Chief Auditor - Cyber & Information Security
Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management. Our core activities are safeguarding assets, lending money, making payments and accessing the capital markets on behalf of our clients.
Citi's Mission and Value Proposition explains what we do and Citi Leadership Standards explain how we do it. Our mission is to serve as a trusted partner to our clients by responsibly providing financial services that enable growth and economic progress. We strive to earn and maintain our clients' and the public's trust by constantly adhering to the highest ethical standards and making a positive impact on the communities we serve. Our Leadership Standards are a common set of skills and expected behaviors that illustrate how our employees should work every day to be successful and that strengthen our ability to execute against our strategic priorities.
Diversity is a key business imperative and a source of strength at Citi. We serve clients from every walk of life, every background and every origin. Our goal is to have our workforce reflect this same diversity at all levels. Citi has made it a priority to foster a culture where the best people want to work, where individuals are promoted based on merit, where we value and demand respect for others and where opportunities to develop are widely available to all.
Description:
Citi Internal Audit: Internal Audit is a global organization of over 1700 professionals covering Citi's global businesses and service to clients and customers in over 180 countries. Citi's Internal Audit division provides independent assessments of the company's governance, risk management and internal control environment for key stakeholders including the Board of Directors, senior management and Citi's numerous regulators globally. Internal Audit is a change agent within Citi aimed to enhance the control culture of Citigroup worldwide and thereby support senior management decision making around the globe.
Role Summary:
The Chief Auditor - Cyber and Information Security serves as the authoritative body for providing independent third-line assurance that the cyber threats faced by the firm have been properly understood, assessed and mitigated via first line information security defensive programs and second line assurance activities. This role will be responsible for:
- Development and completion (and ongoing update) of an effective audit strategy and plan (including budgets) that provides thorough, risk based coverage for addressing Cyber and Information Security risks across Citi;
- Effectively reviewing and challenging first and second line cyber and information security assessments;
- Engaging, building and managing relationships with the CISO, senior technology and business management, and the Second Line Cyber Risk Management function;
- Leading and developing a team of Cyber and Information Security auditors globally;
- Working closely with Product, Function and Regional Chief Auditors to ensure delivery of a plan of work that provides assurance over the Cyber and Information Security risks;
- Providing regular updates and briefings on audit perspectives of Cyber and Information Security Risks to Senior Management, Board Sub-Committees etc.; and
- Interacting with regulators across the globe to provide updates and briefings on audit perspectives of Cyber and Information Security.
In order to carry out these responsibilities, the incumbent must have excellent interpersonal and written communications skills, and deep understanding and knowledge of Cyber and Information Security matters. Critical thinking is a key requirement of the role, as themes related to risks and issues around the organization will be identified and presented to key stakeholders, such as senior management, the Audit Committee, regulators and external audit functions. The position requires a wide ranging, yet detailed knowledge of technology and banking, as well as a strong understanding of the fundamental risks associated with a large commercial and investment bank. The role will entail considerable coordination of resources and will therefore also require strong people management and communication skills.
Knowledge/Experience:
• Demonstrated experience in managing large global teams and managing integrated internal audit and assurance delivery.
• Strong understanding of cyber risk management and ability to effectively communicate cyber risk functions to executives
• Experience developing Cyber audit assessments and testing criteria, tools and methodologies
• Advanced level experience in a Technology or Cyber/ Information Security audit or business/technology related role with extensive experience in business, functional and people management, with proven abilities in taking responsibility for executing concurrently on a portfolio of high quality deliverables according to strict timetables.
• Subject matter expertise regarding Information Security discipline.
• Prior experience of conducting cyber risk audits and presenting results to management
• Knowledge of cyber regulations for FS industry
• Knowledge of cyber risk controls
• Experience in developing control testing processes
• Understanding of industry best practices (e.g., NIST, ISO, COBIT, SANS Top 20)
• Proven knowledge and experience of risk issue management criteria, tools, and methods
• Understanding of how risks and control deficiencies need to be prioritized and remediated across the first line
Skills/Competencies:
• A self-aware, self-confident individual who has well developed listening skills, and a strong ability to engage a group of accomplished business unit heads by providing proactive advice on a variety of audit matters while carefully balancing the independent requirements of the IA function. Able to analyze and think through highly complex issues, but then appropriately execute and implement against a well thought through framework in a seamless manner; Fluent in oral and written English; Excellent communication skills.
• Effective negotiation skills, a proactive and 'no surprises' approach in communicating issues and strength in sustaining independent views. This individual must be an articulate and effective communicator, both orally and in writing, with an energetic, charismatic and approachable style.
• Strong interpersonal skills for interfacing with all levels of internal and external audit and senior management. Personal presence, intellect, energy and drive to succeed in a high-performance environment.
• Strong leadership skills with a proven track record in managing teams and making a positive impact on the organization. A global citizen who is comfortable in all geographies, regions and cultures.
• Self-motivated and goal-oriented with the ability to seize the initiative, garner consensus and develop and implement an effective strategy. Demonstrates a high level of analytical rigor in formulating strategies, objectives and measuring results. Operates with passion and real drive when pursuing goals.
• Sense of urgency in implementing programs and evaluating priorities; decisive, action-oriented and practical. Willingness to challenge and question the status quo, making recommendations for options and best solutions.
Responsibilities:
• Drives the strategic direction of Citi's Internal Audit (IA) function in the establishment of an audit coverage strategy for Cyber and Information Security risks, which include reporting methodologies, organizational design and effective positioning of the function to ensure provision of independent assurance. This is to be consistent and aligned with Citigroup and Citibank business objectives.
• Uses excellent communication, leadership and strong management skills to influence a wide range of internal audiences including respective product, function, or regional executive management partners and external audiences including regulators and external auditors. Frequently engages in both internal and external negotiations which will have a major impact on the function, and on the organization as a whole.
• Directs audit activities supporting a product line, function, or legal entity at the global or regional level, in accordance with IA standards, Citi policies, and local regulations. Responsible for providing valued and timely independent assurance on the design and operating effectiveness of a product, function, or legal entity at a global or regional level.
• Responsible for the delivery of high quality, value-added multiple concurrent audits on time and to specification.
• Ensures the delivery of audit reports that are complete, insightful, timely, error free and concise.
• Ensures timely delivery of high-quality comprehensive regulatory and internal audit issue validation, and where determined appropriate issue validation on other remediation actions, including issues arising from the external auditors, consultants and other parties.
• Contributes towards the delivery of high impact reports of IA's contributions to executive management, regulators, and Citigroup and Citibank boards' sub-committees, developing trend analyses and thematic reporting.
• Manages multiple teams of professionals. Recruits staff, develops talent, builds effective teams, and manages a budget. Identifies internal talent and fills key positions, attracts talent with required expertise to meet the risk profile of the business, builds deep bench strength and develops appropriate succession plans.
• Possesses a broad and comprehensive understanding of multiple disciplines (Audit, Risk, Technology, Information Security, Compliance, and Training) and of different Audit standards, policies and local regulations; applies a broad and comprehensive understanding of high risk areas.
• Leads the delivery of learning and development programs and is a recognized leader in training and developing others.
• Develops approaches to promote knowledge sharing and promulgates management best practices across Internal Audit and both Citibank and Citigroup.
• Delivers cost effective and efficient management of audit teams and audit engagements.
• Ensures IA anticipates/meets/exceeds the requirements and expectations of Citibank's and Citigroup's regulators.
• Works closely and collegially within IA and with line management and control functions to ensure efficient and effective provision of independent audit assurance.
• Collaborates across businesses and functions to improve the identification, quantification, measurement, management, reporting and controls in governance, risk management and internal control environments.
• Takes responsibility and accountability for audit's coverage and reporting on common high risk areas such as KYC, AML, Fraud, Technology, Sanctions, and Consent Orders and other enforcement action compliance.
• Actively supports and drives the IA's and management's efforts for Citi to have a "Strong" internal audit function and for Citi to have "Strong" control functions.
• Fully supports and endorses the Quality Assurance function of Internal Audit and promptly accepts and remediates deficiencies found by QA.
• Ensures the adoption of the appropriate portions of the Citigroup and Citibank Audit Committee Charters and the Internal Audit Charter for applicable legal entities.
• Proactively advances integrated auditing concepts. Leverages Internal Audit's Centres of Excellence to improve audit processes and coverage.
Qualifications:
Bachelor of Science or equivalent; Masters preferred.
Related certifications (CISSP, CISA or similar) are a plus.
Computer Science or Computer Engineering qualification and Certifications in the Cyber/Infosec area will be an advantage.
Job Family Group: Internal Audit
Job Family: Audit
Time Type:
Citi is an equal opportunity and affirmative action employer.
Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
Citigroup Inc. and its subsidiaries ("Citi") invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi