Technology Risk Director- Enterprise Engineering

Description

The Enterprise Technology & Security (ETS) Risk Director directs a team of risk professionals, developing comprehensive risk management strategies, and ensuring the organization's technology risk practices are robust, effective, and aligned with industry standards and regulatory requirements. This executive-level position provides strategic leadership over a dedicated ETS risk function, setting the direction for risk identification, assessment, and mitigation across the bank's technology and security domains. The Director serves as a key advisor to senior leadership on technology risk matters, drives the maturation of the enterprise risk framework, and maintains strong relationships with regulators, audit, and governance bodies.

• Lead and oversee the Technology Risk Management function, providing strategic direction to a team of risk professionals and fostering a culture of accountability, excellence, and continuous improvement.

• Develop, implement, and continuously evolve a comprehensive technology risk management strategy and framework aligned with enterprise risk appetite, regulatory expectations, and industry best practices.

• Oversee the identification, assessment, monitoring, and reporting of technology and security risks across systems, applications, infrastructure, and processes.

• Serve as the primary executive liaison for regulatory examinations, internal audits, and supervisory engagements related to technology and security risk, ensuring effective coordination and high‑quality outcomes.

• Define and maintain technology risk policies, standards, control libraries, and assessment methodologies to support consistent and scalable risk management practices.

• Partner with senior technology leaders, business executives, compliance, audit, and governance teams to embed risk management into strategic planning and decision‑making.

• Provide clear, actionable, executive‑level risk reporting and insights to the Risk Committees and senior management, translating complex risk landscapes into strategic guidance.

• Oversee the portfolio of risk findings, regulatory commitments, and corrective action plans, driving timely, effective, and sustainable remediation.

• Lead oversight of Third-Party Risk Management for the organization’s technology and security critical service provider relationships.

• Monitor industry trends, emerging threats, and regulatory developments to proactively adjust the organization’s risk posture.

• Champion a strong risk‑aware and risk‑informed culture across the technology organization through education, engagement, and communication.

Cloud & Modern Engineering Platforms

• Working knowledge of cloud services and architectures (AWS and Azure preferred), including shared responsibility models, identity and access management, and cloud‑native security controls.

• Experience assessing risk in DevSecOps, CI/CD pipelines, containerized workloads (Docker/Kubernetes), and infrastructure‑as‑code environments.

Infrastructure, Platform & Engineering Risk

• Strong understanding of enterprise infrastructure platforms, including Windows, Linux (RHEL), virtualization (VMware), databases, middleware, and core network services.

• Experience evaluating end‑of‑life (EOL) / end‑of‑support (EOS) risk, technical debt, and remediation prioritization across large engineering estates.

Cybersecurity & Resilience

• Hands‑on familiarity with vulnerability management, platform hardening, secure configuration standards, and threat remediation prioritization.

• Experience with technology resilience, including BCP/DR, cyber recovery, data protection, backup strategies, and resiliency testing.

• Ability to translate engineering and cyber risks into business impact, service disruption, regulatory exposure, and customer risk.

Risk Frameworks & Governance

• Deep experience with enterprise technology risk management routines, including RCSAs, issue management, risk assessments, targeted reviews, and control testing.

• Working knowledge of regulatory and risk frameworks relevant to financial institutions (FFIEC, NIST, ISO, COBIT, COSO, CRI).

• Proven ability to synthesize large volumes of technical risk data into clear, prioritized executive‑level insights.

Required:

• 12+ years of progressive experience in IT risk management, information security, or internal audit, including 5+ years in a senior leadership role.

• Demonstrated executive leadership experience, including building and developing high-performing risk teams in complex, regulated environments.

• Comprehensive expertise in risk frameworks including CRI Profile, NIST 800-53, NIST CSF, COBIT, and ITIL, with a track record of applying them at an enterprise scale.

• Deep familiarity with regulatory expectations and supervisory frameworks applicable to regional banks (OCC, Federal Reserve, FDIC).

• Exceptional communication and influencing skills; proven ability to present risk strategy and findings to Board-level and executive audiences.

• Experience leading large-scale regulatory examinations, audit engagements, and enterprise-wide corrective action programs.

• Proven ability to set strategic direction, manage organizational priorities, and deliver results in a fast-paced, evolving environment.

Preferred:

• Prior experience as a risk director or equivalent executive in a federally regulated financial institution.

• Track record of building or transforming enterprise-level technology risk programs.

• Strong network within the financial services risk and technology community.

• Bachelor's degree in Information Technology, Cybersecurity, Business, or a related field required; Master's degree (MBA, MS in Cybersecurity, or equivalent) strongly preferred.
• One or more of the following certifications are preferred:
• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• CRISC (Certified in Risk and Information Systems Control)
• CISA (Certified Information Systems Auditor)

Hours & Work Schedule

• Hours per Week: 40 
• Work Schedule: Monday-Friday
• Hybrid: 4 days per week onsite, 1 day remote

Some job boards have started using jobseeker-reported data to estimate salary ranges for roles. If you apply and qualify for this role, a recruiter will discuss accurate pay guidance.

Equal Employment Opportunity

Citizens, its parent, subsidiaries, and related companies (Citizens) provide equal employment and advancement opportunities to all colleagues and applicants for employment without regard to age, ancestry, color, citizenship, physical or mental disability, perceived disability or history or record of a disability, ethnicity, gender, gender identity or expression, genetic information, genetic characteristic, marital or domestic partner status, victim of domestic violence, family status/parenthood, medical condition, military or veteran status, national origin, pregnancy/childbirth/lactation, colleague’s or a dependent’s reproductive health decision making, race, religion, sex, sexual orientation, or any other category protected by federal, state and/or local laws. At Citizens, we are committed to fostering an inclusive culture that enables all colleagues to bring their best selves to work every day and everyone is expected to be treated with respect and professionalism. Employment decisions are based solely on merit, qualifications, performance and capability.