Offers “Caisse d'Epargne”


Head of IT Security, Controls & Technology Risk (LoD1)

  • New York, USA

Job description

Position and responsibilities

We are seeking a highly skilled and experienced Head of IT Controls, Security and Technology Risk (LoD1) who will lead a critical team within the Natixis CIB Americas (AMER) IT department. In this key role, you will oversee and be responsible for the IT Security, Controls, Change Management, Incident Management, Disaster Recovery Planning and Remediation functions, while reporting directly to the AMER Chief Information Officer (CIO). You will lead three teams, comprising approximately seven direct reports, each focusing on a specific area of IT risk, controls and security (Access Management, Vulnerability and Patch Management, Cybersecurity, etc.).

As an executive in the First Line of Defense (LoD1), you will play a crucial role in ensuring that the AMER IT organization maintains a robust Technology Risk posture that aligns with the company and regulatory standards. You will facilitate effective change management and remediation processes across various IT teams, driving operational excellence and compliance.

This position requires outstanding communication and interpersonal skills, as you will regularly engage with senior management, board members, and regulatory bodies. Your ability to clearly and persuasively convey complex information will be essential for ensuring alignment with organizational goals and adherence to industry regulations. Additionally, you will lead audits and examinations (both internal and external) related to your areas of responsibility, which include Controls, Change Management, Incident Management, Disaster Recovery Planning, Security, and Remediation functions for AMER IT (LoD1).


·  Controls and Security Governance:  Ensure adherence to policies, standards, and controls across the different IT taxonomies. Address exceptions and align security risks with the organization's risk management framework, in accordance with BPCE Group/Natixis CIB strategy, industry best practices (e.g., NIST, SOC 2, ISO), and regulatory compliance requirements (e.g., NY DFS Part 500, FFIEC).

·  Controls and Security Compliance and Remediation:  Regularly assess the effectiveness of AMER IT's LoD1 controls to ensure they are well-designed and operational, thereby mitigating risks and maintaining compliance with regulations. Present findings to the board and regulatory bodies, serving as the primary point of contact for auditor inquiries. Oversee the implementation of comprehensive remediation actions to effectively address identified security gaps.

·  Project Planning and Tracking:  Collaborate with the AMER Regulatory Affairs department and Head Office partners (BPCE Group and Natixis) to plan and prioritize AMER IT Controls, Disaster Recovery Planning (DRP), and Security projects and initiatives. Track progress and report deliverables to senior management.

·  IT Change and Incident Management:  Coordinate IT changes within AMER IT teams while overseeing the incident response process. Ensure timely identification, investigation, and remediation of security incidents. Work closely with the Second Line of Defense (Operational Risk, CISO–Technology Risk Management) for escalation, impact assessment, reporting, and follow-up on remediation actions.

·  Incident Response Leadership:  Lead the IT incident response process, including investigation, containment, eradication, recovery, and post-incident analysis to minimize the impact of IT breaches.

·  IT Risk and Security Assurance and Reporting:  Manage repositories of evidence and artifacts necessary for audits and regulatory compliance. Provide metrics and outcome-based performance indicators to assess risk management and remediation activities.

·  Team Leadership and Development:  Lead, mentor, and develop a team of security professionals and IT engineers. Foster their understanding of security gaps, encourage the evaluation of treatment options, and support the implementation of remediation strategies across your reporting scope and within AMER IT.


Natixis is an equal opportunity employer, committed to a workplace free of discrimination. Natixis will not tolerate any form of discrimination based on age, color, mental or physical handicap or disability, pregnancy, marital status, sexual orientation, national origin, alienage, ancestry or citizenship status, race, religion, sex (including sex stereotyping, gender identity, gender expression or transgender status), veteran status, creed, genetic information or carrier status, or any other protected characteristic as established by law.


Respect for all means that we deal with each person as an individual and not as a member of any group. All qualified applicants will receive consideration for employment. Management is expected to provide leadership in supporting the firm's EEO program by taking steps to promote EEO in all facets of employment, including recruitment, hiring, retention, promotion, performance assessment, and career-development opportunities.


The salary range for Executive Director will be between $260,000 and $300,000. Natixis is required by law to include a reasonable estimate of the compensation range for this role. Actual base salary will vary and will be based on several factors including, but not limited to, relevant experience, education, skill set, applicable licensure and certifications, and other business and organizational needs. Base salary is only one component of our total rewards package. Natixis also offers a generous benefits package, and you may be eligible for a discretionary incentive award depending on company and individual performance.


Required profile and skills

BA/BS in a related field.
Strong experience in Cybersecurity and IT Controls, with significant experience in a senior or managerial role focused on security remediation, vulnerability management, and incident response.
Expertise in security frameworks (e.g., NIST CSF, ISO 27001, SOC 1 and SOC 2) and security risk management principles.
Strong knowledge of FFIEC and NY DFS regulations and their implementation.
Experience with GRC tools and best practices, preferably RSA Archer.
Excellent verbal and written communication skills.
Relevant certifications such as CRISC, CISM, CISA, CISSP, or similar advanced security certifications are highly desirable.
Knowledge of cloud security and securing hybrid IT environments is a plus.
Ability to work effectively and decisively in dynamic and ambiguous situations.
Ability to manage testing projects, track progress, and meet deadlines.
Commitment to professional development and staying up to date on emerging security threats and technologies.
