Who we are looking for

We are looking for a highly skilled and experienced Cybersecurity Risk Manager to perform Second line Risk Oversight over State Street's Offensive Security Program. You will be collaborating with peers in Global Cyber Security to ensure risk are being reduced through Red Team and Purple Team exercises, Threat Hunting and Application Penetration testing.

The Offensive Security Risk Manager will be part of a high performing Second Line of Defense team focused on reducing cyber security risk and maturing State Streets offensive security capabilities and reporting. This position will report directly to the Cyber Technology Risk Managing Director under the Chief Technology Risk Officer (CTRO).

What you will be responsible for

• Perform cyber security risk management for State Streets offensive security capabilities.


• Collaborate with GCS and Business units on the mission objectives, attack plans, and execution of the enterprise level penetration tests.


• Review and analyze reports provided by penetration testers to identify potential remediation activities to be performed.


• Coordinate with the Business on the results of the penetration test and provide oversight on issues/remediation identified as part of the Archer Finding Governance process.


• Produce reports, dashboards and metrics to measure the effectiveness of State Streets offensive security capabilities.


• Build and nurture positive working relationships with the intention to exceed stakeholder expectations.

• 5+ years of security testing experience (red teaming, cloud security, application security, or network security)


• Foundational understanding of risk management tools (Material Risk Identification, Risk and Control Self Assessments, and Key Risk Indicator Methodology)


• Bachelor's Degree in computer science, information technology, information systems, or equivalent


• Relevant certifications, such as CISSP, CRISC, GPEN, or OSCP highly preferred.

• 8 + years of security testing experience (red teaming, cloud security, application security, or network security)


• 5+ years of experience with threat modeling concepts and Cyber Security frameworks (CVSS, MITRE ATT&CK, DREAD, or STRIDE)


• Knowledge and working experience of NIST Cybersecurity Framework (CSF) and NIST 800-53


• Good understanding of state-of-the-art IT & Cyber Security products, services and technologies, as well as their respective impact on the organization's risk profile as scale.


• Ability to translate technical issues into risk terms that business can understand is absolutely necessary.


• Experience managing a global team of risk professionals.


• Good understanding and knowledge of IT infrastructure, systems, processes and emerging technologies such as cloud, converged infrastructure etc.


• At least two of the following relevant certifications, such as CISSP, CRISC, GPEN, or OSCP highly preferred.

The range quoted above applies to the role in the primary location specified. If the candidate would ultimately work outside of the primary location above, the applicable range could differ.