
Director, IT & Security Risk Management

Flagstar Bank
Troy, Michigan, US
Full-time

The Director of IT & Security Risk Management is responsible for developing and implementing the first line of defense for an end-to-end IT risk management program in alignment with Flagstar’s Enterprise Risk Management program, driving the identification, assessment, and prioritization of existing and emerging IT risks across the organization.

Lead and execute on the coordination, management, and monitoring of all IT and Cybersecurity regulatory matters. Monitor and report on the IT risk posture of the firm and drive escalation of IT risks to executive management committees.

Provides strong leadership, vision, and guidance to IT risk management teams. This role will work in conjunction with IT senior management to oversee the strategy and direction of the governance, risk, and compliance activities impacting Information Technology.

This director leads a team that works with the IT organization to ensure effective risk management and escalation to IT senior leaders.

Additionally, the Director will oversee the first line of defense IT risk team, which monitors the performance of controls, maintains documentation, and supports IT in risk identification, mitigation, and reporting.

The Director will partner with IT risk teammates and IT leaders to conduct operational controls and regulatory self-testing, issue management, risk and control self-assessments, third-party, application, and cloud cybersecurity risk assessments, as well as the security awareness and phishing management program.


Responsibilities:

  • Develop and maintain a comprehensive IT risk strategy, program, and governance frameworks in alignment with Enterprise Risk Management.
  • Oversee the execution of all IT risk related activities, including RCSA, risk reporting, issues management, metrics, analytics, KRIs, security awareness, and cybersecurity risk assessments related to third parties, on-prem, and public cloud environments.
  • Prepare and deliver IT and Cybersecurity Risk reports, metrics, and KRIs to the Technology Management Committee, and finalize IT Risk materials for the CIO to present to the Technology Committee of the Board.
  • Receive, track, coordinate, manage, and report on all IT and Cybersecurity regulatory matters, audit and 2LOD findings, and IT self-identified issues.
  • Continuously monitor the state of all matters to ensure closure in a timely manner, and escalate appropriately when remediation efforts are at risk.
  • Proactively lead the IT Risk department, continuously providing vision and guidance to the IT Risk leads within the department.
  • Assist with career development and enhancement of the team. Responsible for talent management functions including employment, performance evaluations, staff development and training, disciplinary actions, succession planning, and ensuring all staff comply with compliance requirements.
  • Perform special projects and additional duties and responsibilities as required.
  • Ensure compliance with applicable federal, state, and local laws and regulations. Complete all required compliance training.
  • Maintain knowledge of and adhere to Flagstar's internal compliance policies and procedures. Take responsibility for keeping up to date with changing regulations and policies.

Job Requirements:

  • Bachelor’s Degree in Information Security, Computer Science or related field required.
  • Master's Degree preferred.
  • CISA, CISM, CRISC, CISSP certifications preferred.
  • 12+ Years of overall IT experience with a minimum of 10+ years in cybersecurity, governance, risk and compliance.
  • 8+ years of experience directly leading and developing team(s) of IT professionals with a large span of control.
  • Proven experience in RCSA, issue management, risk acceptance management, configuration baseline management, regulatory management, security awareness, phishing campaign management, third-party cyber risk assessments, application, public cloud, infrastructure, and PCI risk assessments.
  • Strong knowledge of cybersecurity frameworks and standards (e.g., NIST, ISO 27001, CIS).
  • Deep understanding of IT risk frameworks, methodologies (e.g., ISO 27005, NIST SP 800-30), and best practices.
  • Comprehensive knowledge of information security principles, practices, and technologies.
  • Familiarity with IT governance frameworks (e.g., COBIT) and their application in risk management.
  • Expertise in regulatory requirements relevant to IT and Cybersecurity (e.g., FFIEC, SOX, GLBA).
  • Understanding of cybersecurity threats, vulnerabilities, and incident response.
  • Ability to conduct thorough risk assessments and prioritize risks based on potential impact and likelihood.
  • Skill in developing and implementing risk mitigation strategies and controls.
  • Strong leadership skills to guide and motivate teams in managing IT risks effectively.
  • Ability to align IT risk management strategies with organizational goals and objectives.
  • Experience in managing change related to IT risk initiatives within the organization.
  • Skill in managing relationships with stakeholders, including senior management, IT teams, and external auditors.
  • Excellent verbal and written communication skills to convey complex IT risk concepts to non-technical stakeholders.
  • Ability to negotiate and influence stakeholders to implement necessary risk management measures.
  • Experience in fostering collaboration and teamwork across departments to achieve IT risk management goals.
  • Strong analytical skills to assess and interpret data related to IT risks.
  • Ability to identify root causes of IT risk issues and develop effective solutions.
  • Sound judgment and decision-making skills to make timely and informed risk management decisions.
  • Experience in managing IT risk management projects and initiatives from inception to completion.
  • Skill in developing comprehensive IT risk management programs aligned with organizational strategy.
  • Commitment to upholding ethical standards and maintaining confidentiality in IT risk management practices.
  • Continual learning and professional development to stay updated on emerging IT risks and industry trends.
  • Experience in assessing and managing IT risks associated with vendors and third-party relationships.
  • Skill in developing and delivering IT risk management training programs for employees at all levels.
  • Ability to recruit, develop, and retain skilled IT risk management professionals.
  • Ability to innovate and implement new approaches to mitigate emerging IT risks.
  • Travel as required.