Head Of Cyber Governance, Risk & Compliance

Company:

Jobleads-Us


Job details

Overview:
We are seeking an experienced and strategic leader to join our organization as the Head of Cyber Governance, Risk & Compliance. In this critical role, you will be responsible for overseeing and enhancing our third-party cyber risk management program and ensuring the security of our business information assets. You will lead efforts to assess, mitigate, and monitor risks associated with third-party vendors and manage information security across MassMutual critical business units / entities.

Key Responsibilities:

Leadership and Strategy:
- Develop and execute a comprehensive third-party risk management strategy aligned with organizational objectives, regulatory requirements, and industry best practices.
- Define and implement business information security strategies, policies, and standards to protect company assets and data.

Third-Party Risk Management:
- Lead the assessment and ongoing monitoring of third-party vendors and partners to identify potential risks and vulnerabilities.
- Establish risk assessment frameworks, methodologies, and scoring models to evaluate the security posture of third parties.

Vendor Due Diligence and Contract Management:
- Implement robust due diligence processes for assessing the security capabilities of prospective vendors and partners.
- Collaborate with legal and procurement teams to incorporate security requirements into vendor contracts and agreements.

Risk Mitigation and Remediation:
- Develop and oversee the implementation of risk mitigation strategies and controls to address identified vulnerabilities and risks.
- Monitor and track remediation efforts to ensure timely resolution of security issues impacting third-party relationships.
- Develop business-relevant metrics to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.

Information Security Governance:
- Establish and enforce information security policies, standards, and guidelines across the organization.
- Ensure compliance with regulatory requirements (e.g., GDPR, CCPA) and industry standards (e.g., ISO 27001, NIST) related to information security and privacy.

Incident Response and Business Continuity:
- Develop and maintain incident response plans and procedures for responding to security incidents involving third parties.
- Coordinate with internal stakeholders to ensure business continuity and minimize disruption in the event of a security breach or incident.

Cross-Functional Collaboration:
- Collaborate with internal stakeholders including IT, legal, compliance, procurement, and senior leadership to integrate third-party risk management and information security into business processes.
- Communicate security risks and recommendations to senior management and board of directors, advocating for necessary investments and resources.

Required Skills and Qualifications:
- Bachelor's degree in computer science, Information Technology, Business Administration, or related field; advanced degree preferred.
- Proven experience (10+ years) in third-party risk management, information security, or related cybersecurity roles, with at least 5 years in a leadership capacity.
- Deep understanding of third-party risk management frameworks (e.g., NIST SP 800-161, ISO 27001), regulatory requirements, and industry standards.
- Strong knowledge of information security principles, practices, and technologies, including data protection, encryption, access control, and identity management.
- Excellent leadership and people management skills, with the ability to lead and mentor a diverse team of professionals.
- Experience working with business process reengineering and IT solutioning; experience working on project teams bringing together both business & technology. Capable of explaining technical concepts to a non-technical audience.
- Effective communication skills, with the ability to articulate complex security concepts to non-technical stakeholders and influence decision-making at all levels.

Preferred Qualifications:
- Industry certifications such as CISSP, CISM, CRISC, or related certifications in risk management and cybersecurity.
- Experience in financial services, healthcare, or other regulated industries with stringent security and privacy requirements.
- Familiarity with emerging technologies and trends in cybersecurity, such as cloud security, IoT security, and DevSecOps practices.


Source: Appcast_Ppc


Built at: 2024-09-20T19:13:51.157Z