We have an opening for a Manager, Cybersecurity Governance and Risk.
The Manager, Cybersecurity Governance and Risk leads IT risk management (ITRM) initiatives to
increase transparency of risk impacts to the Firm, manages the Cyber risk register, issues log and
supports the Governance and Risk team in identifying and implementing industry standards (e.g., NIST,
ISO and COBIT) in accordance with applicable regulatory or client guidelines.  The role will contribute to
evolving ITRM’s oversight, reporting, governance, communications, and education efforts from an
Information Security perspective and assists in developing methodologies, policies, process, and tools to
support InfoSec and Governance and Risk initiatives.
In this capacity, the Manager, Cybersecurity Governance and Risk will:
 Assist the with the development, implementation and management of the governance and risk
strategic plan and roadmap, including evolving the reporting structure and frequency to InfoSec
stakeholders;
 In conjunction with the Controls and TPRM Managers, evolve, develop and manage the
development, maintenance and evaluation of organizational InfoSec governance and risk
procedures, processes and guidelines in accordance with Firm and Client requirements;
 Serve as a key contributor in identifying, managing and communicating governance and risk
across InfoSec policy domains, providing expertise to prioritize and manage risk, while facilitating
the adoption in conjunction with the Controls Manager of IT Risk policies, standards and
guidelines across the enterprise;
 Manage the Cyber risk and issue registers and remediations; track IT risk registers and perform
risk(s) to policy domain to control(s) mapping to provide prioritization and transparency into
control and policy domains requiring remediation;
 Works with the Controls Manager and other stakeholders to  identify, validate and document
deficiencies in ITRM governance, processes and risk management practices, propose
remediations, and enforce cross functional POAM initiatives and status reporting requirements in
accordance with prioritization requirements;
 Assist InfoSec’s TPRM and Client InfoSec Assessments, including assessment activities
(completion and quality control reviews) and support reporting efforts to InfoSec leadership and
stakeholders;
 Evolve risk methodologies, as well as conduct and support risk assessments to support InfoSec
the identification of risk across policy domains, identify opportunities for control enhancement and
risk mitigation;
 Facilitate the definition and maintenance of InfoSec governance and risk measures and metrics;
and
 Handle additional related projects as assigned.
Proficiencies:
 Strong project management skills and understanding of the technology and operational risks as
related to technology solutions;
 Advanced awareness of current information security standards and developments (CSF, NIST,
ISO), the COSO framework, as well as the emerging cyber threat landscape;

 Strong understanding of Operational Risk from a Technology perspective;
 Excellent analytical and problem-solving skills, inquisitive nature and comfort challenging current
practices;
 Understanding of governance, risk and compliance (GRC) practices and technologies across
governance, process and technical domains;
 Third party assessment experience, including the evaluation of SOC2 Type 2, SIG, Pen Test,
etc., reports.
 Ability to develop and maintain a solid working relationships across the departments; and
 High-level technical understanding of security applications, platforms and architectures.
Qualifications:
 At least seven (7)years of combined information technology, information security and risk
management experience;
 Bachelor degree in Information Security, Information Assurance, Computer Science, Information
Systems, or other related field (two years of additional experience may be substituted for two
years of college credits);
 CISA, CISM, GSEC, CISSP, CRISC or other security-related certification preferred;
 Advanced understanding of risk management concepts, frameworks, and methodologies;
 Strong understanding of information security concepts and technologies;
 Background in “big 4” consulting preferred;
 Fundamental knowledge of the operation of law practices;  and
 Advanced knowledge of MS Outlook, Word, Excel, Visio, and PowerPoint.