
Global payments and technology company
Manager, Risk Management at Mastercard
About the role
Our Purpose
Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we’re helping build a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential.
Title and Summary
Manager, Risk Management
Overview:
Who is Mastercard?
Mastercard is a global technology company in the payments industry. Our mission is to connect and power an inclusive, digital economy that benefits everyone, everywhere by making transactions safe, simple, smart, and accessible. Using secure data and networks, partnerships, and passion, our innovations and solutions help individuals, financial institutions, governments, and businesses realize their greatest potential. With connections across more than 210 countries and territories, we are building a sustainable world that unlocks priceless possibilities for all.
Mission First, People Always
Corporate Security is responsible for keeping Mastercard safe and secure from cyber and physical threats. We are a highly effective team protecting a major component of global payments infrastructure. Our Security Risk and Control Operations team is at the forefront of this effort in the “1st Line of Defense,” coordinating efforts across Corporate Security, enterprise risk management, and market-facing product teams to assess risks, implement controls to mitigate them, and provide assurance to regulators and stakeholders of Mastercard’s best-in-class performance in information security.
Overview:
We are seeking a Lead Security Control Assessor to execute testing of security controls. You will perform quality control over documented control processes, shape control testing plans, review submitted evidence, evaluate control strength, and initiate findings of any shortfalls. As a member of an enterprise-wide risk management community of practice, you will also play a key role in maturing the control testing program through standardization, automation, and reporting that provides management visibility and supports regulatory/customer requirements (e.g., PCI DSS, SOC 1/SOC 2, ISO 27001). In this position, you will:
- Execute control testing (including design and operating effectiveness) across key security control domains such as access management, vulnerability management, logging/monitoring, encryption, incident response, etc.
- Evaluate evidence submitted by operators of security controls, rate effectiveness, and initiate findings as required.
- Facilitate remediation of control gaps by partnering with control owners, control operators, and security engineers to clarify requirements, remove blockers, agree on target dates, and escalate overdue or high-risk gaps through defined governance.
- Identify and communicate priorities for security control testing across the business, leveraging relationships with security control owners, knowledge of the risk environment, and awareness of metrics on control performance.
- Participate in documentation of control testing procedures and drive enhancements of control testing tools.
- Support internal/external assessments and audits by coordinating evidence, leading walkthroughs of control design/testing approach, and addressing inquiries in partnership with compliance and audit teams.
All About You:
The ideal candidate for this position has:
- Bachelor’s degree (or equivalent practical experience) in Information Security, Information Systems, Computer Science, or related field.
- Relevant certifications such as CISA, CISSP, Security+, PCI ISA, etc.
- 5–8 years of experience in 1st Line of Defense control testing, technology audit, risk & compliance, or security engineering with demonstrated ownership of testing/assurance outcomes.
- Strong technical understanding across core security control domains.
- Experience building and executing test procedures against formal standards/frameworks, including scoping, sampling, and defining evidence requirements.
- Ability to produce clear, defensible test documentation with strong attention to detail and consistency.
- Experience in a payment, fintech, bank, or other highly regulated environment.
- Familiarity with payment security concepts and frameworks, particularly PCI DSS.
- Experience with GRC platforms (e.g. RSA Archer) and evidence/workflow automation.
NICE Framework references:
Mastercard Corporate Security Roles have been aligned with the NICE framework (National Initiative for Cybersecurity Education). For this role the NICE Work Roles most closely aligned are:
- Security Control Assessment (OG-WRL-012): Responsible for conducting independent comprehensive assessments of management, operational, and technical security controls and control enhancements employed within or inherited by a system to determine their overall effectiveness.
- Systems Testing and Evaluation (DD-WRL-007): Responsible for planning, preparing, and executing system tests, evaluating test results against specifications, and reporting findings.
- Vulnerability Analysis (PD-WRL-007): Responsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense-in-depth architecture against known vulnerabilities.
- Cybersecurity Architect (DD-WRL-001): Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems that protect and support organizational mission and business processes.
- Systems Security Analyst (OM-ANA-001): Helps ensure secure configuration and operational security requirements are implemented and verifiable in production environments.
Corporate Security Responsibility:
Every person working for, or on behalf of, Mastercard is responsible for information security. All activities involving access to Mastercard assets, information, and networks come with an inherent risk to the organization and, therefore, it is expected that the successful candidate for this position must:
- Abide by Mastercard’s security policies and practices;
- Ensure the confidentiality and integrity of the information being accessed;
- Report any suspected information security violation or breach; and
- Complete all periodic mandatory security trainings in accordance with Mastercard’s guidelines.
Required skills
risk management
security controls
governance
risk assessment
stakeholder coordination
operational risk
About Mastercard
Mastercard (Public): A financial network that processes payments between banks and cardholders
Employees: 10,001+
Headquarters: Purchase
Valuation: $360B