Risk Assessment Lead - Cybersecurity Risk Oversight

The Risk Assessment Lead serves as a key member of the Cybersecurity Risk Oversight team within the Second Line of Defense (2LoD). This role is accountable for independently assessing and challenging First Line Technology and Information Security practices to ensure effective risk management and regulatory compliance.

This position requires a senior professional who can operate with a high degree of autonomy, prioritize work based on material risk, and influence outcomes through strong technical expertise and stakeholder engagement.

Key Responsibilities:

Risk Oversight & Independent Challenge

• Provide independent oversight and credible challenge across Technology and Information Security domains including governance, controls, risk assessments, metrics, and issue management.

• Perform risk-based assessments to identify control gaps, thematic risks, and emerging threats.

• Develop independent risk opinions supported by analysis, evidence, and professional judgment.

• Evaluate alignment with applicable laws, regulations, and industry frameworks (e.g., NIST, FFIEC, PCI).

Risk Management & Framework Execution

• Partner with business and risk stakeholders to support the implementation and maintenance of effective risk management frameworks.

• Identify gaps in processes, systems, controls and drive solutions to minimize risk exposure.

• Ensure risks are actively identified, monitored, escalated, and remediated as appropriate.

• Influence policies and procedures to strengthen the control environment and reduce regulatory risk.

Stakeholder Engagement & Communication

• Build and maintain strong relationships with First Line stakeholders while maintaining independence and objectivity.

• Provide clear, concise, and executive-ready communication of risk posture, key issues, and trends.

• Engage senior leadership to support risk-informed decision making.

• Translate complex technical risks into actionable business insights.

Leadership & Organizational Impact

• Lead, coach, or mentor risk and security professionals; support talent development and team capability.

• Contribute to strategic initiatives impacting enterprise technology, security and risk programs.

• Act as a subject matter expert on technology and cybersecurity risk and regulatory expectations.

• Promote a strong risk culture emphasizing accountability, transparency, and continuous improvement.

Basic Qualifications
- Bachelor's degree, or equivalent work experience
- Typically more than 10 years of applicable experience

Preferred Skills/Experience

• Advanced knowledge of information security domains (e.g., identity and access management, application security, cloud security, vulnerability management, incident response)

• Strong understanding of regulatory requirements and industry standards (e.g., NIST, FFIEC, PCI, and risk management frameworks)

• Experience performing risk assessments, control evaluations, and oversight activities

• Advanced understanding of business operations, systems, and associated risks and controls

• Ability to operate independently with strong judgment and professional skepticism

• Strong analytical, problem-solving, and decision-making skills

• Excellent written and verbal communication skills, including executive-level messaging

• Proven ability to influence stakeholders and challenge effectively without direct authority

• Strong leadership and management skills across people, processes, and projects

• Experience operating within Second Line of Defense, audit, or regulatory environments

• Relevant certifications (e.g., CISSP, CISA, CRISC, CISM) preferred

• Advanced knowledge of regulatory environment and trends in financial services

This role requires working from a U.S. Bank location three (3) or more days per week.