MassMutual
Head of Cyber Governance, Risk & Compliance
MassMutual, Boston, New York, United States,
Overview:We are seeking an experienced and strategic leader to join our organization as the Head of Cyber Third Party and Risk Management. In this critical role, you will be responsible for overseeing and enhancing our third-party cyber risk management program, governance, security awareness and training, and ensuring the security of our business information assets. You will lead efforts to assess, mitigate, and monitor risks associated with third-party vendors and drive information security risk management across MassMutual’s critical business units/entities.
Key Responsibilities:Leadership and Strategy:Develop and execute a comprehensive third-party risk management strategy aligned with organizational objectives, regulatory requirements, and industry best practices.Define and implement cyber security strategies, policies, and standards to protect company assets and data.Third-Party Risk Management:Lead the assessment and ongoing monitoring of third-party vendors and partners to identify potential risks and vulnerabilities.Establish risk assessment frameworks, methodologies, and scoring models to evaluate the security posture of third parties.Vendor Due Diligence and Contract Management:Implement robust due diligence processes for assessing the security capabilities of prospective vendors and partners.Collaborate with legal and procurement teams to incorporate security requirements into vendor contracts and agreements.Risk Mitigation and Remediation:Develop and oversee the implementation of risk mitigation strategies and controls to address identified vulnerabilities and risks with third parties.Monitor and track remediation efforts to ensure timely resolution of security issues impacting third-party relationships.Cyber Security Governance:Develop and enforce cyber security policies, standards, and guidelines across the organization.Ensure compliance with regulatory requirements and industry standards (e.g., ISO 27001, NIST CsF) related to information security.Security Awareness and Training:Establish a world-class enterprise cyber security awareness and training program.Develop relevant metrics to measure the efficiency and effectiveness of the security awareness and training program, facilitate appropriate resource allocation, and increase the maturity of the program.Cross-Functional Collaboration:Collaborate with internal stakeholders including IT, law, compliance, privacy procurement, and senior leadership to integrate third-party risk management and information security into business processes.Communicate security risks and recommendations to senior management, advocating for necessary investments and resources.Required Skills and Qualifications:Bachelor’s degree in computer science, Information Technology, Business Administration, or related field; advanced degree preferred.Proven experience (8+ years) in third-party risk management, information security, or related cybersecurity roles, with at least 5 years in a leadership capacity.Deep understanding of third-party risk management frameworks (e.g., NIST SP 800-161, ISO 27001), regulatory requirements, and industry standards.Strong knowledge of information security principles, practices, and technologies, including data protection, encryption, access control, and identity management. Excellent leadership and people management skills, with the ability to lead and mentor a diverse team of professionals.Experience working with business process reengineering and IT solutioning; experience working on project teams bringing together both business & technology. Capable of explaining technical concepts to a non-technical audience.Effective communication skills, with the ability to articulate complex security concepts to non-technical stakeholders and influence decision-making at all levels.Preferred Qualifications:Industry certifications such as CISSP, CISM, CRISC, or related certifications in risk management and cybersecurity.Experience in financial services, healthcare, or other regulated industries with stringent security and privacy requirements.Familiarity with emerging technologies and trends in cybersecurity, such as cloud security, IoT security, and DevSecOps practices.MassMutual is an Equal Employment Opportunity employer Minority/Female/Sexual Orientation/Gender Identity/Individual with Disability/Protected Veteran. We welcome all persons to apply. Note: Veterans are welcome to apply, regardless of their discharge status.If you need an accommodation to complete the application process, please contact us and share the specifics of the assistance you need.
#J-18808-Ljbffr
Key Responsibilities:Leadership and Strategy:Develop and execute a comprehensive third-party risk management strategy aligned with organizational objectives, regulatory requirements, and industry best practices.Define and implement cyber security strategies, policies, and standards to protect company assets and data.Third-Party Risk Management:Lead the assessment and ongoing monitoring of third-party vendors and partners to identify potential risks and vulnerabilities.Establish risk assessment frameworks, methodologies, and scoring models to evaluate the security posture of third parties.Vendor Due Diligence and Contract Management:Implement robust due diligence processes for assessing the security capabilities of prospective vendors and partners.Collaborate with legal and procurement teams to incorporate security requirements into vendor contracts and agreements.Risk Mitigation and Remediation:Develop and oversee the implementation of risk mitigation strategies and controls to address identified vulnerabilities and risks with third parties.Monitor and track remediation efforts to ensure timely resolution of security issues impacting third-party relationships.Cyber Security Governance:Develop and enforce cyber security policies, standards, and guidelines across the organization.Ensure compliance with regulatory requirements and industry standards (e.g., ISO 27001, NIST CsF) related to information security.Security Awareness and Training:Establish a world-class enterprise cyber security awareness and training program.Develop relevant metrics to measure the efficiency and effectiveness of the security awareness and training program, facilitate appropriate resource allocation, and increase the maturity of the program.Cross-Functional Collaboration:Collaborate with internal stakeholders including IT, law, compliance, privacy procurement, and senior leadership to integrate third-party risk management and information security into business processes.Communicate security risks and recommendations to senior management, advocating for necessary investments and resources.Required Skills and Qualifications:Bachelor’s degree in computer science, Information Technology, Business Administration, or related field; advanced degree preferred.Proven experience (8+ years) in third-party risk management, information security, or related cybersecurity roles, with at least 5 years in a leadership capacity.Deep understanding of third-party risk management frameworks (e.g., NIST SP 800-161, ISO 27001), regulatory requirements, and industry standards.Strong knowledge of information security principles, practices, and technologies, including data protection, encryption, access control, and identity management. Excellent leadership and people management skills, with the ability to lead and mentor a diverse team of professionals.Experience working with business process reengineering and IT solutioning; experience working on project teams bringing together both business & technology. Capable of explaining technical concepts to a non-technical audience.Effective communication skills, with the ability to articulate complex security concepts to non-technical stakeholders and influence decision-making at all levels.Preferred Qualifications:Industry certifications such as CISSP, CISM, CRISC, or related certifications in risk management and cybersecurity.Experience in financial services, healthcare, or other regulated industries with stringent security and privacy requirements.Familiarity with emerging technologies and trends in cybersecurity, such as cloud security, IoT security, and DevSecOps practices.MassMutual is an Equal Employment Opportunity employer Minority/Female/Sexual Orientation/Gender Identity/Individual with Disability/Protected Veteran. We welcome all persons to apply. Note: Veterans are welcome to apply, regardless of their discharge status.If you need an accommodation to complete the application process, please contact us and share the specifics of the assistance you need.
#J-18808-Ljbffr