Avp, Security Governance and Risk Management

You are as unique as your background, experience and point of view. Here, you’ll be encouraged, empowered and challenged to be your best self. You'll work with dynamic colleagues - experts in their fields - who are eager to share their knowledge with you. Your leaders will inspire and help you reach your potential and soar to new heights. Every day, you'll have new and exciting opportunities to make life brighter for our Clients - who are at the heart of everything we do. Discover how you can make a difference in the lives of individuals, families and communities around the world.

**Position Overview**

This position manages a major functional area that reports directly to the Vice President, Security Engineering and Advisory. The AVP, Security Risk Management and Governance will be responsible for defining and aligning strategies for security risk management and governance and ensure that exposures to cyber risk are identified and managed at an acceptable level.

The position is an integral part in the development, implementation, and compliance of security control programs across the organization globally and will regularly act as a voice of Information Security to clients and management, building cyber security confidence in support of business development and governance processes.

The incumbent has direct oversight of the following functions:

- Information Security Policy, Directives, and Operating Guidelines.
- Alignment of the Sun Life Security Program to National Institute of Standards and Technology (NIST) and Cloud Security Alliance Cyber Security Frameworks.
- Control monitoring of internal security risk assessments and third party security risk management. Governance and risk management with; regulators, auditors, and customer response.
- Develop and manage the security risk management and compliance strategy, framework and approach.
- Integrate security risk reporting and aggregate reporting into the operational risk framework.
- Provide briefings to senior management and advise them of critical issues that may affect business or enterprise security objectives in partnership with Sun Life Business Unit risk and compliance officers.
- In conjunction with Legal, Privacy and Compliance, identify information management and protection laws and regulations and implement actions to ensure compliance.
- Recommend strategies to ensure a common approach towards regulatory authorities and obtain internal efficiency.
- Ensure a comprehensive understanding of existing requirements and ongoing monitoring of new requirements.
- Develop strategies and action plans to drive control maturity improvement in areas where controls do not adequately mitigate security risks.
- Facilitate prioritization of security risk and due diligence activities with different lines of business in conjunction with Business Unit Risk and Compliance officers.
- Identify global security regulatory, legislative, and industry specific compliance requirements and applicability to each line of business.
- Partner with Architecture and Engineering teams to develop risk mitigation strategies, solutions, and recommendations to reduce components, systems, or enterprise security risk.
- Develop, document, and assess measures, metrics, and internal controls related to cyber security assessments and acceptance.
- Coordinate and track all information technology and security related audits including scope of audits, business units involved, timelines, and outcomes.
- Liaise with Corporate Operational Risk Management and Internal Audit, maintaining excellent relationships and provide transparency.
- Provide guidance, evaluation and advocacy on audit responses.
- Develop and maintain a strategy for managing security related audits, compliance checks and external assessment processes for auditors.
- Lead the development and implementation of effective and reasonable policies and practices to secure sensitive data and ensure security and compliance with contracts, regulatory requirements, and industry standards.
- Manage the third party risk assessments process to ensure risk transparency and business acceptance, contractual obligations and enable risk-based decision making.
- Partner with business and technology leaders in ensuring new and existing business relationships adequately address information security risk through vendor management, security engineering engagements, and security assessments of processes and procedures.
- Manage specified Governance Risk and Compliance (GRC) projects from inception to completion.
- Support the Vice President and CISO in establishing annual and long-term goals, defining risk and governance strategies, metrics, and reporting mechanisms.

**Qualifications, Experience, Skills and Attributes**
- Minimum of 15 years work experience in IT with direct responsibility for technologies in scope, including at least 10 years previous experience in a management role.
- Experience working in a Financial Services organiza