Head of Business Information Risk Officer (BIRO)

The role's objective is to be the Head of Business Information Risk Officer (BIRO) Program to lead the development and implementation of a new function for the 2nd line of defense to ensure that cybersecurity and technology initiatives are implemented within the business context and be advocates for cyber and technology risk within the business unit. This role represents the Chief Information Risk Officer serving as the bridge between the business and cybersecurity teams. In addition, this role will be the BIRO responsible for our Corporate and Global Services functions. This is a people leader role who also assists the Chief Information Risk Officer in the execution of strategic technology and cyber risk objectives with accountability for the performance and results of their respective teams. This role is also the CIRO's lead for all tech and cyber risk for our business units. Achieves goals mostly through work of others by providing leadership to managers and professional staff.

MAJOR DUTIES

• Design/Implement the strategic technology and cyber risk objectives of the group by bringing in-depth business unit knowledge from across all businesses to inform the strategy

• Serve as people manager for BIROs across all business units
• Represents CIRO in for all business unit risk and governance committees
• Develop and report on risk measures for the enterprise as an aggregation of the individual business unit reporting to ensure leadership across all business units understand their cybersecurity and technology risk posture.
• Escalate to the CIRO and appropriate governance committees where there are concentration or aggregation risks across the business units or within one BU that impacts others
• Assist in the technology and cyber risk business unit level communications and expertise

• Develop the processes for oversight and governance of issue identification and remediation for any technology or cyber related issue across the businesses
• Develop a strategy and ensure consistent implementation of 2nd line challenge to the 1st line risk management activities for the business
• Partners with Regional Chief Information Risk Officers to drive the remediation of all open issues and risk exceptions.
• Partner with the 1st LOD to ensure compliance across all business units with cybersecurity standard requirements including but not limited to vulnerability management, non-centralized identity and access management, and application security issues business unit compliance requirements. This includes providing education and training on any new requirements as they are defined.
• Partner with business leaders on any new product development to ensure cyber and technology risk is identified and managed throughout the product development process to include providing connectivity and input to the Operational Risk Product and Process Risk Modernization Program

KNOWLEDGE/SKILLS

• Broad understanding of existing and emerging cybersecurity threats, particularly those to the financial sector, and how to prevent them from impacting Northern Trust
• Strong understanding of cyber and technology regulatory requirements for all global regions

• Strong aptitude to develop and maintain internal and external business relationships and to leverage those relationships in pursuit of their day to day goals and responsibilities
• Extensive knowledge of systems security architecture, excellent consultative skills, strong analytical ability and ability to work effectively with clients.
• Experience with effectively communicating technology and cybersecurity risk posture in the context of the business at the executive level
• Extensive knowledge of cyber and technology risk management to include risk treatment, issues management, control validation, cybersecurity consultation and assessment, risk measurement and reporting, and lines of defense
• Applies knowledge of key business drivers and the factors that maximize department performance to mitigate against and minimize risk.

• Ability to influence risk decisions with both business and technology organizations without formal authority

• Experience leading a team in an operational risk management program with preference for cybersecurity or technology experience in any of the three lines of defense
• Experience leading a regionally disparate team

• History of setting departmental priorities and allocating resources to align with CIRO objectives
• Demonstrated experience in working with senior level clients in a consultative and/or advisory capacity.
• Demonstrated experience in presenting to executive management.