R3 is a financial innovation firm that leads a consortium partnership with over 100 of the world’s leading financial institutions. We work together to design and deliver advanced distributed ledger technologies to the global financial markets.
R3 has employees based in over 11 (and counting!) countries across the globe, with our headquarters in London, alongside office locations in New York City and Singapore. Our vibrant and centrally located offices are filled with collaborative spaces, healthy (and some not so healthy!) snacks and state of the art work spaces and equipment.
The Information Risk Consultant shall support the design and maintenance of the policies and organisational controls within R3’s information security management system. Reporting to the information security manager, and part of a small team of information security specialists, you will ensure that the control environment supporting R3’s twin missions of enterprise software vendor and operator of the Corda Network is appropriately designed to address the information risks faced by R3. In particular you will be helping to develop the control environment for the Corda Network, a publicly available internet of Corda enterprise blockchain nodes. You’ll be working to help enhance the control environment for a new technology stack and provide assurance for some demanding customers.
You’ll be used to working in environments with comprehensive security control environments, but have the insight to bring a risk-based approach to a fast-moving company with a start-up culture. This is an opportunity to help “write the book” on building a security control environment for enterprise blockchain. If this sounds like you, read on…
Responsibilities (the Information Risk Consultant will…)
- Support the Security Risk Manager in the delivery of GRC activities for R3.
- Facilitate different types of risk assessments (people, process & technology) and support the tracking of risk remediation activities via R3 risk register.
- Ensure risk treatment plans are communicated to appropriate stakeholders and track risk remediation activities through to completion.
- Assist with the creation of Information Security metrics (KPI/KRI) for the team and own the delivery of appropriate reporting.
- Support the Risk Manager in the development, operation and maintenance of R3’s security control environment (ISMS) including information security policies, standards and guidelines (non-technical).
- Own and manage the relationship with internal stakeholders for the annual review of policies and standards.
- Manage the policy exemption process for R3, handling requests and reporting on non-compliance.
- Identify emerging security requirements from Corda Enterprise users and Corda Network participants, and ensure that capabilities to meet them are baked in to R3 products and network operations.
- Prepare for and assist with external assessments of R3’s security control environment (R3 anticipates undergoing a SOC 2 assessment within a year).
- Develop the assurance program as a positive differentiator for R3. Assist with client due diligence and vendor risk management activities as required.
Qualifications (the must-haves…)
- First and foremost we want you to love what you do. You’ll need to be a security evangelist within R3 and the community of Corda Network participants, both current and future.
- You’ll have three or more years’ experience in a direct information security role specialising in governance, risk and compliance activities.
- We believe that we work better as a team, and hope you share that belief. You’ll be working in a diverse group of people with a variety of skills and backgrounds; a high level of emotional intelligence will be assumed.
- You’ll need excellent communication skills, both verbal and written. You will assist in defining the ISMS and creating the appropriate documentation to support it.
- R3’s control environment is risk-driven. A working knowledge of ISO 27005 would be great, but experience with other standards will probably be acceptable.
- You will have relevant experience of conducting information security assessment and/or assurance activities. Financial services experience would be ideal, but experience in other areas such as large consultancy, telecoms or other critical infrastructure may also be a good fit.
- You will have experience working within a well-known security control framework, such as the ISO 27000 family, COBIT or the NIST Cybersecurity Framework. You will have worked in an organisation certified to ISO 27001 or that has undergone SOC 2 assessments.
- You will have a solid appreciation of the variety of technical controls available to R3 including endpoint security, identity and access management, network security controls (firewalls, VPN), intrusion detection and security event management/log analysis tools. You won’t be expected to be hands-on with these tools, but you’ll certainly need to be aware of how they fit within the control environment which you will help to design and operate.
Qualifications (the nice-to-haves…)
- Relevant professional qualifications would be great. We’d love an ISO 27001 lead implementer on the team. We have ISACA and ISC2 members already, so we’ll obviously look favourably on professional certifications from those bodies. You’ll need to demonstrate that any certifications you claim are valid and current (we will check).
- Understanding of public key infrastructure would be very useful. We’d be particularly interested to hear from people who’ve worked in internal PKI teams or for commercial CAs.
- An engineering or science degree would be great, as would an appropriate MSc. Appropriate career experience is just as important though. Be prepared to tell us all about that experience.
- Vibrant, centrally located offices (with snacks provided)
- Private Medical & Dental (location dependent)
- Retirement scheme & life insurance
- Enhanced parental leave & family friendly policies
- Competitive vacation allowance
- Working from home & flexible working (as needed and agreed)
- A competitive salary that reflects your experience and merit
- Discretionary Equity Based Incentive Plan
- Discretionary bonus (or commission based incentive plan)
- Employee Referral Program
Our values are our DNA. They define what we stand for and guide how we work together internally and with our customers, partners, and shareholders.
The success of our customers is paramount. We build strong relationships and strive to create the best possible experience for them.
We bring together all parts of the ecosystem and give our customers the tools and environment to work together to change their industries.
We have the agility of a small company, but the confidence and ambition of the industry-defining titan we aspire to become.
We demand excellence and take pride in our products and services.