Manager, Cyber & IT Risk, Tangerine GRM

Requisition ID: 260240

Tangerine is Canada’s leading direct bank. We offer flexible and accessible banking options, innovative products, and award-winning Client service. The reason why Tangerine employees come to work each day is to help Canadians live better lives. We focus on making a difference in our communities, and that includes our own internal community. It’s important to us that our employees feel empowered and enthusiastic about belonging to our Orange culture.

Contributes to the successful development and execution of a second line of defense program for Cyber Security and IT Risk Management within Tangerine. Assesses risk management practices carried out by the first line of defense and provides effective challenge and oversight. Undertakes quantitative analysis of threat and vulnerability scenarios which may impact IT systems operations as well as business processes supporting the Bank’s multiple delivery channels. Ensures all activities are conducted in compliance with governing regulations, internal policies and procedures. Contributes to the overall success of a second line of defense function within Tangerine Global Risk Management (GRM).

Accountabilities

• Champions a customer-focused culture throughout their team to deepen client relationships and leverage broader Bank relationships, systems and knowledge.
• Execute 2nd Line Challenge: Conduct comprehensive and objective evaluation of risk management practices carried out by the first line of defense to identify potential threats and vulnerabilities in the Bank’s processes, systems and operations. Ensure that Tangerine’s processes and controls relating to Cyber Security and IT risks are sufficient to maintain the consistent operation of systems, the continuous availability and integrity of data and the confidentiality of sensitive information. Partner with 1st line of defense to develop risk mitigation strategies across key Cyber & IT domains. Challenge IT and Cybersecurity risks within scenario analysis and thematic reviews. Deliver risk assessments, metrics and controls within a complex and constantly evolving digital bank.
• Control Evaluation: Evaluate the design of controls and communicate the impact of control weaknesses to first line teams and control implementers.
• Alignment Evaluation: Evaluate the extent to which the first line of defense is aligned with internal and external control standards, as well as regulatory and audit requirements.
• Framework Knowledge: Act as subject matter expert in one or more industry-standard risk management frameworks (including CIS Benchmarks, NIST, ISO27001) and understand cyber risk mitigation strategies.
• Stakeholder Advisory: Advise stakeholders on risk management, controls development, and adherence to mitigate risks.
• Risk Monitoring: Monitor key risk indicators, analyze control metrics, and provide insights on risk management effectiveness to management, driving continuous improvement initiatives. Monitor cybersecurity risks and the controls in place within the bank, as well as external cybersecurity reporting that may impact the bank.
• Reporting: Support IT and Cyber Risk reporting for various risk committees and senior management as required.
• Understand how the Bank’s risk appetite and risk culture should be considered in day-to-day activities and decisions.
• Collaborate with internal and external partners to ensure information sharing and support complementary and contrasting risk oversight initiatives as appropriate.
• Support the identification and reporting submissions for Tangerine IT Risk related information for regulatory requirements.
• Actively pursue effective and efficient operations of their respective areas in accordance with Scotiabank’s Values, its Code of Conduct and the Global Sales Principles, while ensuring the adequacy, adherence to and effectiveness of day-to-day business controls to meet obligations with respect to operational, compliance, AML/AFT/sanctions and conduct risk.

Do you have the skills that will enable you to succeed in this role? - We'd love to work with you if you have:

• Strong expertise in IT Risk Management, with experience spanning multiple domains (e.g. Logical Access, Data Leakage, Disaster Recovery, Change Management, Incident Management)
• Experience with Cybersecurity Risk Management is preferred
• A minimum of 7 years of experience in technology risk management departments, preferably in a financial institution
• Industry certifications desirable (e.g. CRISC, CISA, CISSP)
• Advanced knowledge of relevant regulatory rules (OSFI, FFIEC, NYDFS 500) and frameworks (NIST, COBIT) is preferred
• 5+ years of experience or equivalent expertise in technology risk management, information security, or a related field, with a focus on risk assessment and control evaluation
• Demonstrated expertise in regulatory compliance, risk management frameworks, and industry best practices (e.g., NIST, ISO, FFIEC, GDPR)
• Proficiency in data security, risk management & controls, security governance, and analytical thinking, with a track record of implementing effective risk mitigation strategies
• Advanced knowledge of data analytics and data literacy