Cybersecurity Risk Assessor
Your Opportunity
At Schwab, you’re empowered to make an impact on your career. Here, innovative thought meets creative problem solving, helping us “challenge the status quo” and transform the finance industry together.
We believe in the importance of in-office collaboration and fully intend for the selected candidate for this role to work on site in the specified location(s).
The Cyber Assessments and Resilience Team is a first line of defense team positioned within the Schwab Cybersecurity Services vertical, aligned to ensure that services and applications within the Schwab Portfolio are assessed from a technology risk, cybersecurity risk, and cyber resilience perspective.
The cybersecurity risk assessor is a subject matter expert (SME) who works as part of the team to assess cybersecurity risks against established requirements, standards, policies and frameworks. The individual is responsible for proactive identification, assessment, treatment, and continuous monitoring of information security and technology risks. As a risk assessment SME, the individual reviews cybersecurity practices and recommends remediation of gaps or proposes new controls, consistent with best practices, as well as continually evaluates risk exposure and tolerance as defined by business leaders and external entities. The role also reviews and documents deficiencies, advocates for change and, when appropriate, escalates issues to senior risk leadership.
This is a key role in assuring that cyber risks are effectively managed, Schwab client information is protected, and our clients’ trust is maintained. Success in this role will require the ability to exercise influence, communicate effectively, think strategically, and work collaboratively among internal and external stakeholders across multiple functions, combined with strong expertise in the risk management discipline and in security and technology control best practices. This is an individual contributor role.
What you're good at
The Cyber Risk Assessment Manager will be responsible for the following:
- Receive and triage new assessment requests relating to on-prem, public cloud, third party, acquired applications, processes, and standards. Review inherent risk characteristics and validate the inherent risk is accurate to prepare for assessment.
- Partner with a distributed team consisting of security architects, engineers, and risk practitioners to determine the assessment scope and rigor based on inherent risk
- Maintain coordination and organization of assessments in flight between all key security teams involved throughout the lifecycle of the assessment.
- Translate control gaps identified from security architecture and engineering teams into security conditions and documented issues in a risk-based language that can be shared with application and system owners for remediation.
- Coordinate with application and technology teams and explain gaps which need actioning prior to production release, while communicating risks identified by assessment up to senior management.
- Document effectiveness of the application/system, process, or third party and the residual risk resulting from the assessment.
- Prepare a detailed cybersecurity risk assessment report based on existing risk reporting models and templates.
- Perform continuous monitoring and tracking of identified gaps and provide regular risk updates to senior management
- Create and present risk posture discovery and recommendation reports to risk management leadership.
- Develop and deliver executive-level reporting and presentations outlining cyber risks, risk velocity/trending, and status of defined action plans.
- Identify and manage continuous improvements in various areas, including automation of risk assessments, leadership reporting activities, development and maintenance of risk-related information, and audit and/or regulatory areas.
- Contribute to the creation and ongoing development of security and control metrics.
- Support maturing cyber risk governance through development of standard processes and procedures.
- Advocate and promote awareness of cyber risks to business and technical partners.
Other responsibilities include:
- Build strong relationships and partner closely with security and technology partners across Charles Schwab Corporation and its affiliates.
- Develop internal processes to increase team efficiencies and continually mature operations.
- Other risk related responsibilities as identified
- May travel minimally as needed
What you have
Required Qualifications:
- 3-5 years of relevant experience in the disciplines of information security, risk assessment activities or information security compliance with strong hands-on experience in security risk assessments.
- Superior attention to detail and focus on quality work delivery
- Expertise in information security best practices and technology risk management disciplines, including knowledge and familiarity with a broad range of IT and information security products and technologies such as Network Security, Cryptography, Identity and Access Management, Vulnerability Management, Logging and Monitoring, Cloud Platforms, and Application Security.
- Familiar with one or more regulatory requirements and laws such as, but not limited to, PCI, Federal Financial Institutions Examination Council, Sarbanes-Oxley Act, HIPAA, GDPR and GLBA. Additionally, experience in one or more: ISO 27001, ITIL and NIST. General understanding of the Factor Analysis of Information Risk methodology.
- Working knowledge of software development practices and technologies.
- Understanding of information security or technology risks.
- Experience in developing performance or risk metrics, and executive dashboards.
- Excellent analytical & technical skills, able to research problems, determine root causes and solutions.
- Experience using and administering collaboration platforms such as MS SharePoint, Confluence, or JIRA.
- Must be a self-starter and able to work independently, as part of a team, and lead working groups as required.
- Work ethic based on a strong desire to exceed expectations.
- Ability to work successfully in a fast-paced, results-oriented environment. Requires excellent time management skills, ability to appropriately prioritize multiple, competing demands.
- Ability to translate technical control gaps into risk statement language.
- Bachelor’s Degree in Computer Science or related discipline.
- Relevant certifications or ability to obtain information security certifications such as CISSP, CCSP, CCSK, CISM or CRISC.
In addition to the salary range, this role is also eligible for bonus or incentive opportunities.
What’s in it for you
At Schwab, we’re committed to empowering our employees’ personal and professional success. Our purpose-driven, supportive culture, and focus on your development means you’ll get the tools you need to make a positive difference in the finance industry. Our Hybrid Work and Flexibility approach balances our ongoing commitment to workplace flexibility, serving our clients, and our strong belief in the value of being together in person on a regular basis.
We offer a competitive benefits package that takes care of the whole you – both today and in the future:
- 401(k) with company match and Employee stock purchase plan
- Paid time for vacation, volunteering, and 28-day sabbatical after every 5 years of service for eligible positions
- Paid parental leave and family building benefits
- Tuition reimbursement
- Health, dental, and vision insurance
Why Schwab?
At Schwab, “Own Your Tomorrow” embodies everything we do! We are committed to helping our employees unleash their potential and achieve their dreams. Our employees get to play a central role in disrupting a multi-trillion-dollar industry, creating a better, more modern way to build and manage wealth. We’re a modern financial services firm that stands apart from the industry, where you can go as far as your ambition takes you.
The benefits of working at Schwab: a package designed to empower your health, wealth, career and life. Schwab is committed to building a diverse and inclusive workplace where everyone feels valued.
As an equal employment opportunity employer, our policy is to provide equal employment opportunities to all employees and applicants without regard to any status that is protected by law.
Schwab is also an affirmative action employer, focused on advancing women, minorities, veterans, and individuals with disabilities in the workplace. We believe diversity and inclusion are part of our success as a company and our purpose of serving every client with passion and integrity.