Director, Information Security Program Manager

Director, Information Security Program Manager

At BNY, our culture allows us to run our company better and enables employees' growth and success. As a leading global financial services company at the heart of the global financial system, we influence nearly 20% of the world's investible assets. Every day, our teams harness cutting-edge AI and breakthrough technologies to collaborate with clients, driving transformative solutions that redefine industries and uplift communities worldwide.

Recognized as a top destination for innovators, BNY is where bold ideas meet advanced technology and exceptional talent. Together, we power the future of finance - and this is what #LifeAtBNY is all about. Join us and be part of something extraordinary.

We're seeking a future team member for the role of Director, Information Security Program Manager, to join our Information Security team. This role is in Washington, DC or Pittsburgh, PA

In this role, you'll make an impact in the following ways:

Role Overview

BNY is seeking a seasoned Director, Information Security Program Manager to lead the creation, authorization, and continuous governance of a FedRAMP-compliant Azure Government tenant underpinning government payment transaction services. You will own the end-to-end program-system boundary definition, documentation, ATO readiness, , and continuous monitoring-ensuring sustained compliance at FedRAMP High The ideal candidate blends rigorous compliance leadership with strong cloud security and platform enablement skills and has demonstrated success in -system subject to federal compliance.

Key Responsibilities

• Program Leadership and Governance
  
  
  
  • Own the multi-year FedRAMP roadmap for an Azure Government tenant supporting government transactions; define milestones, risks, dependencies, and decision gates.
  • Establish governance forums and operating mechanisms across engineering, cloud platform, information security, risk/compliance, legal, payment operations, and 3PAOs.
  • Maintain program OKRs/KPIs: POA&M closure velocity, control coverage, vulnerability SLAs, ConMon completeness, audit readiness, and
  • Drive disciplined change control, evidence management, , and control attestation workflows aligned to FedRAMP requirements.
  • Manage external partners and 3PAO activities (readiness, assessments, remediation),.
  
  
• FedRAMP Authorization (ATO) Readiness
  
  
  
  • Lead authoring and maintenance of FedRAMP artifacts: SSP and associated FedRAMP appendices, POA&M, policies/standards/procedures, boundary diagrams, and data flows tailored to Azure Government/GCC High constructs.
  • Define and maintain the system boundary and data categorization supporting payment transactions; align to FedRAMP High baseline.
  • Coordinate control implementation across all FedRAMP control families. .
  • Conduct gap analyses against NIST SP 800-53 controls; drive remediation plans and ensure traceability from control narratives to technical and process evidence.
  
  
• Continuous Monitoring & Operations
  
  
  
  • Stand up and run Continuous Monitoring, in alignment with FedRAMP High guidelines, for the Azure Government tenant: scanning cadence, patch cycles, configuration baseline monitoring, control effectiveness checks, incident handling, and change compliance.
  • Own POA&M lifecycle: triage findings, prioritize by risk, execute corrective actions, validate closure, reporting outstanding actions, and update artifacts.
  • Maintain real-time dashboards and reporting for control posture, exceptions, residual risk, and operational health across payment services and shared services.
  • Ensure SSP and supporting documentation are promptly updated to reflect material changes to boundary, services, configurations, or controls.
  • Coordinate security incident response processes with SOC teams and act as interface with the client throughout the incident lifecycle including root cause analysis and closure.
  
  
• Audit, Stakeholder, and External Engagement
  
  
  
  • Serve as the primary contact for internal/external audits, 3PAO assessments, and authorizing officials; coordinate evidence collection and subject matter responses.
  • Prepare teams for assessments; lead walkthroughs, demos, and artifact reviews; shepherd remediation and risk acceptance processes as appropriate.
  • Enable engineering, operations, and payment teams with training and lightweight process embeds to sustain day-to-day FedRAMP compliance.
  
  
• Risk Management and Issue Resolution
  
  
  
  • Maintain a program risk register spanning control gaps, architectural changes, data flows, vendor dependencies, and operational risks in payment services.
  • Escalate issues with quantified impact; drive compensating controls or risk acceptance decisions in partnership with risk/compliance.
  
  

To be successful in this role, we're seeking the following:

• 12+ years of program management in regulated cloud environments; 3+ years directly owning FedRAMP programs, artifacts, and Continuous Monitoring.
• Hands-on oversight, authorship, maintenance and response experience with SSP, POA&M, SAP/SAR; proven track record achieving/maintaining ATO for cloud services.
• Deep knowledge of NIST SP 800-53 control families, FedRAMP Moderate/High baselines, ConMon processes, and 3PAO engagements.
• Strong familiarity with Azure Government or GCC High and core security capabilities: identity/access, logging/monitoring, encryption, policy enforcement, landing zone patterns.
• Demonstrated success orchestrating cross-functional teams (security, cloud/platform, payments, operations, compliance, legal) to deliver complex regulatory programs.
• Exceptional communication skills: executive reporting, control narratives, audit responses, and stakeholder management.
• Bachelor's degree in information security, Computer Science, Information Systems, or related field; equivalent experience considered.

Preferred Qualifications

• Direct experience enabling government payment transactions on cloud platforms and aligning control implementations to transactional risk profiles.
• Azure-focused security experience (Defender for Cloud, Sentinel, Azure Policy/Blueprints, Key Vault, Private Link, Purview).
• Prior experience collaborating with federal agencies, sponsoring organizations, or authorizing officials for ATOs.
• Experience with security compliance to IRS 1075 requirements
• Certifications: PMP, CISSP, CCSP, CISM, Azure Security Engineer Associate, or equivalent.

Key Competencies

• Ownership and disciplined execution across multi-workstream, cross-functional programs.
• Ability to translate regulatory requirements into practical, testable technical and process controls.
• Risk-based decision-making with clear prioritization and measurable outcomes.
• Influencing and stakeholder leadership; driving alignment without formal authority.
• Documentation rigor and audit readiness; maintaining high-quality, current artifacts.
• Continuous improvement mindset; leveraging metrics to improve control posture and operational efficiency.
• Flexible work arrangements may be available in accordance with BNY policies and applicable role requirements.
• Limited travel may be required for assessments, audits, or stakeholder workshops.

Program KPIs (example targets; customizable)

• POA&M closure: 30 calendar days average for High findings; 60 for Moderate.
• Continuous Monitoring: 100% monthly reporting completeness across in-scope services.
• Configuration drift: 5% variance from baseline across evaluated resources per month.
• Vulnerability remediation: Meet or exceed FedRAMP timelines by severity category.

Audit readiness: "Green" status across evidence completeness and control demonstration prior to 3PAO assessments.

At BNY, our culture speaks for itself, check out the latest BNY news at:

BNY Newsroom

BNY LinkedIn

Here's a few of our recent awards:

• America's Most Innovative Companies, Fortune, 2025
• World's Most Admired Companies, Fortune 2025
• "Most Just Companies", Just Capital and CNBC, 2025

Our Benefits and Rewards:

BNY offers highly competitive compensation, benefits, and wellbeing programs rooted in a strong culture of excellence and our pay-for-performance philosophy. We provide access to flexible global resources and tools for your life's journey. Focus on your health, foster your personal resilience, and reach your financial goals as a valued member of our team, along with generous paid leaves, including paid volunteer time, that can support you and your family through moments that matter.

BNY is an Equal Employment Opportunity/Affirmative Action Employer - Underrepresented racial and ethnic groups/Females/Individuals with Disabilities/Protected Veterans.

Manages multiple teams responsible for organization data protection. Oversees and develops policies regarding CTS security architecture, security monitoring and auditing, incident reporting/response and forensics. Leads and oversees broad information security projects and resourcing. Liaises with business process owners to ensure ongoing alignment. Participates in the planning and implementation of security for complex CTS projects. Evaluates security applications and systems. Presents recommendations on whether to use systems to senior management. Demonstrates advanced ability to conduct cost-benefit analysis to justify investment in security and/or COB controls to mitigate risks. Presents advanced analyses to senior management with recommendations aligning customer/business needs and capabilities. Evaluates new and emerging products and technologies, recommending which technologies to implement, develops functional specifications and documentation. Monitors budgets and schedules for projects conducted by teams and ensures they are completed in a timely manner. Recruits, directs, motivates and develops staff, maximizing their individual contribution, their professional growth and their ability to function effectively with their colleagues as a team. Manages multiple information security teams. Contributes to the achievement of multiple teams' objectives. Bachelor's degree in computer science or a related discipline, or equivalent work experience required, advanced degree preferred. 12+ years of experience in information security or related technology experience required, experience in the securities or financial services industry is a plus..BNY Mellon is an Equal Employment Opportunity/Affirmative Action Employer.Minorities/Females/Individuals with Disabilities/Protected Veterans.Our ambition is to build the best global team - one that is representative and inclusive of the diverse talent, clients and communities we work with and serve - and to empower our team to do their best work. We support wellbeing and a balanced life, and offer a range of family-friendly, inclusive employment policies and employee forums.

The base salary for this position is expected to be between $147,000 and $ 310,000per year at the commencement of employment. However, base salary if hired will be determined on an individualized basis, including as to experience and market location, and is only part of the BNY total compensation package, which, depending on the position, may also include commission earnings, discretionary bonuses, short and long-term incentive packages, and Company-sponsored benefit programs.

This position is at-will and the Company reserves the right to modify base (as well as any other discretionary payment or compensation) at any time, including for reasons related to individual performance, change in geographic location, Company or individual department/team performance and market factors.