Role Description
The Cyber Risk - GRC Issue Management role is responsible for designing, implementing, and operating a cyber risk governance issues management program, coordinating across multiple regions and aligning cybersecurity activities with business objectives, regulatory requirements, and enterprise risk appetite.
This role serves as the bridge between the CISO organization, technology teams, risk management as the second line of defense (2LOD), internal audit as the third line of defense (3LOD), and regulators, supporting the identification of cyber risks and managing identified issues within the Cybersecurity organization through to closure. It includes assessment, measurement, tracking, sustainment, and consistent reporting across the CISO organization.
Role Objectives
Cyber Governance
Define and implement an issues management program covering the identification of issues and their mitigating controls, the documentation of issues, and the planning and execution of remediation activities, with emphasis on the sustainment of new technology and process controls.
Establish and operate cyber risk forums, governance committees, and escalation paths.
Align cyber governance with broader technology risk and enterprise risk taxonomies.
Support board and executive‑level reporting on cyber risk posture and material exposures.
Cyber Risk Management
Own the issues management cyber risk lifecycle, including:
Evaluation of current issues management practices.
Developing and implementing improvements to the processes.
Reporting progress toward closure of open risks.
Review and approval of plans to address identified issues.
Monitoring progress against those plans.
Ensuring appropriate sustainability is included in planning.
Verifying readiness for closure and submission.
Integrate outputs from:
Vulnerability management.
Penetration testing.
Application security.
Cloud and data security assessments.
Third‑party cyber risk.
Metrics, Reporting and Data
Review and approve cyber risk KPIs and KRIs as they relate to issue closure.
Translate technical risk data into business‑relevant insights.
Support aggregate and integrated reporting across technology risk and cyber risk.
Enable consistent risk data through GRC platforms and tooling.
GRC Technology Enablement
Define requirements for risk, issue, control, and compliance workflows.
Drive automation of evidence collection and reporting.
Ensure tooling aligns to governance models and risk taxonomy.
Stakeholder Management
Partner closely with CISO and cyber domain leaders across regions globally.
Enterprise Risk Management.
Internal Audit.
Legal, Compliance, and Privacy teams.
Qualifications And Skills
10+ years of experience in cybersecurity, technology risk, or GRC.
Strong understanding of cyber risk management frameworks (e.g., NIST CSF, ISO 27001, regional regulations).
Demonstrated experience operating in highly regulated environments, preferably financial services.
Proven experience interfacing with regulators, auditors, and senior executives in a global organization.
Experience documenting and successfully closing regulatory and audit issues.
Strong ability to translate technical risk into business risk and executive‑level messaging.
Experience supporting cloud, AI, and emerging technology risk governance.
Preferred Certifications (not required)
CISSP
CISM
CRISC
CISA
Additional Requirements
SMBC’s employees participate in a hybrid workforce model that provides the opportunity to work from home, as well as from an SMBC office. Employees must live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during the interview process.
SMBC provides reasonable accommodations during candidacy for applicants with disabilities consistent with applicable federal, state, and local law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.