Head of Cyber Resilience at S&P Global
Centreville, Virginia, United States -
Full Time


Start Date

Immediate

Expiry Date

15 Aug, 26

Salary

0.0

Posted On

17 May, 26

Experience

10 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Offensive Security, AI Security Governance, Red Teaming, Purple Teaming, Penetration Testing, Breach and Attack Simulation, Continuous Threat Exposure Management, AI Red Teaming, Cloud Security, Vulnerability Management, MITRE ATT&CK, AI Posture Management, Risk Management, Incident Response, Strategic Leadership, AI Enablement

Industry

Financial Services

Description
Head of Cyber Resilience
Grade: 15

About the Role

We are seeking a highly experienced and forward-thinking Head of Cyber Resilience to lead a new corporate function at the intersection of proactive offensive security, emerging artificial intelligence technologies, and enterprise cybersecurity. This senior leadership role reports to the Chief Information Security Officer and is responsible for defining and executing the organization's critical cybersecurity resilience strategies, including comprehensive offensive security programs (red teaming, penetration testing, breach and attack simulation) to continuously validate our defenses, as well as driving the enterprise AI security strategy encompassing both the security of AI systems (AI governance) and the application of AI to enhance security capabilities (AI enablement). The leader will operate with a high degree of autonomy, driving material impact across the business through thought leadership, strategic prioritization, and hands-on program execution.

Key Responsibilities

Strategic Leadership (35%)

- Develop and maintain a cybersecurity resilience roadmap that addresses both near-term tactical needs and long-term strategic goals across all relevant domains, including offensive security and continuous threat exposure management.
- Design and champion a Continuous Threat Exposure Management (CTEM) strategy, integrating offensive security insights and continuous validation into enterprise risk management.
- Define and own the enterprise AI security strategy, aligning with broader organizational security philosophy, risk appetite, and business objectives.
- Champion AI security governance frameworks, policies, and standards across divisions, functions, and business lines.
- Provide executive-level guidance on AI risk, emerging threats, regulatory trends, and industry best practices related to artificial intelligence systems and advanced persistent threats (APTs).
- Partner with senior stakeholders across Cyber Defense, Architecture & Engineering, Identity & Access Management (IAM), and Governance, Risk & Compliance (GRC) to transform operations through the use of AI and offensive security insights.
- Represent the organization in external forums, industry groups, and client engagements as a subject matter expert on cyber resilience and offensive security operations.

Tactical Execution (55%)

Proactive Security & Continuous Validation (Offensive Security)

Red & Purple Teaming
- Lead enterprise-wide red team operations to simulate advanced adversary tactics, techniques, and procedures (TTPs) aligned with the MITRE ATT&CK framework.
- Partner closely with the SOC and Cyber Defense teams in Purple Teaming exercises to continuously improve detection engineering, threat hunting capabilities, and incident response procedures.
- Develop and execute adversary emulation campaigns targeting critical business processes, crown jewel assets, and high-value data repositories.
- Establish metrics and reporting frameworks to measure defensive capability improvements resulting from red team engagements.

Breach and Attack Simulation (BAS)
- Implement, manage, and scale Breach and Attack Simulation platforms (e.g., AttackIQ, Cymulate, Picus Security, Pentera) to continuously and automatically validate the efficacy of security controls across network, endpoint, cloud, and identity environments.
- Design BAS scenarios that replicate real-world attack chains, ransomware campaigns, and data exfiltration techniques.
- Integrate BAS findings into vulnerability management workflows and security control optimization initiatives.
- Establish continuous validation cadences aligned with change management cycles and threat landscape evolution.

Penetration Testing
- Oversee comprehensive internal and external penetration testing programs, including network infrastructure, web applications, APIs, mobile applications, cloud environments (AWS, Azure, GCP), and physical security assessments.
- Manage relationships with third-party penetration testing firms and establish quality standards for external assessments.
- Ensure rigorous tracking and timely remediation of identified vulnerabilities through integration with vulnerability management and GRC platforms.
- Conduct specialized testing for emerging technologies, including containerized environments (Kubernetes, Docker), serverless architectures, and IoT/OT systems.

Vulnerability & Exposure Management
- Drive a risk-based vulnerability management program that prioritizes remediation based on exploitability, threat intelligence, asset criticality, and offensive security findings.
- Leverage threat intelligence feeds and exploit databases (e.g., CISA KEV, Exploit-DB) to inform prioritization decisions.
- Implement attack surface management capabilities to continuously discover and assess internet-facing assets, shadow IT, and third-party exposures.
- Establish SLAs for vulnerability remediation based on severity, exploitability, and business context.

Resilience Testing & Tabletop Exercises
- Design and facilitate executive and technical tabletop exercises simulating ransomware attacks, data breaches, supply chain compromises, and AI-specific incidents.
- Lead cyber range exercises and controlled attack simulations to test incident response plans, business continuity procedures, and crisis communication protocols.
- Implement chaos engineering principles to test the resilience of security controls, monitoring systems, and recovery capabilities under adversarial conditions.

AI Governance (Security for AI)
- Oversee and evolve the Model Registry, ensuring all AI/ML models are catalogued, version-controlled, and subject to appropriate security and risk controls.
- Lead the AI Security Posture Management (AISPM) program to continuously assess and remediate security risks across the AI/ML environment.
- Direct AI Red Teaming exercises to proactively identify vulnerabilities in AI systems, models, and pipelines (e.g., prompt injection, model inversion, data poisoning, adversarial examples).
- Define and enforce guardrails for MCP servers, AI agents, and models to prevent misuse, data leakage, and other AI-specific threats.
- Ensure robust Identity and Access Management controls are applied to AI agents and MCP servers, in collaboration with the enterprise IAM function.
- Own the AI Supply Chain Security program, governing the security evaluation of third-party models, tools, datasets, and AI service providers.
- Implement observability and threat monitoring capabilities to detect anomalous AI behavior, adversarial inputs, and model drift with security implications.
- Drive AI threat modeling practices across the SDLC and MLOps pipelines to proactively identify and mitigate AI-specific attack vectors.
- Lead AI inspection and discovery initiatives to maintain a comprehensive inventory of AI assets, shadow AI usage, and unapproved model deployments across the enterprise.
- Oversee Cloud AI Security for platforms including AWS Bedrock, GCP Vertex AI, and other cloud-hosted AI/ML services, ensuring appropriate security configurations and controls are in place.

AI Enablement (AI for Security)
- Drive the adoption of AI and machine learning capabilities across key security domains, including:
  - GRC: Leveraging AI to automate risk assessments, control testing, and compliance reporting.
  - Cyber Defense: Applying AI/ML to enhance threat detection, incident response, and SOC operations.
  - IAM: Utilizing AI-driven analytics for behavioral baselines, anomaly detection, and access intelligence.
  - Architecture & Engineering: Embedding AI-assisted security tooling into development pipelines and security architecture reviews.
  - Offensive Security: Employing AI-powered tools for automated vulnerability discovery, exploit development assistance, and attack path analysis.
- Evaluate, select, and govern AI-powered security tools and vendors, ensuring alignment with enterprise security standards and supply chain requirements.
- Develop internal AI literacy and capability uplift programs for security teams to responsibly and effectively leverage AI technologies.

Operational Management (10%)

- Manage budget and resource allocation for the Cyber Resilience, Offensive Security, and AI Security functions, ensuring cost-effective delivery of the program.
- Establish and track key performance indicators (KPIs) and metrics to measure the effectiveness and maturity of proactive security testing and AI Security programs, including:
  - Mean time to detect (MTTD) and remediate (MTTR) vulnerabilities identified through offensive testing
  - Security control validation coverage and effectiveness rates
  - Red team success rates and defensive improvement trends
  - AI security posture scores and risk reduction metrics
- Report on program status, risks, and priorities to senior leadership and relevant governance committees.
- Manage vendor relationships and contracts related to penetration testing firms, BAS platforms, and AI security tooling.

Decision-Making & Problem Solving

- Makes autonomous decisions that directly impact the success of the Cyber Resilience function and the broader organization's risk posture.
- Exercises expert judgment to navigate highly complex, ambiguous, and novel security challenges where established frameworks may be limited or absent.
- Balances innovation enablement with risk mitigation, making pragmatic risk-based decisions in a rapidly evolving technology landscape.
- Determines appropriate scope, frequency, and intensity of offensive security operations based on threat intelligence, risk assessments, and business priorities.
- Executes priorities and broad plans consistent with overall enterprise strategy and organizational philosophy, with limited escalation required.

Key Interactions

Internal: CISO, CTO, Head of AI Officer, Division/Function Heads, Enterprise Architecture, Legal & Compliance, Data Science and ML Engineering teams, SOC and Cyber Defense teams, and business unit stakeholders.

External: Large and complex clients, strategic technology partners, AI platform vendors (e.g., AWS, Google Cloud, Microsoft), offensive security vendors and consultancies, regulatory bodies, and industry working groups.

Qualifications & Experience

Required
- 10+ years of progressive experience in cybersecurity, with a significant and demonstrable focus on cyber resilience, offensive security/penetration testing, AI/ML security, cloud security, or emerging technology risk.
- Proven experience leading offensive security functions, including red/purple teaming, penetration testing, and continuous threat exposure management programs.
- Deep understanding of the MITRE ATT&CK framework, adversary emulation techniques, and modern attack methodologies across network, application, cloud, and identity domains.
- Deep subject matter expertise across multiple AI security domains, including AI governance, model security, cloud AI platforms, AI red teaming, and AI supply chain risk.
- Proven track record of defining and executing security strategy at a senior level within a complex, matrixed organization.
- Extensive knowledge of cloud AI/ML platforms, including AWS Bedrock, GCP Vertex AI, and equivalent services.
- Strong understanding of AI/ML frameworks, MLOps pipelines, and the AI system development lifecycle.
- Experience leading AI red team exercises, threat modeling engagements, and security posture assessments for AI systems.
- Familiarity with emerging AI security standards, regulatory guidance (e.g., NIST AI RMF, EU AI Act, OWASP LLM Top 10), and industry frameworks.
- Demonstrated experience working across GRC, Cyber Defense, IAM, and Engineering functions.

Preferred
- Experience implementing and managing Breach and Attack Simulation (BAS) tools such as AttackIQ, Cymulate, Picus Security, or Pentera.
- Offensive security certifications such as OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert), GPEN (GIAC Penetration Tester), GWAPT (GIAC Web Application Penetration Tester), or GXPN (GIAC Exploit Researcher and Advanced Penetration Tester).
- Experience with attack surface management platforms and continuous exposure assessment tools.
- Knowledge of exploit development, reverse engineering, and malware analysis.
- Experience with MCP (Model Context Protocol) server security and agentic AI security architectures.
- Background in adversarial machine learning, model robustness, or AI-specific threat intelligence.
- Prior experience building or scaling an AI Security or Offensive Security practice from the ground up.
- Relevant certifications such as CISSP, CISM, CCSP, or emerging AI security certifications.
- Experience in financial services, technology, or another highly regulated industry.
- Familiarity with threat intelligence platforms (e.g., MISP, ThreatConnect) and integration of threat intelligence into offensive security operations.

What Success Looks Like

In the first 12–18 months, the successful candidate will have:
- Established a clear, board-ready Cyber Resilience and AI Security strategy and multi-year roadmap.
- Implemented a continuous validation framework using Breach and Attack Simulation (BAS) and established a regular cadence of Red/Purple team exercises.
- Successfully integrated offensive security findings into the broader risk management and remediation lifecycle, measurably reducing the organization's attack surface.
- Stood up or significantly matured core AI Security capabilities, including AISPM, AI Red Teaming, and AI Supply Chain Security.
- Built strong cross-functional relationships and positioned the Cyber Resilience function as a business enabler, not just a risk control.
- Delivered measurable improvements in security posture across cloud AI platforms, internal model environments, and traditional enterprise infrastructure through validated security control effectiveness.
- Embedded AI-powered capabilities into at least two core security function areas (e.g., Cyber Defense, GRC).
- Demonstrated quantifiable improvements in detection and response capabilities through purple team collaboration and continuous validation programs.

If you like wild growth and working with happy, enthusiastic over-achievers, you'll enjoy your career with us!

It is the policy of Mobility to provide equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status, or any other characteristic protected by federal, state or local law. In addition, Mobility will provide reasonable accommodations for qualified individuals with disabilities.

Mobility delivers Essential Intelligence® that shapes decision making. We provide the world's leading organizations with the right data, connected technologies and expertise they need to move ahead. As part of our team, you'll help solve complex challenges that equip businesses, governments and individuals with the knowledge to adapt to a changing economic landscape.
Responsibilities
Lead the corporate cyber resilience function by defining strategies for offensive security and enterprise AI security governance. Oversee red teaming, penetration testing, and the integration of AI to enhance security capabilities across the organization.