The Opportunity

This role will be accountable for establishing and maintaining a cyber risk quantification methodology and will work closely with key cyber and IT governance teams including the ETX Governance and Risk team and the Security Intelligence team to ensure changes to internal controls and the external cyber threat landscape are factored into our cyber risk calculations.

The Team

The Cyber Risk Quantification Consultant sits within MassMutual’s Enterprise Technology Experience (ETX) division, within the Enterprise Cyber Security (ECS) department and focuses on building our Cyber Risk Quantification efforts to effectively measure and report on changes and contributing factors to the MassMutual’s cyber risk level.

The Impact

• Establish a cyber risk quantification methodology that effectively details inputs, outputs, and measurements for cyber risk at MassMutual.
• Identify appropriate sources for cyber risk reporting and opportunities for automation of data inputs/outputs.
• Participate in the maintenance and continuous improvement of the cyber risk register based on knowledge of the business, cyber threat landscape, and National Institute of Standards and Technology (NIST) cybersecurity frameworks.
• Partner with the ETX Governance & Risk and Security Intelligence teams to ensure results from controls effectiveness testing are captured as part of residual risk calculations and that emerging cyber threats are factored into inherent cyber risk calculations.
• Utilize IT and cyber risk subject matter expertise, understanding of the financial services industry, and collaboration with peers to properly advise on suitable actions to take to reduce risk.
• Work with ETX Risk and BISO teams to track open mitigations as part of the cyber risk register and hold business owners accountable for completing risk mitigation activities.
• Collaborates closely with the Security Intelligence team to understand changes in the cyber threat landscape and determine potential impact to MassMutual’s inherent cyber risk score. 
• Collaborate with second- and third-line control areas including Corporate Audit, Financial Risk Reporting, and Enterprise Risk.
• Interface with internal team members and key stakeholders to provide accurate visibility into cyber risks, including partnering with Data Science, as needed.
• Collaborates with members of ECS and other risk areas including Enterprise Risk Management
• Communicate and champion the program roles and initiatives.
• Prepare risk reporting dashboards and recommend/build enhancements to ensure consistent alignment with risk environment changes and updates.
• Quantify and prepare metrics to demonstrate residual risks, prioritize remediation actions, and/or outline and facilitate criteria for risk acceptance.
• Work with cyber security function leadership to prepare and report Key Risk Indicator (KRI) data for dashboards and metrics.

Minimum Qualifications

• Bachelors degree
• 8 years in Cyber Security, Technology Risk Management, Cyber Security Program Management, or a related field.
• 1 year with all aspects of cyber-security risk including - identification, analysis, quantification, and remediation strategies.
• 1 year with MITRE ATT&CK and Cyber Kill Chain, including Tactics, Techniques, and Procedures (TTPs)
• 1 year with threat modeling or other mechanisms for identifying internal cyber risk.
• 1 year of applied knowledge of cybersecurity risk and control frameworks such as NIST CSF, NIST 800-53, CMMC, ISO 27K series, CIS Critical Security Controls, CSA Cloud Control Matrix, etc.

Preferred Qualifications

• Possession of or willingness to pursue related certifications (CRISC, CCSP, CISSP, etc.)
• Exceptional relationship management – building and maintaining collaborative partnerships across all levels of an organization.
• Strong communication skills and ability to influence others.
• Proven ability to articulate the why and to enable fact-based decision making.
• Excellence in Execution – Ensuring commitments are met and ensuring key stakeholders are constantly informed of status.
• Strong leadership qualities and business acumen and an ability to communicate with all levels of the organization.
• Strong written and verbal communication skills
• Self-starter who is willing to take on new challenges in response to the changing cyber threat landscape.
• Excellent written and verbal communication skills.
• Demonstrated success in guiding and influencing sound cyber risk and security remediation strategies aligned with core business objectives and risk appetite.
• Ability to deal with the ambiguity associated with working in a fast paced and changing environment.
• Experience or knowledge in life insurance and/or financial services products and services.
• Business acumen experience in key enterprise technology and business areas.

#LI-RK1

MassMutual is an Equal Employment Opportunity employer Minority/Female/Sexual Orientation/Gender Identity/Individual with Disability/Protected Veteran. We welcome all persons to apply. Note: Veterans are welcome to apply, regardless of their discharge status.
If you need an accommodation to complete the application process, please contact us and share the specifics of the assistance you need.