Threat Modeling Architect VP

Reporting to the VP Cyber Resilience, this role resides in the Cyber Resilience (COR) team within the SMBC Americas Division Information Security Office. CR's mission is to support 14 companies managing activities related to Cyber Resilience in accordance with applicable regulations, Firm policies, and industry best practices for Information Security and Operational Resilience.

The Threat Modeling Architect VP will execute and mature a program that provides a visual representation of assets, controls, threat agents, trust zones, attack paths, and a list of potential attacks a threat agent may perform as well as related reporting documents and issue management. Additionally, responsibilities include participating in information technology, data management, cybersecurity, and operational resilience management across businesses. This includes regional resilience coordination and reporting of progress to executive leadership. The role also serves as a champion for Cyber Resilience concerns, controls and maturation at the Firm, especially for the modeled environments, and related processes such as Architecture and SDLC (Software Development Lifecycle).

• Facilitates the management of an enterprise Threat Modeling Assessment program to enhance maturity across the firm.
• Builds Threat Models of enterprise services to identify and refine the attack surface.
• Acts as a Cyber Resilience champion of the Threat Modeling Assessment program and serve a pivotal role in maturation efforts.
• Delivers reports that capture identified risks, controls, assets, trust zones and enhancement requirements.
• Partners with stakeholders on Threat Modeling Assessment Issues to create action plans identified during fieldwork.
• Ability to prioritize engagements using a risk-based-approach.
• Determines alignment of Cyber Resilience controls in practice with those from authoritative sources such as NIST SP 800-53 and ISO 27002 to provide holistic insight into current capabilities and risk themes as well as best practices.
• Develops a deep knowledge of SMBC critical services and dependencies on technology, people, processes and third parties.
• Understands the impact of cyber risks as it relates to both firm and industry wide impacts to technical and security dependencies and single points of failure to enhance mitigation activities.
• Educates and provides subject matter expertise to support the business on cyber hygiene activities and enhancements based on business related impacts.

• Required experience with Visio. Knowledge of Draw.IO, IriusRisk, or Threat Modeler a plus
• Experience in Risk Assessment and Penetration Testing
• Deep understanding of enterprise architecture and security architectural elements as they relate to risks and controls. Ability to accurately capture and enhance architectural diagrams.
• Well-versed in Cyber Resilience to include technology, incident response and cyber risk practices with the ability to connect and align with the firm's processes and frameworks.
• 8+ years of direct work experience within the financial services industry with focus on security architecture as it relates to cyber threats.
• Working knowledge of business and cyber risk management process and controls, industry practices, and frameworks (e.g., NIST 800-53, ISO 27000 family).
• Broad knowledge of cloud technologies (AWS, Azure certification a plus)
• Detail oriented, with proven ability to question the status quo and apply resilience activities to enhance capabilities, as appropriate.
• Strong organizational skills, with proven ability to successfully manage multiple, concurrent priorities and team members as the program is built out.
• Ability to communicate and work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important at all levels.
• Strong analytical skills and attention to detail.
• Able to communicate technical issues to a non-technical executive audience.
• Foundational knowledge of banking laws and regulations. (FFIEC, BCBS, FCA, PRA, BoE, etc.)
• Maintain a business cyber threat mindset to understand underlying risks and weaknesses to properly assist in mitigating and enhancement activities.
• Strong desire to continually deliver a quality and meaningful work product in a timely and efficient manner.
• BA/BS in Computer Engineering, Computer Science, Information Systems, Cyber Security, Business Administration, or demonstrated relevant industry background and/or military experience.
• CCSP Certified Cloud Security Professional (CCSP), Microsoft Certified: Cybersecurity Architect Expert (MS SC-100 Exam), Certified Network Defense Architect (CNDA), CREST Registered Technical Security Architect (CRTSA), Global Information Assurance Certifications Defensible Security Architect (GDSA from GIAC) certifications preferred.
  

D&I Commitment

Responsible for fostering a culture of diversity and inclusion, holding leaders accountable for creating an inclusive environment through awareness and practice of equity in recruiting, developing, and promoting diverse talent.