Information Security Risk Manager

Washington DC, United States

Hogan Lovells

One of the world's top law firms advising on corporate, finance, litigation, regulatory and IP law, at the intersection of business and government. Wherever you do business, our lawyers are nearby.


The Information Security Risk Manager, under the direction of the Head of Global Information Risk, is tasked with protecting information assets in support of Hogan Lovells' business objectives and in conformity with firm policies. The Information Security Risk Manager is a core member of the broader Information Security Team and is tasked with continually improving the security posture of Hogan Lovells by providing security-related guidance, developing and assessing compliance with security policies and standards, executing the security risk management approach, and evangelizing security matters throughout the company. The Information Security Risk Manager will manage a program to identify, classify, remediate, and mitigate security risks and vulnerabilities throughout the firm.

JOB DESCRIPTION

The Information Security Risk Manager will be responsible for maturing and maintaining the firm’s Risk Management Program through the use of supporting GRC solutions, identifying and managing risk resulting from having performed risk assessments and communicating the firm’s IT and cybersecurity risk posture to both internal and external stakeholders.

The ideal candidate will possess the skills necessary to develop and maintain the requisite inputs and outputs from the firm’s risk management program on an on-going basis, to include:

  • Maintaining the firm’s IT / Security Risk Register and liaising with Privacy and ORM/ERM stakeholders to ensure alignment
  • Developing mature, audience-appropriate metrics that convey the firm’s risk posture
  • Developing or leveraging existing risk assessment templates, security questionnaires and surveys to aid in the effective execution of risk assessments in order to support the firm’s relevant certifications
  • Conducting targeted risk assessments to assess process maturity and impact to the organization
  • Recommending security controls and/or corrective actions for mitigating technical and business risks
  • Managing projects and enhancement solutions that result from assessment findings and recommendations
  • Researching, identifying, and consulting with subject-matter experts to recommend risk mitigating solutions
  • Managing and maintaining exceptions to the firm’s established policies, standards and industry norms
  • Developing trend reporting to identify areas of focus and risk concentration
  • Maintaining the firm’s security policies and standards while performing assurance activities to assess firm-wide compliance
  • Continually seeking to improve the firm’s security risk assessment methodology to make it more efficient and effective
  • All members of the firm are encouraged to participate in our Global Responsible Business program
  • Other duties as assigned

QUALIFICATIONS/REQUIRED SKILLS

  • Working knowledge of established cyber security risk management concepts, control standards, technologies and frameworks (NIST RMF/CSF, ISO 27001:2022, ISO 27005:2022, etc.)
  • General understanding of GRC and information security fundamentals and industry best practices related to the protection of information, such as exception handling, policy development and maintenance and engagement with auditors in relation to these business processes
  • Experience documenting business processes, policy and/or standards
  • Proven track record of supporting, preferably managing, a Risk Management Program with supporting metrics and escalation strategies
  • Ability to communicate information about the vision and direction of our information security program to firm leadership and business stakeholders
  • Strong verbal and written communication skills, including the ability to translate risk management concepts into business language
  • Must be able to communicate clearly and effectively with people from all levels of the firm while handling multiple priorities
  • Must be highly organized and driven, work well with others, be process- and solutions-oriented, and have an absolute commitment to excellence and integrity
  • Ability to visualize, plan, and execute on areas of process improvement that increase the efficiency and delivery of our security capabilities

EDUCATION, CERTIFICATIONS, AND/OR EXPERIENCE

  • Five (5) to seven (7) years’ experience total across information technology, information security, and program management domains
  • Three (3)+ years’ experience in risk management and security governance
  • Experience performing risk assessments and managing risk, developing risk-based strategy, and driving results based on risk-based fundamentals
  • Information security certifications preferred (CISSP, CISA, CRISC, etc.)

HOURS

Core hours are Monday through Friday, 9:00 a.m. to 6:00 p.m. Must be flexible to work additional hours.

Washington, DC: The annualized salary range for this position is $169,445 to $188,775 depending on the candidate's overall experience and other job-related factors permitted by law.

Full-time employees may be eligible for a discretionary bonus. In addition, full-time employees, as well as some part-time employees, will be eligible for the firm’s fringe benefits as they currently exist. Please find out more about our benefit programs here: https://www.hoganlovells.com/en/global-careers/careers-in-the-united-states/career-categories/professional-services/roles/benefits

This job description sets forth the responsibilities of this position and may be changed from time to time as shall be determined.

Hogan Lovells is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, pregnancy, age, national origin, disability, sexual orientation, gender identity or expression, marital status, genetic information, protected Veteran status, or other factors protected by law.

Hogan Lovells complies with federal and state disability laws and makes reasonable accommodations for applicants and candidates with disabilities. If reasonable accommodation is needed to participate in the job application or interview process, please contact our Benefits Department at LeaveofAbsence_US@hoganlovells.com.

Tags: CISA CISSP Compliance CRISC Governance ISO 27001 ISO 27005 NIST Privacy Risk assessment Risk management RMF Strategy Vulnerabilities

Perks/benefits: Career development Flex hours

Region: North America
Country: United States