Cyber and IT Risk Manager

The primary responsibilities of a Cyber and IT Risk Manager at Johnson Matthey include developing and implementing a comprehensive cyber and IT risk management program, ensuring alignment with business goals and risk appetite, conducting thorough assessments of control environments, and maintaining assurance processes for cyber and IT controls. Moreover, this important role involves communicating risks clearly to stakeholders in a non-technical manner to enable informed decision making.

Candidates for the Cyber and IT Risk Manager position at Johnson Matthey should possess a solid understanding of cyber and IT controls, relevant legislation such as GDPR, and industry standards like ISO27001. Ideal candidates will have practical experience in risk management best practices, ability to communicate effectively with business stakeholders, and background in cybersecurity controls and audit processes.

The Cyber and IT Risk Manager ensures compliance with regulations at Johnson Matthey by staying up to date with regulatory and legislative developments related to cyber and IT. This involves assessing changes that impact the company and developing action plans to meet compliance requirements while keeping senior management informed of any relevant updates necessitating action.

Essential skills for success as a Cyber and IT Risk Manager at Johnson Matthey include a thorough understanding of cyber security controls and the ability to articulate cyber and IT risks in business-focused terms. Familiarity with various enterprise software technologies, IT general controls, and risk management best practices are also critical, as is the capability to identify and remediate control gaps effectively.

Johnson Matthey offers several benefits to Cyber and IT Risk Managers, including competitive salaries, hybrid and flexible working options, and various health and financial wellbeing benefits. These include retirement savings, life and disability insurance, medical plans, and commuter allowances, all designed to support employees both professionally and personally in their careers.

To manage cyber risks effectively, I would establish a structured risk management program that includes regular assessments and prioritization of risks. Communication with stakeholders is key, so I would ensure risks are presented in an easily understandable manner, likely utilizing risk matrices and clear documentation to facilitate informed decisions.

In previous roles, I have implemented and managed various cyber security controls, particularly aligned with industry standards such as ISO27001. My experience includes developing internal policies, conducting audits, and ensuring compliance, which has enabled me to identify and remediate vulnerabilities proactively.

I would adopt a tailored training approach, offering sessions designed for different stakeholder groups. I believe in using relatable examples and practical scenarios to make the content engaging, ensuring stakeholders understand the implications of cyber risks on the business and their roles in mitigating those risks.

Communication plays a vital role in my responsibilities as a Cyber and IT Risk Manager. I focus on simplifying complex technical data into business terms, ensuring that stakeholders at all levels understand potential risks and implications, enabling informed decision-making, and cultivating a risk-aware culture within the organization.

I actively subscribe to industry publications, attend webinars, and engage in professional networks to stay informed on the latest regulations and best practices in cyber and IT. I also participate in relevant training sessions to enhance my knowledge and exchange experiences with peers in the field.

In a previous experience, I discovered a significant control failure in the IT access rights process. I led a task force to conduct a comprehensive audit, identified the root causes, and worked on implementing a new framework that included stricter access controls and regular reviews, significantly reducing similar incidents.

I employ a mix of techniques to assess cyber security effectiveness, including internal audits, penetration testing, and regular risk assessments. By analyzing results and establishing metrics, I can continuously monitor performance and recommend improvements where necessary.

To handle resistance from stakeholders, I would first seek to understand their concerns and address them directly through dialogue. Providing data and case studies that highlight the potential impacts of inadequate cyber security can help to create buy-in, and I would collaborate closely to identify mutually acceptable solutions.

I have worked extensively with risk assessment frameworks such as NIST. This included adapting its guidelines to fit organizational needs, conducting assessments based on MITRE ATT&CK, and utilizing best practices to fortify our cybersecurity posture against evolving threats in the industry.

My motivation for working in cyber and IT risk management stems from the evolving nature of technology and its impact on business. I find it fulfilling to protect companies from cyber threats and contribute to building a more secure environment, aligning my work with sustainability and safety goals that resonate with today's world.