Role Overview

The Lead Information Security Officer for Asset Management is a critical leadership position responsible for defining, implementing, and overseeing the comprehensive information security and cybersecurity risk posture specifically within the Asset Management Private business. This role is pivotal in balancing commercial objectives with robust security controls, ensuring the division's resilience against an evolving threat landscape, and protecting client assets and data.

This leader will directly manage and provide strategic direction to teams responsible for Governance, Risk & Compliance (GRC), Application Security & Advisory, and Product Security functions within Asset Management. Crucially, this role also involves the oversight and guidance of embedded Technology Risk Officers who are assigned to various Asset Management Private business vertical. The objective is to foster a unified and proactive approach to risk management, ensuring regulatory compliance, and enabling secure technological innovation across all Asset Management initiatives.

Key Responsibilities

• Work with internal application development teams that are developing the next generation of critical business applications, enable them to understand Information Security and Business Resiliency control requirements, and advise on the integration of these controls into their applications
• Collaborate with the global Application Security Risk, Business Continuity, Risk Measurement, and other global Technology Risk teams to develop and integrate best-in-class security and resiliency controls and practices.
• Communicate the impact of technology risks and the approach to mitigation/acceptance and provide risk assessment and advisory services to technology engineers, and technology and business management.
• Assess existing applications for design-related security risks and assist teams in determining appropriate remediation steps
• Provide guidance to engineering leadership and application developers on existing and emerging threats in the web and mobile application space.
• Drive adoption of embedded application security controls as part of the Software Development Life Cycle (SDLC).
• Provide deep subject matter expertise to application teams in secure application design and development approaches and techniques.
• Contribute to the technical understanding, adoption and convergence of information security standards, solutions and tools.
• Work with engineers to develop customized security testing strategy to complement the existing security testing program managed by Technology Risk.

Skills and Experience Required

• Experience: 5+ years of progressive experience in Multi domain Information Security experience such as vendor security, application security, vulnerability management, data loss prevention, data encryption, and infrastructure security.
• Regulatory & Risk Expertise: Expert knowledge of global financial regulations (e.g., SEC, FINRA, GDPR, CCPA) and proven experience applying risk management methodologies such as FAIR (Factor Analysis of Information Risk) or similar frameworks.
• Leadership & Management: Proven ability to build, mentor, and lead high-performing global teams of security professionals.
• Program Management: Proven track record involving collaboration with engineering, technology, second line risk functions and audit partners to deliver projects and facilitate resolution of audit issues within committed timelines.
• Communication: Exceptional written and oral communication skills, with the ability to articulate complex technical risks and solutions clearly to both technical and executive audiences.
• Risk Management: Expertise in performing risk assessments, identifying gaps in compliance with information security policies, and recommending effective mitigation strategies.
• Security Standards: Familiarity with leading security standards and frameworks such as NIST, OWASP, SANS Top 20, PCI DSS, and CIS Controls.

Technical Depth: Expertise in Technology Risk data analytics (metrics reporting and dashboarding) and Reviewing Software Development Lifecycle best practices e.g., code reviews, vulnerability scan report analysis to advise application development teams on for secure practices and frameworks, and other application security best practices

Preferred Qualifications

• BS or MS degree in Computer Science, Cyber Security, Information Security, or a related technical field.
• Relevant industry certifications such as CISSP, CISM, CRISC, CISA, or cloud-specific security certifications (e.g., AWS Certified Security – Specialty).
• Experience with leveraging AI/ML to solve security problems and scale operations.
• Knowledge of secure coding languages (e.g., Python, Java, Go).

ABOUT GOLDMAN SACHS

At Goldman Sachs, we commit our people, capital and ideas to help our clients, shareholders and the communities we serve to grow. Founded in 1869, we are a leading global investment banking, securities and investment management firm. Headquartered in New York, we maintain offices around the world.

We believe who you are makes you better at what you do. We're committed to fostering and advancing diversity and inclusion in our own workplace and beyond by ensuring every individual within our firm has a number of opportunities to grow professionally and personally, from our training and development opportunities and firmwide networks to benefits, wellness and personal finance offerings and mindfulness programs. Learn more about our culture, benefits, and people at GS.com/careers.

We’re committed to finding reasonable accommodations for candidates with special needs or disabilities during our recruiting process. Learn more: https://www.goldmansachs.com/careers/footer/disability-statement.html

© The Goldman Sachs Group, Inc., 2023. All rights reserved.

Goldman Sachs is an equal opportunity employer and does not discriminate on the basis of race, color, religion, sex, national origin, age, veterans status, disability, or any other characteristic protected by applicable law.