Organization: Risk Division, Operational Risk 

Team / Role: Information and Cybersecurity

Level/Location: Vice President, Dallas - Salt Lake City

The Operational Risk Department at Goldman Sachs is an independent risk management function responsible for developing and implementing a standardized framework to identify, measure, and monitor operational risk across the firm. 

This Information and Cybersecurity role is for a professional with technology subject matter expertise dedicated to strengthening the components of the firm’s operational risk management framework relating to information and cybersecurity risks.  This role will be responsible to continuously identify, monitor, measure and assess operational risk for the Engineering division and Engineering elements of other divisions.    

Responsibilities:

• Identify, monitor, and analyze operational risks arising from the execution of technology operations including but not limited to cybersecurity, cloud security, patch management, data protection/privacy, identity access management, etc. and develop evidence-based challenges focused on improving such operations
• Monitor the control inventory for sufficiency and completeness and challenge the absence of controls and implementation of controls within engineering standards
• Propose qualitative and quantitative operational risk appetite/tolerance and monitor risk taking trends through bespoke metrics at firmwide and divisional/sub-divisional levels, escalating concerns to senior management when warranted
• Conduct scenario analysis by working with stakeholders to develop plausible tail risk scenarios used in quantifying specific businesses exposure to potential risk
• Facilitate operational risk event and data collection; perform detailed reviews of trends to identify significant risks and ensure monitoring and remediation 
• Review New Activities and ensure operational risks arising from acquisitions, new products and/or business, and migrations, etc. are properly considered
• Contribute to divisional and functional risk profile assessments by highlighting risk issues and trends to senior divisional managers and senior Operational Risk management team 
• Conduct quarterly triggered assessments for the division to ensure the divisions risk and control self -assessment outcome are consistent, credible, and underpinned by appropriate evidence
• Remain current on business drivers, regulatory and industry changes impacting the firms information and cybersecurity activities and obligations
• Contribute to the advancement of operational risk methods and practices and the operational risk management framework 
• Identify and drive initiatives that improve the risk management activities at the firm
• This role requires an energetic self-starter that can liaise with Engineering teams both regionally and globally.  Experience and knowledge in a regulated enterprise network, preferably financial institution’s technology infrastructure/applications and control requirements are required together with strong interpersonal and analytical skills for this role.

Qualifications

• Strong business acumen with general awareness of technology related processes, risks and business flows
• 8+ years of relevant experience, which could include working in operational risk; in a financial institution’s technology division; a technology company that builds or maintains enterprise systems, like cloud services; offensive or defensive cybersecurity; or IT or Information Security/Cybersecurity auditors.
• Strong verbal and written communication skills with the ability to present with impact and influence
• Experience with frameworks like NIST (Cybersecurity Framework, 800-53), COBIT, Cloud Security Alliance Cloud Controls Matrix ,and/or ISO 27001
• Ability to work in a fast-paced environment with a strong delivery focus
• Strong organizational skills (project management experience a plus)
• Ability to work in a team environment and knowledge share with other colleagues within team
• Proficiency in World, Excel, PowerPoint, SharePoint/OneDrive – SQL, graph databases and Tableau (would be a plus)
• Familiarity with enterprise risk management best-practices and controls
• Possess a Bachelor's Degree in Computer Science, Cybersecurity, Business and Technology Management, Finance, Data Science, or related disciplines
• Technology skills including substantive subject matter expertise in several areas, including:
• Deep understanding of Linux and Windows operating systems
• Internet infrastructure design and installation and support of network devices and firewalls
• Cloud computing concepts, technologies, risks and mitigating controls
• Systems and security administration and configuration of servers and desktops (UNIX, Windows, directory services etc.)
• Security risks related to web, mobile, web services, and client/server architectures
• Encryption schemes (symmetric, asymmetric, and hashing) and how they may be applied in an application architecture
• Vulnerability assessment and penetration testing methodologies and processes for web, thick client and mobile applications
• Experience with Splunk and/or other SIEM platforms would be useful but not required
• Threat modelling, intelligence and incident response
• Management, monitoring and operations of technology (backups, change management, system monitoring, incident/problem Management)
• Business continuity planning and disaster recovery design and implementation
• Security within the software development lifecycle