Client Technology IT Risk Specialist, EY, United States (Salary Not Disclosed)

June 25, 2020

The role of the Client Technology (CT) IT Risk Specialist is to enable the conduct of business, through proactive identification, assessment, and mitigation, of IT risks facing EY personnel, facilities, and operations around the globe.

  • Under direct supervision of the CT Risk Leader, the CT Risk Specialist is responsible for:
  • Build and maintain an understanding of the CT organization, roles and responsibilities, so resources and risk contacts can be quickly identified
  • Subject matter resource in IT Risk Management risk assessment methodologies
  • Negotiate timelines, scope, and deliverables with IT Risk Management
  • Coordinate participation in internal and external audits, including: Info Sec assessments, Code of Connection audits, IT Risk Management Audits, Global Internal Audits, and external regulatory audits
  • Complete understanding of all in-flight and completed audit scopes, objectives, timelines, etc
  • Responsible for imbedding risk-aware culture and executing on IT Risk Management defined education and awareness plan
  • Continual assessment of current risk profile and execution against established risk and security policies and procedures
  • Understanding of eGRC system and associated reporting
  • Understanding of risk management practices, including audits, assessments, controls, and risk registers
  • Work with leadership to determine areas for focus for risk assessments, develop assessment plan and timeline
  • Analyze data, statistics, and reports to ascertain trends and conclusions to present to CT leadership

Skills and attributes for success
  • Executes on the established IT Risk Management vision for risk activities across Client Technology
  • Liaises with broader Global IT Risk Management team
  • Serves as a point of escalation for risk across CT
  • Exhibit industry leading risk management practices through effective internal controls, risk monitoring, and risk assessments
  • Looks for ways to continually improve our risk management processes
  • Understand the Client Technology IT risk landscape while receiving input from domain, product, and service owners on potential risks
  • Conduct risk assessments on CT technologies, products, and operations
  • Enforce the usage of a standard risk management framework for CT products and operations
  • Engage with EY Risk Management functions including: GCO, Data Protection, Enterprise RIsk Management, Independence, etc. to validate CT's overall risk compliance
  • Consult on Enterprise programs to embed risk-based decision-making
  • Consult and provide direction to leaders in EY Technology on effective risk mitigation strategies
  • Deliver risk intelligence to EY Technology leaders to enable informed decision-making

To qualify for the role you must have:

  • An in-depth understanding of ISO 27002, ISO 27001, ISO 31000 frameworks and applying these frameworks
  • Familiarity with local and regional regulatory requirements and how they impact IT policies
  • Experience with RSA Archer
  • Experience managing the communication to senior leaders in relation to our risk management program
  • Projects advanced consultative skills to conduct effective questioning to break down complex issues into core elements, formulate appropriate ideas or planning and negotiate those ideas and plans clearly and concisely to advance a cooperative engagement by all levels of the organization including senior and/or executive management. 
  • Solid ability to guide or develop actionable roadmaps and to implement in an efficient way to drive all risk management directives.
  • An ability to utilize core risk and controls skills in a broad range of projects both in a traditional internal audit and in advisory projects aimed at assisting in the implementation of controls / improvements.
  • Experience in developing and executing reporting strategies
  • Flexibility to adjust to multiple demands, shifting priorities, ambiguity, and rapid change
  • Demonstrated ability to multitask and prioritize in a fast-paced environment
  • Flexibility to adjust to multiple demands, shifting priorities, ambiguity, and rapid change
  • Outstanding interpersonal, communication, organizational, and decision-making skills
  • Strong judgment and analytical ability
  • Ability to communicate and gain support for initiatives
  • Strong English language skills; excellent writing, presentation, interpersonal, and communication skills are required
  • Ability to understand and integrate cultural differences and motives and to lead cross cultural teams.
  • An ability to utilize core risk and controls skills in a broad range of projects both in a traditional internal audit and in advisory projects aimed at assisting in the implementation of controls / improvements.
  • Professional; quickly establishes personal credibility and demonstrates expertise.
  • 7 or more years of experience in the Information Technology, Information Security and/or IT Risk Management field(s).
  • 5+ years of experience in managing staff  in Governance, Risk, and Compliance
  • An advanced degree in Computer Science, Information Security or a related discipline, or equivalent work experience.
  • One or more of the following or equivalent certifications preferred: Certified Risk and Information Systems Control (CRISC), Certified Information Systems Security Processional (CISSP), Certified Information Security Manager (CISM), Certified Information System Auditor (CISA), Certified Internal Auditor (CIA), Global Information Assurance Certification (GIAC) in related area, CIPP, CIPT 

Ideally, you’ll also have:

  • Experience in IT Risk Management and/or Information Security disciplines
  • Experience in communicating to all levels of management, clients and vendors
  • A working knowledge of policy frameworks such as ISO, COBIT and unified compliance framework
  • Ability to appropriately balance internal functional needs with business impact and benefit
  • Skilled in executive level presentations and briefings
  • Solid knowledge and working experience in governance, risk and compliance as applies to technology
  • Proactively maintains a comprehensive knowledge of the core business and financial drivers of EY’s service lines as well as the operating environment within IT.  Works with peers and others in service specific IT groups to support the proper recognition of risk issues or to proactively position risk mitigation and other service improvement opportunities or to engage with others in the area of continuous improvement.
  • Good appreciation of the business benefits of internal control and good risk management and not just for compliance purposes (i.e., not limited to SOX, PCI or other regulatory mainstay drivers).

For more Information Go To: