Senior Cyber Hygiene Governance/ Engineer Operations


Frankfurt am Main, full-time, no remote work possible
Welcome to the team as Senior Cyber Hygiene Governance / Engineer Operations

The company:

Commerzbank is the leading bank for the Mittelstand and, with a comprehensive portfolio of financial services, a strong partner for corporate client groups and private and small-business customers in Germany. We are a bank characterized by a fair and cooperative relationship with one another and with our customers. We appreciate working in inspiring teams of people from diverse backgrounds. We offer a creative environment and excellent career development opportunities. Work-life balance is very important to us. And of course, we know that a good job also includes an attractive salary.

Responsibilities:

Governance Framework & Policies
- Design, maintain and continuously improve the cyber hygiene governance framework (policies, standards, SLAs, RACI, exception and risk acceptance processes)
- Ensure that cyber hygiene requirements are clear, consistent and operationally implementable (especially for vulnerability, patch and baseline configuration management)

Regulatory Requirements & Compliance
- Translate regulatory and 2nd Line of Defense requirements (e.g. DORA, BAIT, MaRisk, NIS 2, PCI-DSS, SOC2-like frameworks) into concrete cyber hygiene controls and control objectives
- Regularly assess the effectiveness of implemented controls, identify control gaps and drive remediation measures

Audit Preparation and Support
- Act as central point of contact for Internal Audit, external auditors and supervisory authorities on cyber hygiene topics
- Plan, coordinate and support audits and reviews (incl. preparing stakeholders, providing evidence, creating overviews and mappings of controls)
- Ensure audit-proof documentation of controls, roles, processes, decisions, exceptions and risk acceptance cases
- Support definition, evaluation and follow-up of audit findings, management actions and remediation plans until closure

Reporting, KPIs & KRIs
- Define, evolve and maintain KPIs, KRIs, scorecards and reporting models for cyber hygiene, including an audit and compliance perspective
- Prepare executive-ready reports for CISO, Risk Management, Compliance, Internal Audit and steering committees

Interface to Security Problem Management
- Ensure that structural insights from Security Problem Management (root causes, trend analyses, recurring weaknesses) are reflected in governance artefacts and control requirements
- Support prioritisation of issues with high relevance for audits and regulatory compliance

Advisory, Training & Awareness
- Advise business and IT stakeholders and senior management on cyber hygiene governance, controls and audit expectations
- Develop and deliver guidelines, training and FAQs on governance and audit requirements related to cyber hygiene
- Coach Junior and Regular Governance Specialists, especially on audit-ready documentation and interaction with auditors

Profile:

Professional Experience
- Several years of experience in cyber security governance, IT risk management, internal/external audit or comparable roles in regulated industries (ideally financial services / critical infrastructure)

Technical & Domain Knowledge
- Deep knowledge of relevant security frameworks and regulatory requirements (e.g. ISO 27001/2, DORA, BAIT, MaRisk, NIS 2, PCI-DSS, SOC2-like frameworks)
- Strong understanding of cyber hygiene controls (vulnerability, patch and configuration management) and how to evidence them to auditors and regulators
- Experience in control design and assessment (design & operating effectiveness) and in deriving remediation measures from audit findings
- Experience with defining and using KPIs/KRIs for governance and audit-related reporting

Methodological & Personal Skills
- Strong strategic, conceptual and systemic thinking with a focus on traceability, auditability and sustainability of solutions
- Excellent communication, facilitation and stakeholder management skills, especially in dealing with Audit, supervisory bodies, CISO, Risk Management and IT
- High resilience and professionalism in critical audit and escalation situations

Languages & Certifications
- Excellent English skills (written and spoken); German is a strong plus
- Relevant certifications are an advantage (e.g. ISO 27001 Lead Implementer/Lead Auditor, CISM, CRISC, CISA)

Contact:

Would you like to become a member of a strong and dedicated team? If so, please submit your application online. If you have any further enquiries about this role, please contact Linh Jasmin Vo at +49 69 935349407 or email her at linhjasmin.vo@commerzbank.com.

Contact details:

Commerzbank AG Recruiting-Team