Information Security & Risk Director

2 Months ago • 15 Years + • Risk Management • $160,000 PA - $200,000 PA

Job Summary

Job Description

The Director of Information Security Risk is a senior leader responsible for protecting customer information and financial assets, as well as identifying and managing technology risk. This remote role involves working closely with other leaders and business partners to implement, monitor, and govern Yodlee’s cybersecurity and risk framework. Responsibilities include developing and maintaining information security policies, assisting with audits, participating in risk management committees, leading the cybersecurity team, and ensuring compliance with security policies. The role also involves risk assessment, management, and staying abreast of emerging security threats.
Must have:
  • Bachelor's degree in a related field, master's preferred.
  • 15+ years of experience in senior leadership roles.
  • Experience with information security frameworks like NIST, ISO, SOC 2.
  • Understanding of IT operations and information security impact.
Perks:
  • Health Benefits (Health/Dental/Vision)
  • Paid Time Off (PTO) & Volunteer Time Off (VTO)
  • 401K – Company Match
  • Annual Bonus Incentives
  • Parental Stipend
  • Tuition Reimbursement
  • Student Debt Program
  • Charitable Match
  • Wellness Program

Job Details

Envestnet is seeking a Director, Information Security - YOD to join our Yodlee department. This is a remote role with occasional travel to our Raleigh, NC office.

Envestnet is transforming the way financial advice is delivered through its connected technology, advanced insights, and asset management solutions – backed by industry-leading service and support. Since 1999, Envestnet has served the wealth management industry and today supports trillions in platform assets, serving over a hundred thousand financial advisors. The vast majority of the nation’s leading banks, the largest wealth management and brokerage firms, and over 500 of the largest RIAs rely on Envestnet’s wealth management platform and solutions to drive business growth, boost productivity, and deliver better financial outcomes for their clients. 

Envestnet’s Strategy:

  • Deliver the industry-leading wealth management platform, powered by advanced data and insights 
  • Leverage our scale and efficiencies to serve our clients’ needs comprehensively 
  • Enable financial advisors to deliver more holistic advice – reflecting a more complete view of their clients’ financial lives, and in a more connected environment

For more information, please visit www.envestnet.com.

Job Summary: 

The Director of Information Security Risk is a senior leader who reports to the Principal Director of Information Security. The Director works closely with other leaders and business partners to protect the confidentiality, integrity, and availability of customers’ information and financial assets and to identify and manage technology risk in the organization. The InfoSec Risk Director will manage the implementation, monitoring, and governance of Yodlee’s Cybersecurity information security and risk framework. This position will deliver an information security and risk-conscious culture and information security programs that are regularly tested and reported and that meet regulatory expectations for the enterprise.

Job Responsibilities:

Governance (Policies and Procedures):

  • In partnership with senior leaders from IT, GRC, and business stakeholders, lead the development, maintenance, and publication of up-to-date information security policies, procedures, standards, controls, and guidelines based on the NIST SP 800-53 Revision 5 framework and ISO 27001, or equivalent.
  • Oversee the training and dissemination of such policies, procedures, standards, controls, and guidelines to the enterprise.
  • Assist with regulatory audits and external and/or internal cybersecurity assessments and ensure they are successfully prepared for and delivered per calendar year for all business units (SOC2, PCI, FFIEC, NIST Readiness assessment).
  • Actively participate in the Enterprise Risk Management Committee, or equivalent; prepare and report quarterly progress against risk remediation plans and advise on current enterprise technology risks.
  • Provide leadership to the enterprise's cybersecurity organization through leading, mentoring, and inspiring a high-performing, collaborative cybersecurity team.
  • Monitor and drive compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties.

Risk Assessment and Management:

  • Implement and monitor a comprehensive enterprise information security and IT risk management program integrated with product, technology and operations disciplines.
  • In partnership with senior leaders from IT, GRC, and business stakeholders, determine a strategy to define risk appetite, improve and oversee the monitoring and continuous improvement of a risk-based enterprise security program across all cybersecurity risk domains, including cyber risk management, threat intelligence, cybersecurity controls, third-party risk management, cyber incident and vulnerability management.
  • Partner with executive management, Enterprise Risk Management, Compliance, external Regulators, and audit personnel to discern acceptable levels of risk for the organization.
  • Supervise risk assessments and testing to ensure that appropriate controls are in place and are effective.
  • Understand and interact with business, corporate, and technology disciplines to ensure the consistent application of policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance, and business continuity management.

Audits:

  • Partner with executive management, Enterprise Risk Management, Compliance, external Regulators, and audit personnel to assess all acceptable levels of risk for the organization.
  • Assist with external national and international regulatory audits including SOC 2, PCI, APEC PRP, Data Privacy, CBPR, and CFPB.
  • Oversee the third-party risk management services by conducting provider due diligence, risk review, and continuous monitoring of external vendors.
  • Ensure data loss and fraud prevention policies and procedures are effective and followed and advise on vendor risk and data/fraud exposure.

Information Security Management System (ISMS):

  • Centralize functions to manage, monitor, review, and improve information security practices, establishing policies, procedures, and controls.
  • Develop metrics that indicate the effectiveness of security controls applied to information systems and supporting information security programs. These metrics will be used to facilitate decision-making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to the company's success.
  • Partner and work closely with Data Privacy to develop an approach to influence data protection, determine the scope for the DLP program, and provide governance and management practices for the enterprise.
  • Monitor, adapt, and improve effectiveness and efficiency for the Information Security team.
  • Monitor and ensure that information security programs comply with relevant laws, regulations, and policies to minimize risk and audit findings.
  • Stay abreast of emerging security threats and technologies, providing strategic guidance on evolving security trends to executive leadership.
  • Adherence to and application of Envestnet legal, compliance, risk, business continuity and administrative policy within the role and department(s) including the timely completion of training & awareness, affirmations and testing as requested.  
  • As part of the responsibilities for this role, you will understand and readily support Envestnet's established corporate business practices, policies, internal controls and procedures designed to create value or minimize risk.

Required Qualifications: 

  • Required Skills and Experiences:
    • Education: Required - bachelor's degree in computer science, information technology, cybersecurity, or a related field; master's degree preferred.
    • Progressive experience in information security with a combination of risk management, information security, and IT-related responsibilities with regulated financial institutions and/or fintech companies, or equivalent experience in regulatory organizations or consulting services with a concentration in IS/IT disciplines within banking/fintech.
    • 15+ years of experience in a senior leadership role with increasing levels of responsibilities.
    • Experience with information security frameworks. Knowledge of NIST, ISO, SOC 2, PCI, and/or COBIT. Familiarity with Cyber Security Assessment Tool (CAT), IS-related laws, rules, regulations, and best practices.
    • Experience with third-party service provider due diligence, negotiations, oversight, and monitoring.
    • Proven track record and experience in developing information security policies and procedures as well as successfully executing programs that meet excellence objectives in a dynamic environment.
    • Thorough understanding of IT operations and the role and impact of information security on these operations.
    • One or more of the following professional certifications: CISSP, CISM, CERT, CISA, etc.
  • Additional Competencies and Skills:
    • Leadership: Strong leadership skills with the ability to inspire and motivate teams.
    • Communication: Excellent verbal and written communication skills, with the ability to convey complex security concepts to non-technical stakeholders.
    • Analytical Thinking: Strong analytical and problem-solving skills to assess and mitigate risks effectively.
    • Strategic Vision: Ability to develop and implement long-term strategies for information security.
    • Collaboration: Proven ability to work collaboratively with cross-functional teams and external partners.
    • Adaptability: Ability to adapt to rapidly changing environments and emerging threats.
    • Project Management: Strong project management skills to oversee multiple initiatives simultaneously.

Envestnet: 

  • Be a member of an innovative and industry leading financial technology and solutions company 
  • Competitive Compensation/Total Reward Packages that include:
    • Health Benefits (Health/Dental/Vision)
    • Paid Time Off (PTO) & Volunteer Time Off (VTO)
    • 401K – Company Match
    • Annual Bonus Incentives
    • Parental Stipend 
    • Tuition Reimbursement
    • Student Debt Program
    • Charitable Match 
    • Wellness Program

Salary:

The annual base salary range for this position is $160,000 to $200,000.
