Manager, Cybersecurity Risk Assessment

Job Requisition ID: 10748

Position Status: Permanent Full Time

Position Type: Hybrid

Office Location: Ottawa (ON) preferred, Montreal (QC) and Toronto will be considered

Travel Requirement: Occasional

Language Designation: Bilingual

Language Skill Levels (Read/Write/Speak): CBC

Security Requirement: Secret

Salary: Our salaries generally range from $ 101639.30 to $ 127049.13 and are based on qualifications and experience.

About CMHC

The work you do and the work we do together matters. We come to work every day with a common purpose: to contribute to a well-functioning housing system.

At CMHC, we hold ourselves accountable for our results and support our colleagues in their achievements. We thrive on collaboration , connecting across CMHC and involving the right people to get our work done. We have flexibility , in how, when, and where we work, within the boundaries of the business needs and the nature of your role. Our leadership style is guided by trust , where our leaders favour an adaptive approach based on the needs of their teams.

Join us and be part of a team that's committed to making a real difference and be part of something meaningful.

What’s in it for you

We’ve got the purpose, the people and the perks you need for a fulfilling career. Here’s the comprehensive and generous benefits you get when you’re a permanent employee:

• Annual paid vacation.
• Annual individual performance incentive.
• Defined benefit pension plan.
• Comprehensive group insurance plan to support your well-being from day one.
• Support towards your personal and professional growth with training, mentorship and more.
• An inclusive workplace culture and environment.

About the role

The Manager, Cybersecurity Risk Assessment, is responsible for supporting the development and implementation of cybersecurity risk mitigation strategies and monitoring cybersecurity risk levels within the organization. This role assists in identifying and assessing potential threats, ensures alignment with organizational objectives, and collaborates with other departments to integrate risk management practices into business operations.

Office Location: Ottawa (ON) preferred, Montreal (QC) and Toronto will be considered.

What you’ll do:

• Support the identification of potential risks and vulnerabilities to develop targeted risk mitigation strategies to reduce the impact of identified risks (technological, operational, financial, and compliance-related threats). Oversee the implementation of risk mitigation plans in collaboration with 1-B. Monitor and support the execution of these strategies and support the continuous monitoring of risks, the effectiveness of mitigation strategies and ensure they comply with relevant industry standards, regulations, and best practices.
• Contribute to ongoing monitoring of IT and cybersecurity risk levels across the organization. Assist in evaluating and enhancing the risk assessment methodologies to identify vulnerabilities, threats, and potential impacts on organizational assets, including systems, data, and infrastructure so they remain effective and aligned with industry best practices and regulatory requirements. Recommend improvements to strengthen the organization's ability to identify, assess, mitigate and respond to these risks. Leverage risk management tools and frameworks to provide a thorough analysis of risks and their potential consequences. Contribute to the development and enhancement of IT and cybersecurity risk management processes, procedures, and standards to ensure effective risk identification, evaluation, and mitigation. Collaborate with relevant stakeholders to integrate these processes into business operations, ensuring consistency and compliance across the organization.
• Provide regular reports to leadership and senior management on risk status, emerging threats, and mitigation progress. highlighting emerging risks, trends, and the effectiveness of existing mitigation efforts.
• Support security incidents if required, providing guidance on response strategies to minimize damage and ensure a swift resolution. Coordinate with relevant teams to ensure proper documentation and post-incident analysis for continuous improvement.
• Collaborate with leadership, IT, compliance, audit, first and second line of defense to integrate cybersecurity risk and risk mitigation strategies into business processes, ensuring effective and proactive risk management and alignment of risk assessment efforts with broader organizational objectives and risk management frameworks and ensure risk management practices meet regulatory standards and internal audit requirements. Support the preparation and response to audits, ensuring that risk controls are documented and effectively implemented.
• Assist leadership in prioritizing IT risk-related programs and initiatives based on their potential impact, urgency, and alignment with organizational goals. Ensure that high-priority initiatives are monitored in terms of IT risks and align with overall risk management objectives.
• Continuously assess and refine the organization’s risk management framework to ensure it addresses emerging threats, regulatory requirements, and industry best practices. Recommend enhancements to risk assessment methodologies and reporting processes to keep pace with evolving risks. Ensure clear and consistent communication of risk information across the organization, tailoring messages to various stakeholders. Develop and deliver risk awareness training for employees to foster a proactive risk culture and ensure informed decision-making at all levels. Communicate the results of cybersecurity risk assessments to senior management and key stakeholders, including potential risks, vulnerabilities, and recommendations for mitigation. Prepare detailed reports that present both technical and non-technical assessments in a clear and actionable manner.
• Lead post-incident risk assessments following security breaches or cyber incidents to assess the impact and recommend corrective actions. Provide insights into how these incidents could inform future risk mitigation strategies and improve overall cybersecurity posture. Oversee the delivery of the training and awareness programs to improve organizational understanding of cybersecurity risks and risk assessment practices. Promote a culture of proactive risk management across all levels of the organization, ensuring that employees are equipped to recognize and respond to cybersecurity threats.

What you should have:

• Undergraduate degree in Cyber Security, Computer Security, Information Systems Security, Computer Science or in a related field. An equivalent combination of education and/or experience can be considered.
• 7 years experience in IT Security and/or IT information working with risk management methods including risk assessment and mitigation.
• 3 years experience in providing leadership and direction to cybersecurity staff.
• Ability to independently apply risk frameworks (e.g., NIST, ISO) and advise on the application of these methods in a cybersecurity context.
• Knowledge of: impacts of cybersecurity lapses, including specific business functions and IT systems. Able to assess and provide actionable insights on how cybersecurity lapses affect business operations. security system resilience and how environmental or operational changes affect system performance. relevant cybersecurity laws and regulations, able to apply them within organizational contexts and ensure compliance.
• Experience in: managing risk in cybersecurity, including risk identification, mitigation, and communication to stakeholders. performing risk assessments, analyzing potential impacts, and providing actionable insights to senior leadership. applying cybersecurity and privacy requirements to business needs, ensuring compliance with relevant laws and standards. conducting risk analysis and feasibility studies, capable of evaluating trade-offs in cybersecurity projects and initiatives.
• Strong communication skills (oral and written) both in English and French with he ability to convey technical risk assessments and mitigation strategies to management and stakeholders (including senior management).

It would be great if you also had:

• A Certified Information Security Manager (CISM) will be preferred.
• A Certified Information Systems Security Professional (CISSP), GIAC Security Leadership (GSLC), GIAC Critical Controls Certification (GCCC) or other relevant IT Security licence, designation, or certificate.
• Experience and knowledge of security technologies such as identity management, computer forensics, application security and network security technologies.
• Experience and/or knowledge of recognized standards. E.g. NIST CSF, ISO 27001/27002, ITSG-33, OSFI B13, CIS, etc.
• The knowledge of Canadian laws and Government of Canada regulatory requirements and standards. E.g. Treasury Board, Office of the Superintendent of Financial Institutes, etc.

Posting closing date: Note, the competition will remain active until filled.

Our commitment to diversity, equity, and inclusion

We’re committed to employment equity and encourage women, Indigenous Peoples, persons with disabilities, veterans and persons of all races, ethnicities, religions, abilities, sexual orientations, and gender identities and expressions to apply. We also welcome applications from non-Canadians who are eligible to work in Canada.

CMHC is an inclusive workplace where diversity of thought – and of people – are recognized, valued, and considered essential to achieving our mission.

What happens after you apply

We know that applying for a new job can be both exciting and daunting, and we appreciate your effort. . If you are selected for an interview or testing, please advise us if you require an accommodation.

If you applied before and you were not successful don’t worry – we're always posting new positions, so don’t hesitate to give it another shot. We’re excited to see what you bring to the table this time around!