Principal Analyst, Cyber Risk & Analysis (TRM Assessment Methodology)
Company: Capital One
Location: Chicago
Posted on: January 27, 2023
Job Description:
Center 2 (19050), United States of America, McLean,
VirginiaPrincipal Analyst, Cyber Risk & Analysis (TRM Assessment
Methodology)Capital One is one of the fastest growing organizations
in the world today. The growth of the business is being accelerated
by leveraging innovative and emerging technologies. We are serious
about technology, we dream big, and we execute: Capital One moved
our entire enterprise to the public cloud over the course of five
years, fully exiting our data centers. Just as we prioritize
driving innovation through technology, we equally prioritize
cybersecurity and managing technology risk. Technology Risk
Management (TRM) is a small organization that packs a big punch.
The roughly ninety professionals in TRM are trusted expert advisers
who shape decisions, challenge activities to ensure they meet our
standards, and generally oversee technology and information
security risk across the business and the central technology
organization. TRM is a second line organization, which means it is
independent and does not sit within the technology organization.
-TRM plays a critical role in ensuring that the company's
risk-taking entities are aware of the risks inherent in their
activities and decisions, the impact of their actions on the
company at an enterprise level, and opportunities to reduce,
mitigate or avoid the risks altogether. Associates within TRM are
highly-skilled information security, cybersecurity, site
reliability engineering, technology, and risk management
professionals who have a wealth of experience and a demonstrated
ability to provide value added recommendations and deliver
high-impact results in their areas of expertise. - -This position -
Principal Analyst, Compliance and Risk Intelligence, Technology
Risk Management - will play a key role in enhancing the methodology
and practices for how the organization assesses cybersecurity and
technology risk, as well as cybersecurity and technology compliance
risk. This includes leading enhancements to the risk taxonomy,
further developing and socializing the assessment methodology, and
driving process improvement efforts for several established
assessment practices. - It will be critical for this role to foster
strong working relationships with other 2nd Line groups, and be
able to influence the broader enterprise risk frameworks to reflect
technology/cyber risk considerations. -As a member of a growing
organization, you are expected to shape and further refine the risk
program, and will have the opportunity to operate with both
autonomy and empowerment from senior leadership. The successful
candidate will be a seasoned professional with knowledge of cyber
and technology risk, who can understand data and interpret it in
context, who is intellectually curious, and who has a passion for
sharing data insights.Desired Outcomes: -
- Identify, interpret and curate external data points to support
and ground risk assessments
- Review various risk products and extract key findings and
supporting risk intelligence and analyze its applicability to other
assessments
- Respond to inquiries to provide grounding data points for
specific assessments, research possible sources and their
trustworthiness, distill into succinct data points.
- Understand compliance requirements, interpret their
applicability and compare to existing mitigations. Identify
potential gaps both scope of requirement applicability and whether
the implementation meets intent.
- Create and distribute educational materials on cyber and tech
industry trends, recent events and compliance requirements and
answer questions from the team. - -Basic Qualifications:
- Bachelor's degree or military experience
- At least 2 years of experience managing, or consulting, or
auditing in the fields of information security, or technology, or
risk management
- At least 2 years of experience with cybersecurity or technology
risk assessments or cybersecurity, technology or compliance
controls assessments
- At least 1 professional security management certification (Open
FAIR, Certified Information Systems Security Professional (CISSP),
Certified Information Security Manager (CISM), Certified
Informations Systems Auditor (CISA), or Certified in Risk and
Information Systems Control (CRISC)) -Preferred Qualifications:
- Critical analytical thinker, including the ability to express a
point of view supported by data (with both technical and
non-technical audiences). Experience in data analysis, metrics
definition and/or metrics implementation is a plus.
- Raises concerns early and knows when to escalate, including the
ability to raise issues and facilitate constructive problem-solving
at all levels of the organization
- Passion and expertise in technology and cybersecurity domains,
with an ability to be confident, respectful, and articulate when
registering dissenting or unpopular opinions
- Ability to collaborate effectively with colleagues,
stakeholders, and leaders across multiple organizations to get
consensus, socialize strategy, and achieve objectives
- Ability to manage multiple parallel initiatives while
maintaining superior results
- Execution oriented and a self-motivator
- Personal resilience - the ability to to stay optimistic and
keep people focused during crises or times of change
- Experience developing and implementing industry risk
frameworks, quantitative analysis, tools, and methodologies: e.g.
frameworks like COSO, quantitative analysis such as FAIR, tools
such as a Process, Risk & Control (PRC) library, and assessment
methodologies such as RCSA, scenario analysis, or new initiative
risk assessments
- Experience developing and implementing industry controls
frameworks (e.g. NIST 800-53, ISO 27001/27002), designing controls
and/or testing controls design
- Knowledge of supervisory expectations expressed in the Federal
Financial Institutions Examination Council (FFIEC) IT Handbook,
Federal Reserve Supervisory Letters, Office of the Comptroller of
the Currency Bulletins, and/or Federal Deposit Insurance
Corporation Financial Institution Letters.
- Familiarity with compliance and legal requirements in the cyber
and technology space, and experience in practical interpretation
and implementation of those. -At this time, Capital One will not
sponsor a new applicant for employment authorization for this
position.The minimum and maximum full-time annual salaries for this
role are listed below, by location. Please note that this salary
information is solely for candidates hired to perform work within
one of these locations, and refers to the amount Capital One is
willing to pay at the time of this posting. Salaries for part-time
roles will be prorated based upon the agreed upon number of hours
to be regularly worked.Location is New York City: $127,092 -
$149,940 for Prin Assoc, Cyber Risk & AnalysisCandidates hired to
work in other locations will be subject to the pay range associated
with that location, and the actual annualized salary amount offered
to any candidate at the time of hire will be reflected solely in
the candidate's offer letter.This role is also eligible to earn
performance based incentive compensation, which may include cash
bonus(es) and/or long term incentives (LTI). Incentives could be
discretionary or non discretionary depending on the plan.Capital
One offers a comprehensive, competitive, and inclusive set of
health, financial and other benefits that support your total
well-being. Learn more at the -. Eligibility varies based on full
or part-time status, exempt or non-exempt status, and management
level.No agencies please. Capital One is an Equal Opportunity
Employer committed to diversity and inclusion in the workplace. All
qualified applicants will receive consideration for employment
without regard to sex, race, color, age, national origin, religion,
physical and mental disability, genetic information, marital
status, sexual orientation, gender identity/assignment,
citizenship, pregnancy or maternity, protected veteran status, or
any other status prohibited by applicable national, federal, state
or local law. Capital One promotes a drug-free workplace. Capital
One will consider for employment qualified applicants with a
criminal history in a manner consistent with the requirements of
applicable laws regarding criminal background inquiries, including,
to the extent applicable, Article 23-A of the New York Correction
Law; San Francisco, California Police Code Article 49, Sections
4901-4920; New York City's Fair Chance Act; Philadelphia's Fair
Criminal Records Screening Act; and other applicable federal,
state, and local laws and regulations regarding criminal background
inquiries.If you have visited our website in search of information
on employment opportunities or to apply for a position, and you
require an accommodation, please contact Capital One Recruiting at
1-800-304-9102 or via email at
RecruitingAccommodation@capitalone.com. All information you provide
will be kept confidential and will be used only to the extent
required to provide needed reasonable accommodations.For technical
support or questions about Capital One's recruiting process, please
send an email to Careers@capitalone.comCapital One does not
provide, endorse nor guarantee and is not liable for third-party
products, services, educational tools or other information
available through this site.Capital One Financial is made up of
several different entities. Please note that any position posted in
Canada is for Capital One Canada, any position posted in the United
Kingdom is for Capital One Europe and any position posted in the
Philippines is for Capital One Philippines Service Corp.
(COPSSC).
Keywords: Capital One, Chicago , Principal Analyst, Cyber Risk & Analysis (TRM Assessment Methodology), Professions , Chicago, Illinois
Didn't find what you're looking for? Search again!
Loading more jobs...