Cybersecurity & Resilience Risk Manager in Buffalo, NY at KeyBank

Date Posted: 2/5/2021

Job Snapshot

  • Location: Buffalo, NY

Job Description

The Cybersecurity and Resilience Operational Risk Program Manager has overall responsibility to mitigate and discourage actions that may expose KeyCorp and its affiliates to cybersecurity or resilience risk through its business activities. This position is responsible for ensuring that cybersecurity and resilience risk requirements and processes comply with regulatory requirements, Key’s Risk Management policies and program requirements, and that business activities are managed within Key’s Operational Risk Management appetite. Additionally, this position is responsible for the oversight of risk identification and mitigation for cybersecurity and resilience risk, including the oversight of relevant programs and policies. This includes providing highly specialized guidance and oversight on current and emerging legal, regulatory, and operational risk issues; monitoring and measuring operational risk performance; and reviewing and challenging strategy (e.g., initiatives, products, third parties, and clients), control design, implementation, testing, and remediation for all LOBs. The qualified candidate must be able to work independently and use sound judgment, taking into consideration the risk tolerances of assigned LOBs and KeyCorp overall. This role reports directly to the Senior Director of Cybersecurity and Technology Risk Oversight. This position will have direct reports that include operational risk officers and/or analysts.


– Proactively works with business unit management to identify and assess cybersecurity and resilience risks associated with business activities, ensuring alignment with the Corporate Operational Risk Framework, including:
• Advising LOBs on risks and controls and applicable metrics (e.g., KRIs, EWIs, tolerances).
• Advising LOBs on risks related to new products and/or services and business initiatives.
• Advising LOBs on risks related to outsourced third-party activities.
• Identifying aggregate risk across LOBs.
• Assessing the appropriateness of, and working with LOBs on developing and/or enhancing, internal procedures and guidelines to comply with Operational Risk appetite, tolerances and policies.
• Conducting a robust Review and Challenge process in evaluating and reviewing business processes, risk profiles, risk indicators, controls, remediation plans, etc., to ensure alignment with Key’s Operational Risk and Enterprise Risk Management programs, policies and practices.
• Ensuring the effective development and delivery of corporate-wide and/or role-specific Operational Risk training; providing guidance and assistance to LOBs on the development of LOB-specific operational risk training.
• Providing periodic risk reporting to senior management.
– Accountable for ensuring that policies and procedures and associated cybersecurity and resilience risk programs are consistent with current applicable banking rules, regulations, and laws. Monitors and assesses for any new or amended requirements.
– Develops and recommends for approval policies, standards, procedures and guidelines to comply with corporate risk appetites, tolerances and policies.
– Acts as Cybersecurity and Resilience Risk Subject Matter Expert on assigned Subcommittees and/or Working Groups.
– Develops and maintains positive working relationships with internal clients, staff, peers, and senior management.
– Ensures a sound understanding of business strategy, business processes and associated risks for assigned business units.
– Escalates promptly to appropriate senior management or the appropriate risk committee any material breaches of applicable laws, rules, policies or standards with actual or potential operational risk impact, along with the necessary corrective action.
– Maintains relationships with industry peers and regulatory bodies.
– Responds to internal and external audits, regulatory exams and other requests for information. Assists in the evaluation of audit and examination findings and the implementation of corrective action and needed responses.
– Effectively manages assigned human capital, ensuring acceptable employee engagement levels and providing sound direction, active coaching and development, and performance management of assigned employees. Trains and develops staff to understand risk and controls principles, regulatory requirements, risk management and process improvement techniques.

– An undergraduate degree is required; an advanced degree is desired and would be a plus.
– At least 8 years of relevant industry and professional experience (e.g., cybersecurity risk management, cybersecurity audit, or direct cybersecurity governance experience).
– In-depth practical knowledge of cybersecurity controls, risk assessments and operational processes, and applicable techniques for implementation of regulatory, compliance and legal requirements and operational processes.
– Demonstrated knowledge of cybersecurity related regulations, guidelines, and frameworks (e.g., COBIT, GLBA, HIPAA, NIST, PCI)
– Strong leadership and relationship management skills including the ability to lead up and across the organization
– Ability to effectively communicate to lines of businesses and senior management, both in writing and verbally
– Has high ethical standards
– Proven to be a proactive thinker
– Proven ability to drive results through people
– Strong project management and/or continuous improvement skills
– Proven ability to establish and maintain strong contacts within the industry so as to be aware of current industry issues and practices.
– Industry certifications a plus (e.g., Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM)).


KeyCorp is an Equal Opportunity and Affirmative Action Employer committed to engaging a diverse workforce and sustaining an inclusive culture. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.