Overview: The Senior Cybersecurity Controls Assessments & Testing Specialist will use their specialized knowledge and experience to execute security assessments of the effectiveness of cybersecurity control designs, which may include conducting onsite reviews of third-party vendors. This individual will also apply a risk-based approach to ensure appropriate security principles and controls are applied during the system development life cycle and that customer and corporate assets are protected in line with the Bank's risk appetite.
Understand the enterprise and/or third party security architecture to identify security gaps.
Assess security controls to ensure that protection of the confidentiality, integrity and availability of customer and corporate data is in line with the Bank's enterprise risk appetite. Types of assessments and testing may include: application/system security assessments, vulnerability testing, penetration testing, static code analysis and social engineering.
Review effectiveness of security controls on an ongoing basis to determine whether the risk remains acceptable.
Prepare required cybersecurity documentation for systems and applications within established SLAs (Service Level Agreements), ensuring alignment with all applicable laws, regulations, Bank policies and standards, as well as industry best practices, in accordance with the Bank's risk appetite. Raise risk-related issues to management as required.
Conduct and document security control assessments, producing a security assessment report that captures the findings (including the effectiveness of security controls) and recommendations; reassess remediated controls when applicable.
Present technical information to technical and non-technical audiences to ensure the business lines understand the results of security control testing. Present recommendations to various levels within the organization, up to and including senior management.
Accompany senior leadership on third-party onsite visits as required, document the results, and present findings to risk committees upon request.
Partner with lines of business to ensure cybersecurity documentation is completed and ongoing monitoring requirements are fulfilled.
Engage with Technology teams to identify security risks in proposed third-party environments and recommend potential system/application modifications.
Understand and adhere to the Bank's risk and regulatory standards, policies and controls in accordance with the Bank's risk appetite. Identify and present to management risk-related issues requiring escalation.
Remain current with industry trends and security threats to advise management on how to mitigate and contain risks to the business. Prepare and deliver management level presentations to communicate trends and threats.
Mentor less experienced personnel on cybersecurity principles and their application, in relation to Bank policies and standards and how they relate to security assessments.
Understand and adhere to the Company's risk and regulatory standards, policies and controls in accordance with the Company's Risk Appetite. Identify risk-related issues needing escalation to management.
Promote an environment that supports diversity and reflects the M&T Bank brand.
Maintain M&T internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators as applicable.
Complete other related duties as assigned.
Scope of Responsibilities: Up to 25% annual travel commitment
Education and Experience Required: Associate's degree and a minimum of 5 years' relevant work experience, or, in lieu of a degree, a combined minimum of 7 years' higher education and/or work experience, including a minimum of 5 years' relevant work experience
Previous experience with NIST (National Institute of Standards and Technology) or other cybersecurity frameworks, with a strong focus on NIST 800-53 and 800-53A
Strong knowledge of cybersecurity principles and industry best practices (relevant to confidentiality, integrity, availability)
Proven knowledge of information technology security principles and implementation methods (e.g., firewalls, demilitarized zones, encryption, Active Directory / LDAP, SAML)
Skill in evaluating security controls based on confidentiality, integrity and availability requirements of systems
Experience with handling multiple projects
Experience meeting strict deadlines
Experience overseeing project tasks for less experienced team members
Education and Experience Preferred: Bachelor's degree
Active CISA (Certified Information Systems Auditor), CAP (Certified Authorization Professional), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CRISC (Certified in Risk and Information Systems Control) certification or Cybersecurity domain-related industry-recognized certification
Working knowledge of the current version of the NIST SP 800-53 and 800-53A controls, or other recognized control frameworks such as COBIT (Control Objectives for Information and Related Technology) or ISO
Knowledge of organization's risk tolerance and/or risk management approach
Working knowledge of project management methodology
Strong and proven knowledge of security technologies and architecture, including encryption, cloud network security design, role-based access control, perimeter security and application security
Knowledge of cybersecurity threats and emerging security issues
Experience conducting security control testing of systems