Senior Director of Security Configuration Management & Cyber Governance

Senior Director of Security Configuration Management & Cyber Governance

Playing an essential role in the U.S. economy, Fannie Mae is foundational to housing finance. Here, your expertise can help fuel purpose-driven innovation that expands access to homeownership and affordable rental housing across the country. Join Fannie Mae to grow your career and help people find a place to call home.

In this compelling leadership position, you will plan and direct a function and team responsible for designing, developing, testing, or maintaining hardware, technology, or processes, and ensure the coordination of business unit operational activities.

The Senior Director of Security Configuration Management & Cyber Governance is a strategic cybersecurity leader responsible for establishing, governing, and continuously improving enterprise-wide security configuration management, cyber governance, compliance, and risk oversight programs. This role ensures the organization's technology assets, platforms, and services are securely configured, governed according to industry best practices, and aligned with regulatory, business, and risk management objectives.

The Senior Director will lead multidisciplinary teams responsible for security baselines, configuration standards, governance frameworks, policy management, compliance oversight, control effectiveness, and cyber risk reporting. This leader serves as a trusted advisor to executive leadership, technology organizations, audit partners, regulators, and business stakeholders to strengthen the organization's cybersecurity posture while enabling business transformation and innovation.

Key Responsibilities

Strategic Information Security Leadership & Governance

• Develop and execute the enterprise strategy for security configuration management and cyber governance.
• Provide executive-level reporting on cyber risk, control effectiveness, compliance posture, and configuration management maturity aligned with risk appetite.
• Partner with business, technology, risk, legal, compliance, and audit stakeholders to ensure consistent governance practices across the Information Security organization.
• Drive continuous improvement initiatives that enhance operational resilience, security effectiveness, and regulatory readiness.
• Monitor emerging cyber threats, vulnerabilities, and industry trends to proactively address risks.

Security Configuration Management

• Establish enterprise security configuration standards, baselines, and hardening requirements across cloud, SaaS and on-prem software services.
• Ensure secure configuration controls are integrated into system development, deployment, and operational processes.
• Oversee configuration compliance monitoring, risk prioritization, remediation governance and executive reporting.
• Lead initiatives to automate configuration management, compliance validation, and security configuration enforcement.
• Define key performance indicators (KPIs), key risk indicators (KRIs), and metrics to measure security configuration compliance and risk reduction outcomes.
• Ensure alignment with industry frameworks such as NIST, CIS Benchmarks and relevant regulatory requirements.
• Drive continuous improvement of configuration compliance, and security control effectiveness.
• Ensure timely remediation of security misconfigurations across the enterprise.
• Lead security configuration management assessments and audits conducted by internal audit, regulators, and external parties. Ensure effective remediation of audit findings and regulatory observations.

Cyber Governance

• Lead cyber assurance governance program, partnering with Information Security Standard owners to define key requirements and monitor s.
• Lead development of governance dashboards, scorecards, and metrics that provide transparency into control performance, compliance posture, risk trends, and remediation progress.
• Present cybersecurity risks, trends, and remediation status to executive leadership, risk committees, and governance forums.
• Monitor emerging cybersecurity threats, regulatory developments, and industry trends to proactively evolve governance practices.
• Ensure alignment with enterprise risk management frameworks and regulatory expectations.

Leadership & People Management

• Build, lead, mentor, and develop high-performing teams focused on security governance, security configuration management, and cyber risk oversight.
• Foster a culture of accountability, innovation, collaboration, and continuous learning.
• Establish clear goals, performance expectations, and development plans for leaders and team members.
• Drive workforce planning, succession planning, talent acquisition, and leadership development initiatives.
• Manage budgets, vendor relationships, and strategic initiatives.
• Influence and inspire cross-functional teams without direct authority to achieve strategic cybersecurity objectives.
• Promote strong partnerships across technology, security operations, engineering, architecture, risk, compliance, and business functions.
• Serve as a key cybersecurity representative to executive leadership committees and governance forums.
• Communicate complex technical and risk topics in clear business terms appropriate for executive and board-level audiences.
• Build strong relationships with regulators, auditors, industry peers, and external partners.
• Influence strategic technology decisions through cybersecurity governance and risk management expertise.

Minimum Required Experiences

• Bachelor's degree in Cybersecurity, Information Technology, Computer Science, Engineering, or related field.
• 8 years of progressive experience in cybersecurity, information security, risk management, governance, or technology leadership roles.
• 8+ years of leadership experience managing large teams and senior-level managers.
• Demonstrated experience leading enterprise-scale security configuration management, cyber governance, risk, compliance, or security engineering programs.
• Deep understanding of cybersecurity frameworks, standards, and regulations including NIST CSF, NIST 800-53, CIS Controls, ISO 27001, COBIT, and relevant regulatory requirements.
• Deep knowledge of cloud security, infrastructure security, endpoint security, security configuration management, and security operations.
• Experience presenting cybersecurity strategies, risks, and performance metrics to executive leadership and executive committees.
• Proven ability to lead organizational change and drive adoption of enterprise security initiatives.
• Bachelor's degree in Information Security, Cybersecurity, Computer Science, Information Systems, Risk Management, or related field.
• Strong understanding of regulatory requirements applicable to financial services or highly regulated industries.
• Shows curiosity and adaptability in learning and responsibly applying new technologies, including artificial intelligence, to reimagine how we work.

Desired Experiences

• Master's degree in Cybersecurity, Information Security, Business Administration, or related discipline.
• Industry certifications such as CISSP, CISM, CRISC, CGEIT, CISA, or equivalent.
• Experience within highly regulated industries such as financial services, government, healthcare, or critical infrastructure.
• Experience implementing governance and security configurations and controls across hybrid cloud and modern technology environments.
• Knowledge of DevSecOps, Infrastructure as Code (IaC), automated compliance monitoring, and security orchestration technologies.

Leadership Competencies

• Strategic Thinking and Vision
• Executive Presence and Influence
• Risk-Based Decision Making
• Talent Development and Coaching
• Organizational Leadership
• Change Management
• Cross-Functional Collaboration
• Operational Excellence
• Accountability and Results Orientation

Qualifications

Active Directory (AD), Amazon Web Services (AWS), Artificial Intelligence (AI), Atlassian JIRA, Authentication Management, Backup and Recovery (Software), Business Insight Skills, Business Process Management Skills, Calendar and Scheduling Tools, Cleaning and Transforming Data, Cloud Technology, Collaborating Cross-Functionally, Communicating in Technical Writing, Communicating Technical Information, Communication, Configuration Management (CM), Conflict Resolution, Coordination, Customer and Market Insights, Customer Relationship Management (CRM), CyberArk, Cybersecurity Analysis, Data Analysis, Data Analysis Interpretation {+ 60 more}

Education:

Bachelor's Level Degree (Required), Master's Level Degree

The future is what you make it be. Discover compelling opportunities at Fanniemae.com/careers.

For most roles, employees are expected to work onsite on a regular basis at their designated office location. In-office work cadence is determined by your manager. Proximity within a reasonable commute to your designated office location is preferred unless the job is noted as open to remote.

Fannie Mae is an equal opportunity employer and considers qualified applicants for employment without regard to race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity/gender expression, marital or parental status, or any other protected factor. Fannie Mae is committed to providing reasonable accommodations to qualified individuals with disabilities who are employees or applicants for employment, unless to do so would cause undue hardship to the company. If you need assistance using our online system and/or you need a reasonable accommodation related to the hiring/application process,