Cybersecurity Control Testing Lead, VP

Control Testing Lead

Discover your opportunity with Mitsubishi UFJ Financial Group (MUFG), one of the world's leading financial groups. Across the globe, we're 150,000 colleagues, striving to make a difference for every client, organization, and community we serve. We stand for our values, building long-term relationships, serving society, and fostering shared and sustainable growth for a better world.

With a vision to be the world's most trusted financial group, it's part of our culture to put people first, listen to new and diverse ideas and collaborate toward greater innovation, speed and agility. This means investing in talent, technologies, and tools that empower you to own your career.

Join MUFG, where being inspired is expected and making a meaningful impact is rewarded.

The selected colleague will work at an MUFG office or client sites four days per week and work remotely one day. A member of our recruitment team will provide more details.

The Control Testing Lead will be responsible for leading a team that plans, executes, documents, and reports results for technology control testing across cloud and on-premises environments. This role will manage direct reports, establish testing priorities, oversee quality of execution, and drive consistent control testing practices across technical domains. The role requires strong knowledge of cybersecurity, cloud security, technical controls, infrastructure control design, software development lifecycle practices, and risk-based assurance methodologies.

This position will serve as a team leader within a broader Cybersecurity GRC control assurance operating model, accountable for directing testing activities, developing team capability, influencing control quality, and providing insight to engineering, security architecture, application, infrastructure, audit, risk, and compliance stakeholders. The role will work extensively with Cybersecurity GRC to align testing priorities, evidence standards, issue rationale, reporting expectations, and remediation themes while helping ensure that controls are appropriately designed, operating effectively, supported by reliable evidence, and aligned to regulatory, internal policy, and industry framework requirements.

Key Responsibilities

• Lead and manage a team responsible for control testing activities across cloud, hybrid, and on-premises environments, with emphasis on cloud services, infrastructure, identity, access, configuration, logging, monitoring, vulnerability management, and change management controls.
• Set testing strategy, define annual and quarterly priorities, oversee risk-based test plans, and ensure test scripts, walkthrough procedures, evidence requests, sampling approaches, and testing documentation are consistent and defensible.
• Manage direct reports by setting goals, assigning work, reviewing deliverables, providing coaching, supporting career development, and maintaining accountability for quality, timeliness, and risk-based judgment.
• Assess control design and operating effectiveness by reviewing system configurations, architecture patterns, policies, procedures, tickets, logs, screenshots, reports, and other supporting evidence.
• Drive continuous, automated control monitoring and assurance to reduce manual, point-in-time validation
• Evaluate technical controls across cloud platforms, including identity and access management, network segmentation, encryption, key management, logging, monitoring, workload protection, vulnerability remediation, backup and recovery, and secure configuration baselines.
• Evaluate on-premises technical controls across servers, databases, network devices, endpoints, applications, data centers, and supporting infrastructure.
• Review software development lifecycle and secure delivery controls, including secure design, threat modeling, code review, testing, deployment pipeline controls, release management, change approvals, segregation of duties, and production deployment governance.
• Identify control gaps, evidence deficiencies, design weaknesses, and operating issues, document clear observations, risk impacts, root causes, and practical remediation recommendations.
• Work extensively with Cybersecurity GRC, compliance, audit, application, infrastructure, cloud engineering, and security architecture stakeholders to validate control performance, align on testing expectations, resolve control evidence questions, and support consistent issue treatment.
• Provide leadership, coaching, and technical guidance to control testers, analysts, and stakeholders on testing methodology, evidence standards, technical control concepts, documentation quality, and audit-ready conclusions.
• Own testing progress, issue status, remediation themes, management reporting, audit readiness, risk and control forums, assurance routines, and continuous improvement of the control testing function.

Required Qualifications

• 10+ years of experience in technology risk, IT audit, cybersecurity, control testing, cloud security, infrastructure security, or related technical assurance roles, including experience leading teams or managing direct reports.
• Strong understanding of cloud and hybrid control environments, with practical knowledge of on-premises infrastructure control concepts.
• Strong understanding of AI models and ability to define and execute appropriate assessment strategy
• Demonstrated experience testing technical controls, including access management, privileged access, change management, vulnerability management, logging and monitoring, encryption, backup and recovery, incident response, configuration management, and network security.
• Strong understanding of software development lifecycle practices, secure delivery methods, deployment controls, release management, and production change governance.
• Ability to lead testing teams, manage performance, review workpapers, develop talent, resolve execution blockers, and maintain consistent quality across concurrent testing activities.
• Strong analytical judgment with the ability to assess control design and operating effectiveness using evidence-based testing.
• Ability to interpret technical evidence and translate findings, risk themes, control gaps, and remediation trends into clear documentation, leadership messaging, and actionable management reporting.
• Strong communication and stakeholder management skills, including the ability to engage technical and non-technical audiences, challenge control design constructively, and influence outcomes.
• Ability to manage multiple testing workstreams, prioritize risk-based activities, escalate risks appropriately, and deliver high-quality outcomes within established timelines.

Education

• Bachelor's degree in computer science or a closely related discipline, or an equivalent combination of formal education and experience

Other Details

• The typical base pay range for this role for NY/NJ is between $147k - $194k depending on job-related knowledge, skills, experience, and location. Non NY/NJ is 144k-180k
• This role may also be eligible for certain discretionary performance-based bonuses and/or incentive compensation. Additionally, our Total Rewards program provides colleagues with a competitive benefits package (in accordance with the eligibility requirements and respective terms of each) that includes comprehensive health and wellness benefits, retirement plans, educational assistance and training programs, income replacement for qualified employees with disabilities, paid maternity and parental bonding leave, and paid vacation, sick days, and holidays.
• VISA sponsorship is not available for this position

We will consider for employment all qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local laws (including (i) the San Francisco Fair Chance Ordinance, (ii) the City of Los Angeles' Fair Chance Initiative for Hiring Ordinance, (iii) the Los Angeles County Fair Chance Ordinance, and (iv) the California Fair Chance Act) to the extent that (a) an applicant is not subject to a statutory disqualification pursuant to Section 3(a)(39) of the Securities and Exchange Act of 1934 or Section 8a(2) or 8a(3) of the Commodity Exchange Act, and (b) they do not conflict with the background screening requirements of the Financial Industry Regulatory Authority (FINRA) and the National Futures Association (NFA). The major responsibilities listed above are the material job duties of this role for which the Company reasonably believes that criminal history may have a direct, adverse and negative relationship potentially resulting in the withdrawal of conditional offer of employment, if any.The above statements are intended to describe the general nature and level of work being performed. They are not intended to be construed as an exhaustive list of all responsibilities duties and skills required of personnel so classified.We are proud to be an Equal Opportunity Employer and committed to leveraging the diverse backgrounds, perspectives and experience of our workforce to create opportunities for our colleagues and our business. We do not discriminate on the basis of race, color, national origin, religion, gender expression, gender identity, sex, age, ancestry, marital status, protected veteran and military status, disability, medical condition, sexual orientation, genetic information, or any other status of an individual or that individual's associates or relatives that is protected under applicable federal, state, or local law.