Assessments & Exercises Vice President - Offensive Security

About the position

As an Assessments & Exercises Vice President in the Cyber and Tech Controls line of business, you will contribute significantly to enhancing the firm's cybersecurity posture by using industry-standard assessment methodologies and techniques to proactively identify risks and vulnerabilities in people, processes, and technology. Design and deploy risk-driven tests and simulations (or manage a highly-skilled team that does) and inform analysis to clearly outline root-causes. In this role, you will evaluate preventative controls, incident response processes, and detection capabilities, and advise cross-functional teams on security strategy and risk management.

Responsibilities

• Design and execute testing and simulations - such as penetration tests, adversary emulation assessments, collaborative technical controls assessments, and cyber exercises.
• Contribute to the development and refinement of assessment methodologies, tools, and frameworks to ensure alignment with the firm's strategy and compliance with regulatory requirements.
• Evaluate controls for effectiveness and impact on operational risk, as well as opportunities to automate control evaluation.
• Collaborate closely with cross-functional teams to develop comprehensive assessment reports - including detailed findings, risk assessments, and remediation recommendations.
• Utilize threat intelligence and security research to stay informed about emerging threats, vulnerabilities, industry best practices, and regulations.

Requirements

• 5+ years of experience in cybersecurity, with demonstrated exceptional organizational skills to plan, design, and coordinate the development of offensive security testing, assessments, or simulation exercises.
• Knowledge of US financial services sector cybersecurity organization practices, operations risk management processes, principles, regulations, threats, risks, and incident response methodologies.
• Ability to identify systemic security issues as they relate to threats, vulnerabilities, or risks, with a focus on recommendations for enhancements or remediation.
• Proficiency in multiple security assessment methodologies (e.g., OWASP Top Ten, NIST Cybersecurity Framework) and offensive security testing tools.
• Excellent communication, collaboration, and report writing skills, with the ability to document and explain complex technical details in a concise, understandable manner.
• Strong understanding of Windows/Linux/Unix/Mac operating systems; OS and software vulnerability and exploitation techniques; commercial or open-source offensive security tools; networking fundamentals; IaaS and PaaS providers; DevOps; incident response; threat hunting; and familiarity with interpreting log output.

Nice-to-haves

• Hold relevant industry certifications - such as CISSP, CISM, OSCP, OSEP, OSED, OSEE, OSCE, CREST, or SANS certifications.
• Technical knowledge or experience developing proof of concept exploits and in-house scripting, using interpreted languages such as Python, Ruby, or Perl, and compiled languages such as C, C++, C#, or Java.
• Intelligence Community/Security Services background, knowledge of malware packing, obfuscation, persistence, exfiltration techniques.
• Experience querying log sources within large centralized logging platforms, e.g. Splunk, Elastic, Cloudera.