Fannie Mae provides reliable, large-scale access to affordable mortgage credit in communities across our nation. We are the leading source of funding for housing in America, which means more people can buy or rent a home. We are focused on sustaining the housing recovery, improving our company, and leading change to make housing better.
Join our diverse, high-performing team and make a difference as we work together to enable access to a good home.
Under the integrated technology function within Risk Management, the Prinicpal-Cybersecurity Risk Oversight will drive governance, risk management activities, and project management across Fannie Mae’s second-line of defense for Cybersecurity as part of the DTCR (Data, Technology, Cybersecurity, and Resiliency) Risk Management Office. The incumbent will provide effective oversight and challenge of risk management activities. This position is responsible for cross-functional technology-related initiatives for risk oversight, identification, assessment, and monitoring.
KEY JOB FUNCTIONS
- Develop and oversee an effective technology risk (includes cybersecurity) oversight framework
- Leverage knowledge of the mortgage and/or financial services industry, technologies, and product types to ensure effective management of risk associated with Cybersecurity
- Actively identify, assess, and respond to risks associated with Cybersecurity as appropriate
- Identify gaps and inform solutions identified resulting from inadequate internal processes, systems or human errors associated with Cybersecurity
- Understand, adhere to and bolster Cybersecurity risk governance across the Cybersecurity/Information Security organizational landscape including the implementation of the three lines of defense model
- Inform policies, standards and procedures for Cybersecurity to maximize efficiency and minimize risk exposure
- Regarding Cybersecurity Risk Oversight, directly confer with business unit management and staff by scoping business problems, analyzing processes, risk exposure and sharing lessons learned. Identify problem drivers and reinforce operational procedures with appropriate internal controls.
- Lead and manage project and risk management-related activities that provide horizontal support across the Data, Technology, Cybersecurity, and Resiliency (DTCR) risk domains
- Partner with risk partners and other second-line enterprise risk management functions to drive meaningful Cybersecurity risk reductions and escalation of risks, as needed.
- Provide consultation to second-line risk management functions to help ensure proper execution of established frameworks, policies, standards, strategies (including risk appetite, RCSA, top/material risk).
- Comprehensively assess risks and gather insights from issues and events across technology business areas to provide an aggregated risk assessment.
- Design, influence, and oversee implementation of internal governance processes (includes reporting, issue management, policy/standard review, risk identification, risk assessments, and risk monitoring).
- Manages use of tools by which Cybersecurity risk owners identify new, top, emerging, or changing risks stemming from business activities or external events. Tools include Risk and Control Self-Assessments (RCSA), risk opinions for Key Business Decisions (KBD), and Material Risk Identification in accordance with policies and standards.
- Confer with first-line management and risk partners to assess technology capabilities, analyzing processes, and risk exposure to drive the implementation of appropriate risk management controls across the Cybersecurity landscape.
- Review technology and risk management processes; examine documentation and flow to identify ways to improve and streamline risk mitigation processes.
- Leads presentations, reporting, and workshop sessions on Cybersecurity risk management activities, process analysis, risk identification, assessment, control, and mitigation.
- Bachelor degree or equivalent
- Masters degree preferred
- IT/IS/Computer Science specialization preferred
- 10+ years of related Cybersecurity / Information Security experience
- 15+ years of related experience preferred
SPECIALIZED KNOWLEDGE & SKILLS
- Be authorized to work in the U.S. without sponsorship
- Possess superior communication skills and goal-oriented mindset
- Demonstrate strong process facilitation, process management and improvement skills
- Strong analytical skills in ability to interpret data, derive analytical insights from data and use tools as necessary (e.g., for testing and monitoring)
- Effective oral and written communication skills
- Must possess business acumen and credibility to help business line(s) proactively identify and address changing risk profile
- Mindset of continuous improvement as well as flexibility and adaptability
- Strategic Perspective - Demonstrate the relationship of Cybersecurity Risk Management to Corporate Strategy and how successful management of the cybersecurity threat landscape contributes to the safeguarding of the enterprise; Assess, oversee, challenge, and validate first-line cybersecurity controls monitoring/testing; Consult on emerging trends
- Cybersecurity / Information Security Portfolio - Assess cybersecurity / information security portfolio management processes; Maintain awareness and engagement with cybersecurity strategic initiatives; Raise risks related to information security program health
- Cybersecurity / Information Security Risk and Governance - Review and challenge compliance with policies, standards, procedures, and regulatory requirements (includes cyber insurance policy); Support the process to review the capabilities that support cyber preparedness across the enterprise; Evaluate the cybersecurity maturity and effectiveness profile, anchored by the NIST Cybersecurity Framework and other industry-frameworks (as needed); Oversee and challenge the processes and activities associated with managing third-party risks; Oversee and challenge the processes associated with cybersecurity awareness activities
- Vulnerability Management - Challenge the processes and activities associated with identifying, evaluating, classifying, remediating, and mitigating vulnerabilities
- Identity and Access Management (IAM) - Oversee and challenge the processes, policies, and controls for IAM to ensure the appropriate individuals access the right resources at the right time for the right reasons. IAM may be inclusive of the following: Internal ID management; External ID management; Credential Management; Privileged Access Management
- Data Security - Oversee and challenge the processes and activities associated with identifying the location of sensitive data and implantation of controls to reduce the risk of data being exposed to unauthorized individuals
- Security Architecture - Challenge the processes and activities associated with defining security requirements for solutions during development and deployment
- Security Incident - Oversee and challenge the processes, policies, and controls for managing cyber security incidents (e.g., incident management, table-top exercises, threat detection and response, cyber intelligence, etc.); Maintain awareness and participation in (as needed) incident management with key stakeholders (e.g., Privacy, Legal, Corporate Security, Risk Management, Regulatory Affairs)
- Security Operations and Engineering - Challenge the processes and activities associated with the Security Operations Center; Challenge and advise on the build and deployment of information security solutions throughout the software lifecycle
As a condition of employment with Fannie Mae, any successful job applicant will be required to successfully complete a background investigation.
Fannie Mae is an Equal Opportunity Employer.
Req ID: 59338