Join a role that's central to our technological controls and standards, offering a unique opportunity to shape the firm's tech controls strategy in alignment with various standards and regulatory requirements.

As a Tech Risk & Controls Director at JPMorgan Chase within the Cybersecurity Technology and Controls, you will be responsible for the firm’s control design, governance, standardization, and measurement across all the Cyber domains. Your primary focus will be leading and managing the Security Configuration Management domain. This role ensures that foundational and advanced controls across platform, network, endpoint and application security configuration are governed by clearly defined standards and measurable control objectives. This position blends deep technical understanding of controls and tooling with architectural oversight and governance rigor ensuring that the firm’s operational controls are consistently engineered, validated, and improved across both cloud‑native and on‑premises environments.

Job responsibilities

• Lead the development of technical control objectives and standards for Security Configuration Management and other Cyber domains.
• Define measurable performance and effectiveness metrics for each control category, integrating telemetry, automation, and operational metrics into governance dashboards.
• Partner with security engineering and operations teams to evaluate control sufficiency against threat models, regulatory expectations, and internal policies.
• Govern control implementation and sustainment across hybrid ecosystems (cloud, data center, and user endpoint environments), ensuring consistent security posture.
• Assess and guide integration of firm wide configuration drift monitoring tools (Evolven, Puppet, Chef, Wiz etc…) with JPMC's GRC ecosystem to align with standardized control objectives.
• Provide strategic insight into the control posture to architecture and risk governance leadership, driving continuous improvement in control effectiveness and efficiency.
• Collaborate across architecture, operations, and GRC teams to ensure security configuration, network and endpoint controls align with enterprise configuration standards, policies, and frameworks.

Required qualifications, capabilities, and skills

• Formal training or certification with 10+ years of experience in cybersecurity controls architecture, security engineering, or operations leadership (various Cyber domains).
• Proficient in designing or governing technical control frameworks across hybrid environments (AWS, Azure, on‑premises).
• Good knowledge of modern enterprise security toolsets and their control capabilities, including security configuration and drift management, network segmentation, endpoint protection, and detection/response.
• Hands on building and measuring technical control effectiveness through metrics, telemetry, and compliance automation.
• Exceptional communication and leadership skills with a track record of influencing technology strategy and control adoption at scale.
• Deep familiarity with NIST (800-53 and 800-128 are required), ISO, CIS, and zero‑trust control frameworks.

Preferred qualifications, capabilities, and skills

• Professional certifications such as Cloud Certifications (AWS Solutions Architect, AWS Security Specialist), CISSP, CISM, or GIAC.
• Experience designing metrics and governance frameworks for Security Configuration Management, SOC, network security, or endpoint control domains.
• Strong working knowledge of GRC tools like Archer, infrastructure as code, and control enforcement in dynamic and hybrid environments.

#CTC