Sr. Information Security Officer, Managing Director

State Street Corporation Munich, GermanyPosted 16 hours ago Permanent Competitive
- Sr. Information Security Officer, Managing Director
- State Street Bank International GmbH ('SSBI') seeks to recruit a Senior Information Security Officer, Managing Director (Sr. ISO) to improve the overall protection of SSBI, its customers and partners from an evolving and sophisticated threat landscape.- The SSBI Sr. ISO reports to the SSBI Chief Governance Officer and closely cooperates with the SSBI Head of IT and the wider management team. Key stakeholders include:
- Information Security Officers
- Business and Functional Leaders
- Cyber Fusion Center
- Cyber Architecture & Security Engineering
- First Line Risk and Controls
- 3LOD Partners

The SSBI Senior Information Security Officer (Sr. ISO) will drive compliance with GCS security controls in their business unit/region/country/functional area which they represent. The Sr. ISO will serve as a trusted and influential information security advisor to senior-level business management in a large organization.
- The SSBI Sr. ISO roles and responsibilities are defined under five domain areas with the following objectives and specific responsibilities for each domain:
**Information Security program development and management**
Objective: Develop and manage the information security program within the business unit to drive compliance with information security supplemental requirements and reduce risk- Identify senior business management and build relationship to ensure effective information security governance is established - strategy with goals and objectives, strategic alignment, roles and responsibilities, performance measurement, outcomes
- Understand context of the business unit - internal and external issues, organizational structure, organizational drivers, geography, strategy, legal and regulatory requirements
- Develop an information security strategy aligned to the business unit strategy, defining the goal of information security, objectives and the desired state
- Develop and maintain an information security policy, associated standards and procedures
- Define the activities to be performed within the information security program, and assign ownership
- Establish relevant metrics to evaluate the effectiveness of the information security program
- Monitor and review information security program, to ensure continual development and improvement

**Risk and Incident Management**
Objective: Manage information security risk and incident response, from assessment through mitigation of risk, and throughout the entire lifecycle of incident management- Support the business unit in identifying high risk/critical processes and technology, ensuring they are inventoried, ownership is assigned and that regular reviews are carried out
- Integrate information security risk review into lifecycle processes such as Incident Management, ASAP, ISRMP, TPRM, BCP, SDLC, Change and Project management
- Attend risk and technology committees. Identifying, documenting and communicating Information Security risks. If risk and technology committees do not exist, work with the business unit to establish forums for discussion
- Act as Information Security representative during regulatory and statutory engagements
- Participate in security incident response program representing the business area to detect and respond to incidents in a timely manner. Post incident, provide support to the business to identify control gaps.

**Measurement**
Objective: Develop metrics for measuring the information security program and related activities- Establish and agree on appropriate reporting with senior management to give a view of the state of information security throughout the business unit
- Complete the quarterly ISO maturity assessment to provide a clear understanding of the maturity of the implementation of the ISO framework
- Identify failed business controls and provide support on remediation to drive compliance with information security supplemental requirements
- Create development plans for all information security resources to ensure continual improvement

**Communication**
Objective: Establish internal and external communication channels that support information security- Report on potential business impact of proposed new information security supplemental requirements, and of security risks from new business initiatives
- Report significant changes in information security risk to appropriate level of management for review on both a periodic and an event driven basis
- Provide regular communication on threat intelligence relevant to the business unit, and issue guidance on supporting controls
- Report on impact or potential impact of security incidents to senior management

**Education**
Objective: Maintain up to date knowledge of evolving information security threat landscape and provide information security awareness, training and education to key stakeholders- Design and develop an interactive