Cybersecurity Audit Director - job 2 of 4

You Lead the Way. We’ve Got Your Back.

With the right backing, people and businesses have the power to progress in incredible ways. When you join Team Amex, you become part of a global and diverse community of colleagues with an unwavering commitment to back our customers, communities and each other. Here, you’ll learn and grow as we help you create a career journey that’s unique and meaningful to you with benefits, programs, and flexibility that support you personally and professionally.

At American Express, you’ll be recognized for your contributions, leadership, and impact—every colleague has the opportunity to share in the company’s success. Together, we’ll win as a team, striving to uphold our company values and powerful backing promise to provide the world’s best customer experience every day. And we’ll do it with the utmost integrity, and in an environment where everyone is seen, heard and feels like they belong.

Join Team Amex and let's lead the way together.

American Express’ Internal Audit Group (IAG) has reinvented our audit process and is leading the financial services industry with our Audit NextGen, Data-Driven Continuous Auditing, and Auditor of the Future initiatives. Each uniquely support our Winning Aspiration to be a world class internal audit function that:

• Provides data-driven and technology-enabled assurance
• Delivers timely risk insights that are business-aware and forward-looking
• Supports our colleagues with experiences that prepare them to be enterprise leaders

Collectively, IAG’s strategic initiatives, combined with our greatest asset – our people – enable IAG to utilize advanced data analysis capabilities, provide greater and continuous assurance, and help ensure quality products and services are provided to American Express customers. 

IAG’s innovative Data-Driven Continuous Auditing approach has led to patent-pending technology assets over our uniquely developed audit methodology and technology enablers. 

We are looking for those who share our mission and aspirations and are passionate about the use of data and technology in a collaborative, people-focused environment.

About the Internal Audit Group at American Express

Our Internal Audit Group is a worldwide function with 300+ team members and offices across nine countries within American Express. Our mission is to protect and enhance organizational value by providing independent, objective, risk-based assurance, advisory services and to influence the way the company manages risk.

We are committed to growing our audit staff significantly as we continue to expand and enhance the Internal Audit Group. Our assurance and risk professionals have diverse backgrounds including internal controls, consumer compliance, technology, operational risk, financial accounting, data analytics, and banking operations. Our audit teams align to key risk areas and business units to ensure IAG can provide comprehensive and risk-based audit coverage. In addition, IAG has a Professional Practices group responsible for managing audit operations, quality, and standards; regulatory relations; reporting; training and professional development; and key internal capabilities and technologies.

About the Role:

Our Internal Audit group is seeking an eager Cybersecurity Audit Director to help advance and grow our audit coverage across our cybersecurity audit portfolio. In this role, the ideal candidate will be the team leader for auditors to provide assurance over areas such as application security, infrastructure security, cybersecurity incident readiness and response, encryption management, and cloud services. This is an exceptional opportunity for you to showcase and further expand your audit skills, and knowledge!

About the Team:

The cybersecurity audit portfolio spans the information technology through the enterprise. Audit coverage includes auditing first-line information security processes. The cybersecurity audit team is heavily focused on utilizing a data driven auditing approach across the audit portfolio.

The Key Responsibilities of the role include:

• Lead a team of approximately five technology audit colleagues provide internal audit assurance over first-line information security processes, and deliver cybersecurity thought leadership to the team
• Plan and lead execution of cybersecurity audits on the company annual audit plan
• Ensure that audits delivery assurance and objectives by setting the audit scope, developing test plans, and leading colleagues to evaluate the design and operating effectiveness of cybersecurity controls, including testing control effectiveness with analytics-based testing
• Analyze regulatory and industry cybersecurity requirements and frameworks over risk management, technology, and information security
• Maintain the team's resources, training program, recruiting pipeline, and execute the screening and selection process
• Monitor a portfolio of cybersecurity audit analytics, assess results, & use data to tell the business story, and work with audit and business colleagues to validate findings
• Evaluate cybersecurity audit results, synthesize audit findings across the project, draft audit reports and ensure effective and efficient execution of audits in conformance with professional and department standards, budgets, and timelines
• Present audit objectives, scope, and results to senior management and technology subject matter experts, clearly articulating the potential impact of control gaps in a highly professional and proficient manner
• Assist other team leaders, senior auditors, and staff auditors in accomplishing team objectives and producing results
• Execute multiple simultaneous global audit projects of all sizes and complexity across multiple business areas including integrated audits that consider financial, operational, compliance and technology risk
• Effectively coach, teach, mentor and develop junior colleagues and co-sourced resources in geographically diverse locations across all aspects of their role, the audit and analytic lifecycle, audit methodology, and technology processes & controls
• Monitor industry cybersecurity trends and emerging risks and propose potential changes to the IAG audit universe to ensure audit coverage evolves with the risk environment
• Occasionally lead a team of approximately five technology audit colleagues provide internal audit assurance over first-line information technology general control processes
• Assume full performance management responsibility for assigned staff

Minimum Qualifications

• 7+ years of relevant technology audit experience
• 4+ years of leadership experience managing audit teams and stakeholders
• Big 4 public accounting firm audit experience
• Experience testing all IT General Control technology control domains
• BA, BS, or equivalent degree in accounting or technology related field
• Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP)
• An industry recognized cloud certification, e.g., ICS2 CCSP, or complete within 12 months of hire date.
• Knowledge and experience in the application of control theory and professional auditing practices including the audit lifecycle
• Strong knowledge of information security and infrastructure related terminology and concepts (e.g., zero trust, defense in depth, hybrid cloud, infrastructure as code, virtualization, public key infrastructure (PKI), etc.)
• Prior experience in applying cybersecurity concepts and controls/countermeasures in public cloud environments (Amazon Web Services, Google Cloud, etc.).
• Prior experience in analyzing regulatory and industry cybersecurity frameworks (NIST, FFIEC, CRI, MITRE ATT&CK) and applying guidance to audits of cybersecurity controls
• Demonstrated ability to serve as a cybersecurity mentor or coach to junior team members, including prior experience in creating training materials and delivering cybersecurity training to audit teams and departments
• Ability to break-down a complex problem into components, solve them using data analysis, process knowledge and risk/control knowledge, and communicate results and control recommendations with transparency and integrity
• Strong written and verbal communication skills that deliver quality, actionable and beneficial feedback to management on potential control issues and solutions to close gaps.
• Effectively leads a team in a fast-paced environment to drive business results, utilizing related project management skills, employing creative thinking, and the ability to work on competing priorities

Preferred Qualifications

• Financial services industry strongly preferred
• 10+ years of relevant technology audit experience
• BA or BS in Cybersecurity, Information Systems, Computer Science, or related field
• Certified Information Systems Security Professional (CISSP)
• Certified Cloud Security Professional (CCSP)
• Experience leading teams in technology, cybersecurity, or information security risk management
• Experience with using data analytic tools, data visualization, key risk indicators (KRIs), key performance indicators (KPIs), and scorecards / dashboards
• Background in information systems, data analytics or information technology 

Non-considerations for sponsorship: Employment eligibility to work with American Express in the U.S. is required as the company will not pursue visa sponsorship for these positions.

Salary Range: $130,000.00 to $205,000.00 annually + bonus + equity (if applicable) + benefits

The above represents the expected salary range for this job requisition. Ultimately, in determining your pay, we’ll consider your location, experience, and other job-related factors.

We back our colleagues and their loved ones with benefits and programs that support their holistic well-being. That means we prioritize their physical, financial, and mental health through each stage of life. Benefits include:

• Competitive base salaries 
• Bonus incentives 
• 6% Company Match on retirement savings plan 
• Free financial coaching and financial well-being support 
• Comprehensive medical, dental, vision, life insurance, and disability benefits 
• Flexible working model with hybrid, onsite or virtual arrangements depending on role and business need 
• 20+ weeks paid parental leave for all parents, regardless of gender, offered for pregnancy, adoption or surrogacy 
• Free access to global on-site wellness centers staffed with nurses and doctors (depending on location) 
• Free and confidential counseling support through our Healthy Minds program 
• Career development and training opportunities

For a full list of Team Amex benefits, visit our Colleague Benefits Site.

American Express is an equal opportunity employer and makes employment decisions without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran status, disability status, age, or any other status protected by law. American Express will consider for employment all qualified applicants, including those with arrest or conviction records, in accordance with the requirements of applicable state and local laws, including, but not limited to, the California Fair Chance Act, the Los Angeles County Fair Chance Ordinance for Employers, and the City of Los Angeles’ Fair Chance Initiative for Hiring Ordinance. For positions covered by federal and/or state banking regulations, American Express will comply with such regulations as it relates to the consideration of applicants with criminal convictions.

We back our colleagues with the support they need to thrive, professionally and personally. That's why we have Amex Flex, our enterprise working model that provides greater flexibility to colleagues while ensuring we preserve the important aspects of our unique in-person culture. Depending on role and business needs, colleagues will either work onsite, in a hybrid model (combination of in-office and virtual days) or fully virtually.

US Job Seekers/Employees - Click here to view the “Know Your Rights” poster and the Pay Transparency Policy Statement.

If the links do not work, please copy and paste the following URLs in a new browser window: https://www.dol.gov/agencies/ofccp/posters to access the three posters.