Information Security Risk Management Director

Yodlee

Berwyn (PA)

Hybrid

USD 90,000 - 150,000

Full time

30+ days ago

Job summary

An established industry player is seeking an Information Security Risk Management Director to lead their risk management function. This hybrid role requires a blend of technical acumen and strategic insight to drive the security culture and business priorities. The ideal candidate will possess extensive experience in information security risk management, with a strong understanding of regulatory landscapes and risk management frameworks. You'll work closely with cross-functional teams to ensure robust security practices while developing metrics and strategies for continuous improvement. Join a forward-thinking company that values innovation and offers competitive compensation and benefits, including health benefits, PTO, and more.

Benefits

Health Benefits (Health/Dental/Vision)
Paid Time Off (PTO)
Volunteer Time Off (VTO)
401K – Company Match
Annual Bonus Incentives
Parental Stipend
Tuition Reimbursement
Student Debt Program
Charitable Match
Wellness Program

Qualifications

  • 10+ years in security risk assessment with quantitative and qualitative analysis.
  • Strong understanding of NIST and cloud security best practices.

Responsibilities

  • Lead the information security risk management function and conduct assessments.
  • Communicate security risks to stakeholders using NIST frameworks.

Skills

Information Security Risk Assessment
Cybersecurity Principles
Risk Management Frameworks
Project Management
Analytical Skills
Communication Skills

Education

Bachelor's Degree in Computer Science or related field
Relevant Cybersecurity Certifications (CISSP, CISM, etc.)

Tools

Archer GRC
AWS
Azure
GCP

Job description

Envestnet is seeking an Information Security Risk Management Director to join our Finance department. This is a hybrid role, with in-office work required at either our Berwyn, PA or Raleigh, NC office.

Envestnet is transforming the way financial advice is delivered through its connected technology, advanced insights, and asset management solutions – backed by industry-leading service and support. Since 1999, Envestnet has served the wealth management industry and today supports trillions in platform assets, serving over a hundred thousand financial advisors. The vast majority of the nation’s leading banks, the largest wealth management and brokerage firms, and over 500 of the largest RIAs rely on Envestnet’s wealth management platform and solutions to drive business growth, boost productivity, and deliver better financial outcomes for their clients.

Job Summary:

Reporting to the Head of Information Security, the Information Security Risk Management Director will lead the Information Security Risk Management function. The ideal candidate will bring a blend of technical acumen and strategic insight, and will be capable of communicating effectively with stakeholders and guiding team members in alignment with our security culture and business priorities. The candidate will have a strong background in information security risk management and cybersecurity, with working knowledge of and experience with risk management frameworks such as the NIST Cybersecurity Framework, the NIST Risk Management Framework, and the NIST AI Risk Management Framework, and a mature understanding of the regulatory landscape for information security and data protection in the financial sector. Envestnet is looking for a transformational risk expert who can work closely with cross-functional security, operations, and engineering teams, supporting leadership to ensure that a robust, comprehensive security risk management program is in place. This includes top-down and bottom-up assessments, clear communication of identified risks, timely remediation from a technical perspective, and continued enhancement of the security risk management program's capabilities.

Job Responsibilities:

  • Own the information security risk management function to conduct security risk and control assessments to identify potential risks from threats and vulnerabilities within the organization's information assets, infrastructure, and applications.
  • Responsible for assuring that all risk management activities are properly performed, documented, communicated professionally and clearly, and that all documentation is organized efficiently and effectively within the Archer GRC tool.
  • Ensure that control effectiveness assessments are aligned with our NIST based policies and standards by collaborating with cross-functional teams to understand technical implementations and assess control effectiveness.
  • Partner and work closely with peers to develop an approach to an expanded insider threat program and provide related structure and management practices for the Envestnet enterprise.
  • Responsible for refining and documenting the process used by the risk management team and managing adherence to it; develops new processes or modifies existing processes in alignment with NIST CSF 2.0 and other relevant risk models as needed.
  • Drive information security risk orchestration activities and process improvements to ensure full coverage across products and services.
  • Communicate identified security risks and their potential impact to stakeholders, including technical and non-technical audiences, using a NIST-based framework for quantitative and qualitative risk models.
  • Develop and facilitate threat-driven cyber scenarios and architectural visuals to support the assessment process to feed into the risk assessment pipeline and subsequent roadmaps for remediation.
  • Provide metrics and outcome-based performance indicators on risk management activities and assessment results using risk quantification as needed.
  • Develop and implement strategies for information security risk management, ensuring alignment with threat-driven, risk-based technical, compliance, and business requirements while providing risk-informed guidance.
  • Develop and maintain aggregated risk metrics for the cybersecurity program.
  • Provide regular reports, presentations, and updates to the Head of Information Security for delivery to senior management on risk activities and outcomes.
  • Responsible for ensuring timely responses, coordination, and management of all risk management activities.
  • Maintain up-to-date knowledge of industry standards, regulatory requirements, and emerging threats to inform risk assessment and remediation processes.
  • Own the tooling and management of risk management processes related to Archer.
  • Drive enhancement of the security risk management program, including developing and maintaining policies, standards, guidelines, procedures, and frameworks.
  • Track and report on the status of risk remediation efforts, ensuring timely resolution and compliance with organizational policies.
  • Develop and present detailed reports on risk assessments, including identified threats, vulnerabilities, and the effectiveness of implemented mitigation measures for technical and non-technical stakeholders, including senior management.
  • Use and implement GRC tools such as Archer for audits and evidence management.
  • Support the evolution of the information security risk management function including the use of and adoption of AI.
  • Adhere to and apply Envestnet legal, compliance, risk, business continuity, and administrative policy within the role and department(s) including the timely completion of training & awareness, affirmations, and testing as requested.
  • As part of the responsibilities for this role, you will understand and readily support Envestnet's established corporate business practices, policies, internal controls, and procedures designed to create value or minimize risk.

Required Qualifications:

  • 10+ years of experience in security risk assessment, with a focus on quantitative and qualitative IS risk analysis, or equivalent and relevant security experience.
  • One or more industry-recognized and relevant Cybersecurity certifications such as CISSP, ISSMP, CRISC, CISM, CERT, CISA etc.
  • Strong understanding of relevant frameworks, standards, and methods related to information security risk management, cybersecurity principles, and concepts.
  • Knowledge of cloud security best practices and technologies (e.g., AWS, Azure, GCP) within a SaaS provider.
  • 7 years in a technical risk management function at a financial institution.
  • Strong project management skills with the ability to prioritize tasks and manage multiple projects and workstreams simultaneously.
  • Understand and apply the architecture, security controls, and deployment models of advanced risk management and assessment methodologies and compliance frameworks (such as NIST, FAIR, CACI, GDPR, SOC 2, and PCI DSS).
  • Excellent communication skills at all levels, with the ability to articulate complex technical concepts to diverse audiences.
  • Experience developing attack scenarios to assist with risk management and assessment activities.
  • Knowledge of and experience with using threat contextualization and ingestion into the risk management and cyber roadmap processes.
  • Experience with security risk remediation programs, including technical implementation and compliance considerations.
  • Direct experience with driving risk management and assessments for enterprise-level program evolution and cloud service models in the financial sector.
  • Experience leading, assessing, and managing risk in SaaS service provision.
  • Familiarity with the convergence of various cyber control frameworks and the generation of control requirements in the context of risk management.
  • Strong analytical and problem-solving skills, with attention to detail and accuracy.

Envestnet:

  • Be a member of an innovative and industry-leading financial technology and solutions company.
  • Competitive Compensation/Total Reward Packages that include:
    • Health Benefits (Health/Dental/Vision)
    • Paid Time Off (PTO) & Volunteer Time Off (VTO)
    • 401K – Company Match
    • Annual Bonus Incentives
    • Parental Stipend
    • Tuition Reimbursement
    • Student Debt Program
    • Charitable Match
    • Wellness Program