Technology Risk Director- Enterprise Engineering

Job Description

The Enterprise Technology & Security (ETS) Risk Director directs a team of risk professionals, developing comprehensive risk management strategies, and ensuring the organization's technology risk practices are robust, effective, and aligned with industry standards and regulatory requirements. This executive-level position provides strategic leadership over a dedicated ETS risk function, setting the direction for risk identification, assessment, and mitigation across the bank's technology and security domains. The Director serves as a key advisor to senior leadership on technology risk matters, drives the maturation of the enterprise risk framework, and maintains strong relationships with regulators, audit, and governance bodies.

Responsibilities

• Lead and oversee the Technology Risk Management function, providing strategic direction to a team of risk professionals and fostering a culture of accountability, excellence, and continuous improvement.
• Develop, implement, and continuously evolve a comprehensive technology risk management strategy and framework aligned with enterprise risk appetite, regulatory expectations, and industry best practices.
• Oversee the identification, assessment, monitoring, and reporting of technology and security risks across systems, applications, infrastructure, and processes.
• Serve as the primary executive liaison for regulatory examinations, internal audits, and supervisory engagements related to technology and security risk, ensuring effective coordination and high-quality outcomes.
• Define and maintain technology risk policies, standards, control libraries, and assessment methodologies to support consistent and scalable risk management practices.
• Partner with senior technology leaders, business executives, compliance, audit, and governance teams to embed risk management into strategic planning and decision-making.
• Provide clear, actionable, executive-level risk reporting and insights to the Risk Committees and senior management, translating complex risk landscapes into strategic guidance.
• Oversee the portfolio of risk findings, regulatory commitments, and corrective action plans, driving timely, effective, and sustainable remediation.
• Lead oversight of Third-Party Risk Management for the organization's technology and security critical service provider relationships.
• Monitor industry trends, emerging threats, and regulatory developments to proactively adjust the organization's risk posture.
• Champion a strong risk-aware and risk-informed culture across the technology organization through education, engagement, and communication.

Team-Specific Requirements

Cloud & Modern Engineering Platforms

• Working knowledge of cloud services and architectures (AWS and Azure preferred), including shared responsibility models, identity and access management, and cloud-native security controls.
• Experience assessing risk in DevSecOps, CI/CD pipelines, containerized workloads (Docker/Kubernetes), and infrastructure-as-code environments.

Infrastructure, Platform & Engineering Risk

• Strong understanding of enterprise infrastructure platforms, including Windows, Linux (RHEL), virtualization (VMware), databases, middleware, and core network services.
• Experience evaluating end-of-life (EOL) / end-of-support (EOS) risk, technical debt, and remediation prioritization across large engineering estates.

Cybersecurity & Resilience

• Hands-on familiarity with vulnerability management, platform hardening, secure configuration standards, and threat remediation prioritization.
• Experience with technology resilience, including BCP/DR, cyber recovery, data protection, backup strategies, and resiliency testing.
• Ability to translate engineering and cyber risks into business impact, service disruption, regulatory exposure, and customer risk.

Risk Frameworks & Governance

• Deep experience with enterprise technology risk management routines, including RCSAs, issue management, risk assessments, targeted reviews, and control testing.
• Working knowledge of regulatory and risk frameworks relevant to financial institutions (FFIEC, NIST, ISO, COBIT, COSO, CRI).
• Proven ability to synthesize large volumes of technical risk data into clear, prioritized executive-level insights.

Risk, Issue, and Compliance Management

• Experience using GRC Archer (or equivalent platforms such as OpenPages) to manage RCSAs, issues, action plans, metrics, and regulatory responses.
• Familiarity with risk reporting, risk dashboards, and executive-level risk metrics.

Engineering, Security & ITSM Tooling

• Working knowledge of common enterprise tooling used by engineering and cyber teams, such as ServiceNow, Jira, and Confluence, to support risk intake, issue tracking, and remediation monitoring.
• Familiarity with vulnerability and security tools such as Qualys, Wiz, CrowdStrike, CyberArk, Splunk, or similar platforms to support effective oversight and challenge.

Monitoring & Reporting

• Exposure to engineering and operational monitoring platforms (e.g., DataDog, Grafana, Tableau, Power BI), with the ability to interpret signals, trends, and risk indicators rather than operate the tools directly.

Experience & Skills

Required:

• 12+ years of progressive experience in IT risk management, information security, or internal audit, including 5+ years in a senior leadership role.
• Demonstrated executive leadership experience, including building and developing high-performing risk teams in complex, regulated environments.
• Comprehensive expertise in risk frameworks including CRI Profile, NIST 800-53, NIST CSF, COBIT, and ITIL, with a track record of applying them at an enterprise scale.
• Deep familiarity with regulatory expectations and supervisory frameworks applicable to regional banks (OCC, Federal Reserve, FDIC).
• Exceptional communication and influencing skills; proven ability to present risk strategy and findings to Board-level and executive audiences.
• Experience leading large-scale regulatory examinations, audit engagements, and enterprise-wide corrective action programs.
• Proven ability to set strategic direction, manage organizational priorities, and deliver results in a fast-paced, evolving environment.

Preferred:

• Prior experience as a risk director or equivalent executive in a federally regulated financial institution.
• Track record of building or transforming enterprise-level technology risk programs.
• Strong network within the financial services risk and technology community.

Education

• Bachelor's degree in Information Technology, Cybersecurity, Business, or a related field required; Master's degree (MBA, MS in Cybersecurity, or equivalent) strongly preferred.
• One or more of the following certifications are preferred:
• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• CRISC (Certified in Risk and Information Systems Control)
• CISA (Certified Information Systems Auditor)

Hours & Work Schedule

• Hours per Week: 40
• Work Schedule: Monday-Friday
• Hybrid: 4 days per week onsite, 1 day remote

Pay Transparency

• The salary range for this position is $190,000 - $240,000 per year, plus an opportunity to earn an annual discretionary bonus. Actual pay is based on various factors including but not limited to the work location, and relevant skills and experience.
• We offer competitive pay, comprehensive medical, dental and vision coverage, retirement benefits, maternity/paternity leave, flexible work arrangements, education reimbursement, wellness programs and more. Note, Citizens' paid time off policy exceeds the mandatory, paid sick or paid time-away policy of every local and state jurisdiction in the United States. For an overview of our benefits, visit

Required Skills

• Analytical Reasoning
• Business Integrity Management
• Commercial Thinking
• Compliance Management
• Compliance Risk
• Corporate Governance
• Creating Purpose
• Crisis Control
• Cross-Functional Collaboration
• Customer Empowerment
• Customer-Centricity
• Developing Others
• Diversity and Inclusion Practice
• Due Diligence
• Empowering Others
• Fostering Inclusion
• Industry Insight
• Influencing Others
• Innovation
• Monitoring and Evaluation (M&E)
• Motivating Others
• Optimizing People Productivity
<