Cyber Security Risk & Controls Metrics Analyst

Job Description

JPMorgan Chase & Co. (NYSE: JPM) is a leading global financial services firm with assets of $2.6 trillion and operations worldwide. The firm is a leader in investment banking, financial services for consumers and small business, commercial banking, financial transaction processing, and asset management. A component of the Dow Jones Industrial Average, JPMorgan Chase & Co. serves millions of consumers in the United States and many of the world's most prominent corporate, institutional and government clients under its J.P. Morgan and Chase brands. Information about JPMorgan Chase & Co. is available at
The Cybersecurity organization’s objective is to ensure that JPMC is able to effectively detect, prevent, and respond to cyber threats against our technology infrastructure.  The scope of Cybersecurity comprises detection and monitoring of threats and vulnerabilities, managing security incidents, and evolving our preventive infrastructure to keep ahead of the threat.  We accomplish this through strong information security leadership and active collaboration with line of business information risk managers to provide high quality security solutions and services that are focused on improving the Firm's risk posture.
The Governance, Risk and Controls (GRC) Practice, within the JPMorganChase Cyber Security Office, provides the focal point for definition and oversight of Cyber Controls, together with management of our regulatory and audit relationships. Working closely with the Corporate Technology Controls Organization, the practice includes our Technology Control Officer function, cross-discipline process improvement and management of Cyber’s internal and external Audit engagements.
Within GRC, the Risk and Policies Team provides leadership for the definition of common Cyber Control Objectives (‘CCOs’), based on threat mitigation and regulatory requirements, and applying these CCOs within the following processes:
  1. Cyber Risk Assessment (i.e. Cyber Threat mitigation modeling)
  2. Cyber Control Standards (i.e. Control requirements - the ‘must’ statements)
  3. Cyber Control Metrics (i.e. objective measurement of Control effectiveness)

By using common CCOs across these processes, we enable a holistic Cyber Controls Architecture, where Control Standards reflect Threat Mitigation needs, compliance against Standards is measured objectively via metrics, and control remediation priorities are identified (based on threat mitigation potential) via formal Cyber Risk Assessment.

In 2016, the team plans to aggressively apply this approach to each of the three processes described above. Central to the plan is a complete rebuild of the Firmwide Cyber Security Control Metrics, closely integrated with the re-delivery of corresponding Standards, over a period of approximately 18 months. This role will initially be part of a small team, leading the Metrics design activity for selected areas of Cyber Policy. The project will involve partnering with Cyber Standards Owners, Practice Leads and Technology Owners and will include identification of appropriate Control Metrics, partnering with Subject Matter Experts, designing new or revised Metrics and sponsoring the draft materials through both proof-of-concept and approval.

Whilst the focus of the role will initially be on Control Metrics, we are looking for rounded risk expertise that can equally be applied to threat mitigation/risk assessment and control/standards design. Equally important is the ability to effectively communicate, present and influence a variety of stakeholders (e.g. Cyber and other SMEs, LOB representatives, Senior Management) to gain consensus and achieve objectives.

  • Experience in Risk Assessment and IT Controls Management methodologies, with knowledge of Industry Standards including NIST CSF, ISO27000, COBIT 5, etc., an advantage.
  • Good cross-discipline knowledge of technology, preferably from a major financial services institution.
  • A demonstrated ability to identify, articulate and design robust, effective Technology Controls and to design and deliver appropriate KPI/KRI Metrics able to accurately articulate a risk posture based on those controls. Knowledge of the JPMorganChase ITRisk Policies, Standards and Controls framework is an advantage but not essential.
  • A demonstrated excellence in written and verbal communication skills. You are clear, precise, detailed and able to convey complex topics or requirements in simple terms, without losing necessary accuracy. You possess excellent presentation skills and use of tools (i.e. PowerPoint) to all levels in an organisation, including senior management.
  • Effective organization and leadership skills (of working groups of SMEs to identify and distil key items etc.), the ability to negotiate and influence effectively.
  • A mature, pragmatic outlook, with the ability to balance the conflicting needs of compliance, risk management, expediency and business objectives, to ensure that the Firm’s ITRisk Standards Metrics are Applicable, Appropriate and Actionable by our Technology & Operations communities.  
  • Collaborative, engaging, helpful and a strong Team Player.
  • Able to work under pressure, deliver against inflexible deadlines and with a high degree of precision.
  • Able to multi-task, to maintain progress on multiple, significant work streams concurrently.
  • A precisionist with perspective – able to work with detail when needed but without losing sight of “the big picture”.
  • A self-starter, able to prioritise, to work without direct supervision [once briefed], to lead a collaborating Team of specialists. 
Req #: 160007358
Location: Wilmington, DE US
Job Category: Technology
Employment Type: Full Time
Potential Referral Amount: 5000 US Dollar (USD)

Join our Talent Community

Not ready to apply? Leave your information with us and we will keep you up to date with new career opportunities.

Privacy Statement

Any information you provide is confidential and will only be viewed by our recruiters in an effort to fill open positions. In addition, the information you provide is subject to our privacy policy practices.

Please note that J.P. Morgan will not accept unsolicited approaches or speculative CVs, nor will J.P. Morgan be responsible for any related fees, from Third Party Firms who are not preferred suppliers.

The firm invites all interested and qualified candidates to apply for employment opportunities.

Need disability related assistance?

If you are a US or Canadian applicant with a disability who is unable to use our online tools to search and apply for jobs, please contact us by calling (US and Canada Only) 1-866-777-4690. Please indicate the specifics of the assistance needed.
