Principal Information Security Governance & Risk Management

Pensacola, FL, United States

Navy Federal Credit Union

Navy Federal Credit Union is an armed forces bank serving the Navy, Army, Marine Corps, Air Force, Space Force, Coast Guard, veterans, DoD & their families. Join now!


The Principal, Information Security Governance & Risk Management supports Navy Federal Credit Union's (NFCU) Information Security Division in effectively managing the Enterprise's Information Security risks and overall program. This position will oversee Information Security Risk and Governance Risk Reporting. This role will also be responsible for the Enterprise's Information Security risk reporting to senior leadership, front office, and board level audiences. The governance reporting will include responsibility for strategy, management and execution of information security reporting that adheres to NF policies, instructions and standards as required by the National Credit Union Administration (NCUA) 12 CFR Part 748, Appendix A requirement. This position will be responsible for the strategy, management and the overall execution of first line of defense information security risk management and governance activities at the enterprise. This role will collaborate with NFCU business unit Sr. leaders across the enterprise to identify, mitigate and manage information security risks. Uses extensive industry and real world experience to lead information security governance and risk management activities, developing pragmatic solutions to address gaps in line with established risk appetites. Ensure information security governance and risk management activities align with strategic business initiatives, achieve business and quality objectives, mitigate risk and enhance operating procedures. Develop dashboards, metrics and reporting data to provide consultative guidance during monthly and quarterly governance committees. Promote operational efficiency and service excellence through appropriate risk controls, process improvements and training while reducing and mitigating financial losses.

Information Security Risk

  • Lead the Information Security Standards Management and Assurance program across the enterprise to ensure right sized compliance and alignment to industry best practices
  • Develop and lead a comprehensive Information Security Program Maturity Assessment and Risk Assessment initiatives in line with the enterprise goals and regulatory expectations
  • Oversee the PCI Security Standards program ensuring compliance and/or assurance with the data security standards
  • Lead the Information Security Governance Function's Change Management practices, ensuring the delivery of a consistent framework, supporting other pillars including, but not limited to, RCSA, Issues and Events, Controls Testing, GRC and Third Party Risk Management
  • Develop a best in class emerging industry risks program to comprehensively and proactively identify trends, regulatory changes, reputational challenges and misinformation that could affect NFCU or its members
  • Ensure the effective identification, mitigation and management of information security risks arising from business activities. In addition, provide guidance and advice to senior management on the status of their control environment related to standards compliance, risk identification and control issues. Identify critical areas to monitor and escalate issues and findings to appropriate stakeholders and governance committees
  • As applicable, articulate implications of risks and issues related to data management and protection to sponsors and risk owners and, if necessary, assist with security exceptions or issue management
  • Translate control deficiencies into action plans and provide recommendations to enhance governance practices in alignment with risk and compliance frameworks.
  • Participate in Security-related special projects, councils, working groups, etc. as a Risk SME

Governance Risk Reporting

  • Create related content and agendas for risk forums with senior leadership and key risk stakeholders, facilitating risk conversation, identify outcomes and actions, and ensure follow-up for those actions with risk decision makers and performers
  • Create and maintain strategies to ensure full compliance with Part 748 Appendix A reporting obligations, including maintaining procedures to review and retain risk forum and board minutes for future regulator and internal audit inspection
  • Maintain awareness across all Information Security functional areas to inform risk writing and strategic compilation of reports and presentations on a variety of cyber security technical and risk projects
  • Draft and manage the completion of the Information Security Annual Report in collaboration with domain subject matter experts and communications resources
  • Identify special information security topics relevant to current cybersecurity threats to present to senior leadership and the board of directors, leveraging individual research, internal and external papers, and subject matter experts, and in collaboration with information security leadership
  • Maintain the procedures for board minutes review and perform board minutes review that assure key presentation topics were discussed and captured accurately for later regulatory and internal audit inspection
  • Review and analyze key performance and key risk indicator data as an output of the Information Security Metrics and Analytics team to identify performance and risk trends important to include in various senior leadership and board reporting including reports and dashboards for Board, Executives, CISO, and other ad-hoc requests
  • Perform other duties as assigned

Qualifications

  • A minimum of 6-8 years of experience leading risk and/or compliance related activities in financial services or other relevant industry, especially Operational Risk Programs
  • Deep knowledge of federal banking safety and soundness regulations and extensive familiarity of CAMELS, FFIEC and examination approaches from NCUA, OCC, FHFA and the CFPB
  • Extensive knowledge of industry leading risk management frameworks such as COSO, COBIT, NIST CSF, ITIL
  • Advanced knowledge of the PCI standards framework
  • Working knowledge of at least one data protection and/or privacy framework (e.g. DMM, DMBOK, NIST Privacy Framework)
  • Extensive experience in the development of risk management frameworks along with the requisite implementation
  • Advanced knowledge of information technology systems, project processes, and application development
  • Highly independent, organized and able to work autonomously in a fast-paced and time sensitive setting to produce accurate and compelling reports
  • Deep knowledge of federal banking safety and soundness regulations and extensive familiarity with CAMELS, FFIEC and examination approaches from NCUA, OCC, FHFA and the CFPB (or ability to quickly familiarize with these regulatory bodies as they relate to Navy Federal)
  • Advanced organizational, planning and time management skills
  • Advanced research, analytical, and problem solving skills
  • Advanced skill developing and implementing programs in a leadership role
  • Advanced skill building effective relationships with all levels of staff, management, stakeholders, and vendors, through rapport, trust, diplomacy and tact
  • Advanced verbal, written, interpersonal, and presentation skills to communicate technical and non-technical information clearly and concisely to all levels of management, and a strong EQ
  • Effective skill to influence, negotiate and persuade to reach agreeable exchange and positive outcomes
  • Advanced skill exercising initiative and using good judgment to make sound decisions
  • Strong presentation writing and creation skills (advanced Microsoft PowerPoint)
  • Bachelor's degree in Information Systems, Computer Science, Engineering, Business, Mathematics, Economics, or related field, or the equivalent combination of education, training and experience

Desired Qualifications

  • Knowledge of Navy Federal Credit Union instructions, standards, and procedures
  • Working knowledge of the MITRE attack framework
  • Professional certifications including, but not limited to, any of the following: FRM, PRM, CISA, CISM, CISSP, CGEIT, CRISC, CFE, CPA, CIA, CIPP, ISA, AWS, etc.
  • Professional or planned date for certification in Operational Risk, and/or specialized in Technology or Information Security
  • Graduate education in Business, Cyber/Information Security Risk, Information Systems, Computer Science, Engineering, Quantitative discipline or related field

Hours: Monday - Friday, 8:00AM - 4:30PM

Location: 820 Follin Lane, Vienna, VA 22180 | 5510 Heritage Oaks Drive Pensacola, FL 32526 | 141 Security Drive Winchester, VA 22602

You have goals, dreams, hobbies, and things you’re passionate about—what’s important to you is important to us. We’re looking for people who not only want to do meaningful, challenging work, keep their skills sharp and move ahead, but who also take time for the things that matter to them—friends, family, and passions. And we're looking for team members who are passionate about our mission—making a difference in military members' and their families' lives. Together, we can make it happen. Don’t take our word for it:

  • Best Companies for Latinos to Work for 2024
  • Computerworld® Best Places to Work in IT
  • Forbes® 2024 America’s Best Large Employers
  • Forbes® 2023 The Best Employers for New Grads
  • Fortune Best Workplaces for Millennials™ 2023
  • Fortune Best Workplaces for Women™ 2023
  • Fortune 100 Best Companies to Work For® 2023
  • Military Times 2023 Best for Vets Employers
  • Newsweek Most Loved Workplaces
  • Ripplematch Campus Forward Award - Excellence in Early Career Hiring
  • Yello and WayUp Top 100 Internship Programs

Equal Employment Opportunity: Navy Federal values, celebrates, and enacts diversity in the workplace. Navy Federal takes affirmative action to employ and advance in employment qualified individuals with disabilities, disabled veterans, Armed Forces service medal veterans, recently separated veterans, and other protected veterans. EOE/AA/M/F/Veteran/Disability

Hybrid Workplace: Navy Federal Credit Union is a hybrid workplace, and details will be discussed during your interview process.

Disclaimers: Navy Federal reserves the right to fill this role at a higher/lower grade level based on business need. An assessment may be required to compete for this position. Job postings are subject to close early or extend out longer than the anticipated closing date at the hiring team’s discretion based on qualified applicant volume. Navy Federal Credit Union assesses market data to establish salary ranges that enable us to remain competitive. You are paid within the salary range, based on your experience, location and market position.

Bank Secrecy Act: Remains cognizant of and adheres to Navy Federal policies and procedures, and regulations pertaining to the Bank Secrecy Act.

Tags: Analytics AWS Banking CIA CIPP CISA CISM CISO CISSP COBIT Compliance Computer Science CRISC FFIEC Governance ITIL Mathematics NIST Privacy Risk assessment Risk management Strategy

Perks/benefits: Career development Competitive pay Flex vacation Team events

Region: North America
Country: United States
Category: Compliance Jobs
