Santander Bank, NA Information Security Risk Manager in Boston, Massachusetts

Information Security Risk Manager - 1802048



Information Risk Management is a 2nd Line oversight function. At Santander, the Information Risk Management (IRM) team engages in key projects and business/technology initiatives, and works with the 1st and 3rd Lines to drive a business-aligned, risk-based, cost-effective program designed to protect the confidentiality, integrity and availability of information, information systems (technology infrastructure, application systems and end-user technology) and information resources in support of business products and processes.

Mutual commitment and shared interests are critical to our success. We value motivated self-starters, diverse perspectives, integrity, adaptability and excellence. We seek capable, experienced, qualified and motivated individuals who seek to advance their own professional goals by working with us to serve the best interests of our team, the firm and our customers.

Santander is looking to hire qualified candidates to fill key Information Risk Management positions to build out our Information Risk Management team. We are looking for several experienced candidates with a solid Information Technology risk or audit background and experience in developing and managing information technology, information security or similarly complex programs in the Financial Services industry.

Qualified candidates will be part of the 2nd line of defense Information Risk Management team responsible for defining risk frameworks and policy, and providing oversight, review and credible challenge of risk management activities owned and managed by the 1st line of defense. These roles will report to the Head of Information Risk Management.

Qualified individuals are responsible for leading, and/or participating in, high-profile information risk management initiatives, including risk program transformation activities and supporting other critical deliverables. Senior team members play an active role in providing thought leadership, strategic thinking and providing hands-on training to less experienced team members.

Information Risk Management team members partner with key stakeholders across all lines of defense, all business lines and support functions, including IT, IS, Risk, Compliance, Legal, Audit, Human Resources and Finance, to support the identification, assessment, management and reporting of information risks. Team members work in concert with the operational risk management team, including the vendor risk management and business continuity management teams, to ensure close coordination, integration, transparency and awareness of information risks across all risk management.


  • Provides 2nd Line risk oversight of the Information Risk Management Program and provides direct 2nd Line support for the Information Technology, Information Security, Business Continuity Management and Records Management Programs, including policies/standards/procedures, strategies, material risks, risk reporting routines and metrics.

  • Independently serves as a trusted partner and risk advisor to key stakeholders and business partners across all lines of defense.

  • Credible review and challenge of 1st Line Risk and Control Self-Assessments, including process mapping, identification and assessment of risk, identification of controls, and assessments of control design and effectiveness.

  • Provide direct support for regulatory exams and interactions, including assessing risk remediation/mitigation activities.

  • Perform independent risk assessments of information risk management related disciplines, including information technology, information security, business continuity management and disaster recovery and records management.

  • Positively contribute to the risk culture and overall awareness of information risk and contribute to the creation and delivery of information risk management training.

  • Escalate, report and communicate information risk management matters to executive management and/or regulatory bodies.

  • Director Level: Acts as a delegate for the Head of Information Risk Management as required.



  • 8-15+ years of related experience; ideally a combination of Technology Risk (1st or 2nd line), IT Audit (3rd line) and/or 1st LoD Information Technology or Information Security experience.

  • 5+ years in a leadership role managing staff and third-party relationships.

  • Experience in Banking / Financial Services.

  • Bachelor’s degree in the field of IT, Information Security or related field; Master’s degree preferred.

  • One or more recognized industry certifications from ISACA, (ISC)2, SANS/GIAC, IIA, etc.

  • Thought leader, strategic and critical thinker, problem solver.

  • Motivated self-starter with positive energy.

  • Ability to work well both independently and collaboratively as a member of the team.

  • Ability to multi-task, work in a fast-paced environment and adapt to change.

  • Ability to influence and deliver a difficult message.

  • Strong written and verbal communications.

  • Experience interacting with and presenting to C-level executives and Federal Regulators/Examiners.

  • Strong program and project management skills/capabilities (PMP a plus).

  • Informed perspective on market environment, future trends, and emerging risks.

  • Integrity, combined with high personal and professional standards.

  • Spanish language skills preferred.

  • Risk Management Knowledge: Risk Identification, Risk Assessment, Risk Treatment Measures including Risk Acceptance, Governance including Measuring/Monitoring/Reporting, Risk Aggregation, Control Assessments & Controls Testing, etc.

  • Information Technology Related Knowledge: Asset management, change management, incident/problem management, patch management, Software Development Life-Cycle (SDLC), release management, capacity/performance management, data/records management and destruction, backup and recovery, etc.

  • Information Security Related Knowledge: Identity and access management, privileged access management, generic ID management, threat intelligence, vulnerability management, secure coding practices, FFIEC Cyber Assessment Tool (CAT), data security and encryption, phishing, forensics, mobile security, third-party vendors, etc.

  • Business Continuity Management including Business Impact Analysis and Disaster Recovery Planning.

  • Technical skills and capabilities (minimum requirement: general understanding and/or working knowledge): Microsoft Windows, Red Hat Linux, IBM AIX, IBM Mainframe/Midrange, VMware ESXi, LAN/WAN/MAN Networking, Firewall Technologies, Intrusion Detection/Prevention Systems (IDS/IPS), Security Information and Event Management (SIEM), Cloud Computing, Governance Risk and Compliance (GRC) Tools, Web Proxies, SQL/Oracle/DB2 Database Technologies, Data Leakage Protection (DLP), Storage Area Networks (SAN) and Network Attached Storage (NAS), Email Systems, End-User Computing, Web Servers, Middleware Technologies, Microsoft SharePoint.

Job : Risk Management Strategy
Primary Location : Massachusetts-Boston
Schedule : Full-time
Job Posting : Mar 30, 2018, 3:20:39 PM