-based approach to ensuring appropriate compliance to policies/standards/guidelines.
Serve as gatekeeper for issues that would otherwise require the attention or involvement of the CISO. Regularly respond to inquiries and make decisions on behalf of the CISO. Ensure continuity of operations when the CISO is unavailable.
Contribute to awareness and outreach efforts both within FINRA and with our member firms, exchanges, associations (e.g., SIFMA), peer organizations (e.g., DTCC, MSRB, and SIPC) and Financial Services industry groups (e.g., FS-ISAC).
Work closely with the FINRA CISO and in support of the FINRA CAT CISO in all aspects of the CAT system security.
Assist with compliance of the CAT System, in FINRA’s capacity as CAT Plan Processor, including security obligations established by SEC Rule 613, the Plan Processor Functional Requirements (PPFR), the CAT NMS Plan, and the contract under which FINRA operates.
Attend all regular, special and emergency meetings of the CAT Security Working Group as a representative of FINRA SRO.
Regularly review operation of security controls and recommend changes designed to improve effectiveness and/or counter emerging risks.
Maintain threat, attack and risk models and perform regular analysis to ensure FINRA is adequately mitigating risks.
Make appropriate recommendations for security enhancements to the CISO – including tools, technologies, services, policies, procedures, and other areas as needed.
Lead efforts to evaluate and select vendors for security assessments, penetration testing, and other similar security services.
Direct and oversee evaluation of security tools and make acquisition recommendations to the CISO.
Manage budgets, maintain financial forecasts, develop and present business cases.
Establish objectives and milestones and manage activities to deliver high quality results within budget and schedule.
Hire and retain adequate staff, team expertise and other resources (e.g., advisors and counsel) as needed to fulfill obligations.
Other duties and obligations as assigned by the CISO.
Advanced working knowledge of cyber and information security standards, frameworks, technologies, control strategies, compliance practices.
Knowledge of and experience working with government and industry security standards and frameworks commonly used in the financial services industry, especially NIST SP800 series, FISMA, FedRAMP, ISO 2700x, and the NIST Cybersecurity Framework.
Broad and deep knowledge of secure software development, networking, firewalls, load balancers, TCP/IP, web servers, REST APIs, and the other technical underpinnings of modern IT systems.
Broad knowledge of financial service industry security practices.
Strong verbal and written communication skills.
Excellent judgment and interpersonal skills.
Experience presenting to all levels including C-level officers and Board members.
Demonstrated senior leadership experience.
12+ years of cyber and information security experience
8+ years of supervisory experience, at least 2 years at Director level or higher
Financial services industry experience is a plus
Required Education / Certifications
Bachelor’s degree in a related discipline; Master’s or higher preferred
ISC2 Certified Information System Security Professional (CISSP) certification
Additional certifications related to software security, penetration testing, or vendor risk management are highly desired
Normal office environment located in Rockville, Maryland or Reston, Virginia.
Work outside of business hours