Director, Information Security Governance

2 days ago


Waterloo, Canada MCAP Full time

**MCAP at a Glance**

Joining MCAP means you will be a part of our diverse workforce of highly talented individuals who are recognized for their expertise and success. At MCAP, your professional expertise, commitment to teamwork and passion for service excellence are recognized and rewarded with a competitive total rewards offering, a career with continuous learning and development (formal & informal training), and exciting opportunities in a dynamic, entrepreneurial environment.

**The Role**

This position will be accountable for governance, risk, and control activities within MCAP’s Information Security program.

The role will be responsible for leading a team of professionals to build and maintain these programs.

You will act as a trusted advisor, ensuring that governance, risk, and compliance issues are identified, understood, and managed effectively within the information security program. You will provide communication and education to raise awareness and will effectively promote a culture of compliance and control and actively identify business process improvement opportunities.

This position will be accountable for cyber threat and risk assessments and risk monitoring. This will involve evaluation of threats and risks to the confidentiality, integrity and availability of MCAP assets and documenting the required capabilities and control measures to mitigate risks.

This position will be accountable for establishing data loss prevention capabilities that reduce the risk of unintended or risky data exposure.

This position will be accountable to ensure that controls are established, measured and maintained and comply with regulatory and industry best practices.

**Training and Education**
- Ensure MCAP’s enterprise level security awareness program is created, delivered, maintained and measured.
- Ensure awareness training and education is provided to specialized areas (e.g. phishing campaigns, secure code development).
- Shift enterprise mindset to ‘security by design’.

**Risk Management & Policy**
- Create, maintain and evaluate security policies, standards and procedures to provide the direction for the information security program.
- Ensure policies are being followed, correcting violations as well as approving and tracking exceptions.
- Evaluate threats and risks to the confidentiality, integrity and availability of information assets.
- Review identified risks on an ongoing basis to identify and respond to changes in the risk landscape.
- Create and maintain KRIs to describe our risk posture.

**Compliance, Audit & Review**
- Track compliance obligations and monitor organizational adherence, making recommendations to meet new or changing requirements
- Review current state of compliance adherence, identify gaps and recommend gap-closure initiatives
- Evaluate risks associated with third-party suppliers and partner with vendor owner for response and remediation.

**Data Security**
- Identify and implement capabilities to help reduce and/or prevent sensitive data from being inappropriately shared, transferred or used.
- Identify and implement capabilities to monitor and control data movement within and outside the organization, aiming to protect against data breaches.
- Restrict data use and transfer according to data sensitivity and handling instructions to prevent unintended or risky data exposure.

**What You Bring To The Team**
- 10+ years in information security with a focus on governance, risk and compliance
- Strong knowledge in security governance, risk and compliance practices & frameworks (e.g. NIST, ISO, CIS)
- Strong knowledge of enterprise business continuity processes, procedures, and standards
- Multiple years of experience with incident response and frameworks
- Team management
- Demonstrated ability to create and maintain corporate level security and privacy policy, procedures, etc.
- Creation and management of security awareness training programs
- Proven experience in developing a framework for process management, monitoring, training and auditing
- Demonstrated ability to effectively engage leadership at all levels and to navigate through a large organization
- Demonstrated talent for building relationships, fostering collaboration, and leading transformational change
- Experience in the financial services industry (mortgages)
- Experience and general knowledge of security tools and technology
- Experience and general knowledge of systems, networks and cloud architectures
- Experience with risk analysis, penetration testing, and vulnerability management
- Experience and knowledge with information security and IT governance frameworks (e.g. CIS, NIST, ISO, SOC2, COBIT, ITIL)
- Minimum knowledge of cloud native development practices and design patterns using private or public cloud providers required
- Basic understanding of cloud patterns and infrastructure management using private or public cloud providers required
- Ability to prioritize in a dynamic, strate


