Cybersecurity Risk Oversight Specialist

Fannie Mae Corp Washington, DC 20319

Posted 2 months ago


Fannie Mae provides reliable, large-scale access to affordable mortgage credit in communities across our nation. We are the leading source of funding for housing in America, which means more people can buy or rent a home. We are focused on sustaining the housing recovery, improving our company, and leading change to make housing better.

Join our diverse, high-performing team and make a difference as we work together to enable access to a good home.


Under the integrated technology function within Risk Management, the Cybersecurity Risk Specialist provides counsel on governance, risk management activities, and project management across Fannie Mae's second-line of defense Data, Technology, Cybersecurity, and Resiliency (DTCR) Risk Management program. The incumbent will provide effective oversight and challenge of cybersecurity risk management activities. This position is responsible for cross-functional technology-related initiatives for risk oversight, identification, assessment, and monitoring.


  • Implement, maintain, and oversee an effective technology risk (includes cybersecurity) oversight framework. Leverage knowledge of the mortgage and/or financial services industry, technologies, and product types to ensure effective management of risk associated with Cybersecurity.

  • Actively identify, assess, respond to and escalate risks associated with Cybersecurity as appropriate. Identify gaps resulting from inadequate internal processes, systems or human errors associated with Cybersecurity, and inform solutions to them.

  • Understand, adhere to and bolster Cybersecurity risk governance across the Cybersecurity/Information Security organizational landscape including the implementation of the three lines of defense model. Inform policies, standards, and procedures for Cybersecurity to maximize efficiency and minimize risk exposure.

  • Regarding Cybersecurity Risk Oversight, directly confer with business unit management and staff by scoping business problems, analyzing processes, risk exposure and sharing lessons learned. Identify problem drivers and reinforce operational procedures with appropriate internal controls.

  • Leads projects and risk management-related activities that provide horizontal support across the Data, Technology, Cybersecurity, and Resiliency (DTCR) risk domains.

  • Serve as a liaison, collaborating and interfacing with risk partners and other second-line enterprise risk management functions to drive meaningful technology-risk reductions and escalation of risks, as needed. Partner with second-line risk management functions to help ensure proper execution of established frameworks, policies, standards, strategies (including risk appetite, RCSA).

  • Comprehensively assess risks and gather insights from issues and events across technology business areas to provide an aggregated risk assessment. Design, implement, and/or influence internal governance processes (includes reporting, issue management, policy/standard review, risk identification, risk assessments, and risk monitoring).

  • Manages use of tools by which Cybersecurity risk owners identify new, top, emerging, or changing risks stemming from business activities or external events. Tools include Risk and Control Self-Assessments (RCSA), risk opinions for Key Business Decisions (KBD), and Material Risk Identification in accordance with policies and standards. Confer with first-line management and risk partners to assess technology capabilities, analyzing processes, and risk exposure to drive the implementation of appropriate risk management controls across the Cybersecurity landscape.

  • Review technology and risk management processes; examine documentation and flow to identify ways to improve and streamline risk mitigation processes. Participate in presentations and workshop sessions on Cybersecurity risk management activities, process analysis, risk identification, assessment, control, and mitigation.

  • Where required by internal policies or external agencies, develop documentation of reports. This also includes developing, contributing to, and monitoring metrics and reporting (e.g., management reporting, internal reporting, etc.).


  • Bachelor's degree or equivalent


  • Certified Risk Management Professional, Certified Internal Auditor, Certified Information Security Manager, Certified Information Systems Security Professional, Certified Data Management Professional, Certified Business Continuity Auditor


  • 8 years of related Cybersecurity/Information Security Risk Management experience or 1st line technology delivery experience in one or more of the following domains: data, cyber security, application development and operations

  • Relevant work within a financial services, capital markets, insurance organization or in a cybersecurity-focused role within a regulatory organization


  • Strategic Perspective - Demonstrate the relationship of Cybersecurity Risk Management to Corporate Strategy and how successful management of the cybersecurity threat landscape contributes to the safeguarding of the enterprise; Assess, oversee, challenge, and validate first-line cybersecurity controls monitoring/testing; Consult on emerging trends

  • Must possess business acumen and credibility to help business line(s) proactively identify and address changing risk profile

  • Possess superior communication skills and goal-oriented mindset

  • Demonstrate process facilitation, process management and improvement skills

  • Demonstrated ability to function in a similar role within a large and complex organization

  • Strong project management skills; self-motivated

  • Strong analytical skills in ability to interpret data, derive analytical insights from data and use tools as necessary (e.g., for testing and monitoring)


As a condition of employment with Fannie Mae, any successful job applicant will be required to successfully complete a background investigation.

Fannie Mae is an Equal Opportunity Employer.
