Description The Director of Technology Risk Management provides operational and technical leadership to the team responsible for CME Group's Information Technology (IT) risk and cyber risk management. Under the supervision of the Director, the team is responsible for the identification, quantification, and reporting of technology and cyber risk, overseeing an annual Enterprise Technology Risk Assessment (ETRA), the execution of planned and ad hoc risk assessments, and reviewing results with IT senior management as appropriate. The successful candidate will have experience with industry frameworks and methodologies that support the measurement of cyber/information security program maturity (e.g. NIST Cyber Security Framework); the identification, analysis, evaluation, and treatment of technology/cyber risks (e.g. ISO/IEC 27005, NIST SP800-37r2, FAIR); and familiarity with the COSO Enterprise Risk Management Framework (COSO ERM). Additionally, the candidate should be comfortable designing governance processes and workflows to operate within an enterprise-class Governance, Risk, and Compliance (GRC) tool. The ideal candidate will have worked in one or more highly regulated industries (particularly the financial industry) in a cyber/technology governance capacity and have considerable experience with enterprise scale cybersecurity tools and programs. The candidate should have comfort evaluating risks arising from novel and emerging technologies (e.g. mobile, cloud, A.I.). The person in this role must have the ability to mentor and develop a diverse team located in different geographical regions, as well as an ability to manage consultants in staff-supporting and project-based roles. The person in this role must also successfully coordinate the team's activities with the activities of the other internal risk management teams, internal audit, and corporate compliance functions. Principal Accountabilities
Manage and oversee CME Group's Technology Risk Management team of 7 full time employees responsible for executing risk assessments and risk governance of CME Group's cyber and technology risks.
Plan for and deliver on a schedule of technology risk assessments. Provide oversight of reported risks, findings, and remediation plans to ensure consistent governance on IT/cyber risks.
Drive continuous improvement of risk management processes, procedures, and metrics. Ensure CME Group's processes align to best practices, comply with applicable standards from ISO/IEC, NIST, and others.
Ensure timely delivery of regulatorily required items, including an annual Enterprise Technology Risk Assessment (ETRA).
Develop strong rapport and collaborate with IT risk, audit, Enterprise Risk Management, and other corporate compliance teams to align risk governance across areas, enable consistent reporting, and ensure adequate coverage of risks.
Skills & Software Requirements
Excellent interpersonal, collaboration, and conflict management skills
Excellent writing and editing skills and experience developing and delivering presentations to audiences up to and including senior executives and potentially external regulators
Management, mentoring, and development of staff
Knowledge and awareness of advanced cybersecurity defense techniques, including cyber threat intelligence and cyber incident response concepts and practices
Knowledge and experience with disruptive and emerging technologies (e.g. mobile, cloud, A.I.)
Knowledge and experience working with IT Service Management practices (governance, process, roles and responsibilities, metrics, etc.)
Information Security certification such as CISA, CISSP
Understanding of various control frameworks such as NIST, ISO, COBIT, FFIEC, COSO ERM
3 to 5+ years of experience at director or manager level in one or more highly regulated industries (particularly the financial industry) in a cyber/technology governance capacity
3 to 5+ years of experience with enterprise scale cybersecurity tools and programs
10 to 15+ years of experience in technology, risk, and/or compliance roles
In-depth understanding and experience with industry frameworks and methodologies that support the measurement of cyber/information security program maturity (e.g. NIST Cyber Security Framework); the identification, analysis, evaluation, and treatment of technology/cyber risks (e.g. ISO/IEC 27005, NIST SP800-37r2, FAIR); and Enterprise Risk Management (e.g., COSO)
Demonstrable knowledge of a broad range of Information Security technologies and practices
Proven ability to build value propositions, business cases, and drive results as part of a larger project or program team
Education A bachelor's or master's degree in Computer Science, Information Systems, or other related field; or equivalent work experience. Certifications Preferred: one or more certifications, including:
CME Group: Where Futures Are Made
CME Group (www.cmegroup.com) is the world's leading derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it, all while working alongside a team of leading experts who inspire you in ways big and small. Joining our company gives you the opportunity to make a difference in global financial markets every day, whether you work on our industry-leading technology and risk management services, our benchmark products or in a corporate services area that helps us serve our customers better. With 3,500 employees located around the world, we're small enough for you and your contributions to be known. But big enough for your ideas to make an impact. The pace is dynamic, the work is unlike any other firm in the business, and the possibilities are endless. Problem solvers, difference makers, trailblazers. Those are our people. And we're looking for more.
This position requires that you be fully vaccinated against COVID-19 by the date of hire. Proof of vaccination will be required as a condition of employment. CME Group complies with federal, state and local laws with respect to providing accommodations for individuals who are unable to receive the vaccine due to a medical condition or religious belief.