
Mass Fintech Careers

Discover the opportunities across the Mass Fintech Community

Technology Risk, Vice President

 State Street


IT
Quincy, MA, USA
Posted on Monday, June 3, 2024

VP – Application Security Risk Manager


Job Description

Who we are looking for

We are looking for a highly skilled and experienced Cybersecurity Risk Manager to perform Second Line Risk Oversight over State Street’s Application Security Program. You will be collaborating with peers in Global Cyber Security to ensure risks are being reduced through Static Code & Dynamic Application Security scans together with Open Source Scanning and Vulnerability Management.

The Application Security Risk Manager will be part of a high-performing Second Line of Defense team focused on reducing cyber security risk and maturing State Street’s application security capabilities and reporting. This position will report directly to the Cyber Technology Risk Managing Director under the Chief Technology Risk Officer (CTRO).

What you will be responsible for

  • Perform cyber security risk management for State Street’s application security capabilities.
  • Review and analyze reports provided by application security tools and ensure application owners are complying with Application Security Standards.
  • Build and nurture positive working relationships with the intention to exceed stakeholder expectations.

Basic Qualifications:

  • 5+ years of application security testing experience
  • Foundational understanding of risk management tools (Material Risk Identification, Risk and Control Self Assessments, and Key Risk Indicator Methodology)
  • Bachelor's Degree in computer science, information technology, information systems, or equivalent
  • Relevant certifications, such as CISSP, CRISC, GPEN, or OSCP, highly preferred.

Preferred Qualifications:

  • 8+ years of application security testing experience (Veracode, Qualys WAS, BlackDuck)
  • 5+ years of experience with threat modeling concepts and Cyber Security frameworks (CVSS, MITRE ATT&CK, DREAD, or STRIDE)
  • Knowledge and working experience of NIST Cybersecurity Framework (CSF) and NIST 800-53
  • Good understanding of state-of-the-art IT & Cyber Security products, services and technologies, as well as their respective impact on the organization’s risk profile at scale.
  • Ability to translate technical issues into risk terms that the business can understand is absolutely necessary.
  • Experience managing a global team of risk professionals.
  • Good understanding and knowledge of IT infrastructure, systems, processes and emerging technologies such as cloud, converged infrastructure, etc.
  • At least two relevant certifications, such as CISSP, CRISC, GPEN, or OSCP, highly preferred.

Salary Range:

$110.000 - $185.000 Annual

The range quoted above applies to the role in the primary location specified. If the candidate would ultimately work outside of the primary location above, the applicable range could differ.