Overview:

Uses professional knowledge, skills, and experience to execute security assessments on the effectiveness of Cybersecurity security control designs, which may include conducting vendor onsite reviews of third parties.  Leverages a risk-based approach to ensure appropriate security principles and controls are applied during the system development life cycle and protect customer and corporate assets in line with the Bank’s risk appetite.

Primary Responsibilities:

• Understand the enterprise and/or third party security architecture to identify security gaps. 
• Assess security controls to ensure protection of the confidentiality, integrity and availability of customer and corporate data is in line with the Bank's enterprise risk appetite.  Types of assessments and testing may include: application/system security assessments, vulnerability testing, penetration testing, static code analysis and social engineering.
• Review effectiveness of security controls on an ongoing basis to determine whether the risk remains acceptable.
• Prepare required systems and applications cybersecurity security documentation within established SLAs (Service Level Agreements), ensuring alignment with all applicable laws, regulations, Bank policies and standards, as well as industry best practices in accordance with the Bank’s risk appetite.  Raise risk-related issues to management as required.    
• Conduct and document security control assessments and based on the findings (including effectiveness of security controls) and recommendations of a security assessment report; reassess remediated controls, when applicable. 
• Present technical information to technical and non-technical audiences to ensure the business lines understand the testing of the security control results.  Present recommendations to various levels within the organization, up to and including senior management.
• Accompany senior leadership on third party onsite visits as required, documenting results, and presenting findings to risk committees upon request. 
• Partner with lines of business line to ensure cybersecurity documentation is completed and ongoing monitoring requirements are fulfilled. 
• Engage with Technology teams to identify security risks of proposed third party environments and recommend potential system/application modifications.
• Understand and adhere to the Bank's risk and regulatory standards, policies and controls in accordance with the Bank's risk appetite.  Identify and present to Management risk-related issues requiring escalation to management.  Prepare and deliver management level presentation to communicate trends and threats.
• Remain current with industry trends and security threats to advise management on how to mitigate and contain risks to the business.  Prepare and deliver management level presentations to communicate trends and threats. 
• Mentor less experienced personnel on Cybersecurity principles and application, in relation to Bank policies and standards and how they relate to security assessments.
• Understand and adhere to the Company’s risk and regulatory standards, policies and controls in accordance with the Company’s Risk Appetite.  Identify risk-related issues needing escalation to management.
• Promote an environment that supports diversity and reflects the M&T Bank brand.
• Maintain M&T internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators as applicable.
• Complete other related duties as assigned.

Scope of Responsibilities:

Up to 25% annual travel commitment

Education and Experience Required:

Associates’ degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 7 years’ higher education and/or work experience, including a minimum of 5 years’ relevant work experience

Previous experience of NIST (National Institute of Standards and Technology) or Cybersecurity frameworks, with a strong focus NIST 800-53 and 800-53a

Strong knowledge of cybersecurity principles and industry best practices (relevant to confidentiality, integrity, availability)

Proven knowledge of information technology security principles and implementation methods (e.g., firewalls, demilitarized zones, encryption, Active Directory / LDAP, SAML)

Skill in evaluating security controls based on confidentiality, integrity and availability requirements of systems

Experience with handling multiple projects

Experience meeting strict deadlines

Experience overseeing project tasks for less experienced team members

Education and Experience Preferred:

Bachelor's degree

Active CISA (Certified Information Systems Auditor), CAP (Certified Authorization Professional), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CRISC (Certified in Risk and Information Systems Control) certification or Cybersecurity domain-related industry-recognized certification

Working knowledge of the current version of the NIST SP800-53 and 800-53a Controls, or other recognized control frameworks, such as COBIT (Control Objectives for Information and Related Technology) or ISO

Knowledge of organization's risk tolerance and/or risk management approach

Working knowledge of project management methodology

Strong and proven knowledge of security technologies and architecture, including encryption, cloud network security design, role-based access control, perimeter security and application security

Knowledge of Cybersecurity threats and emerging security issues

Experienced in conducting security control testing of systems

M&T Bank is committed to fair, competitive, and market-informed pay for our employees. The pay range for this position is $82,783.41 - $137,972.36 Annual (USD). The successful candidate’s particular combination of knowledge, skills, and experience will inform their specific compensation.

Location

Buffalo, New York, United States of America