Principal Information Security Governance & Risk Management

Location: VA Winchester - Operations | Full/Part Time: Full-Time | Regular/Temporary: Regular

Job Description


You have goals, dreams, hobbies and things you’re passionate about.

What’s Important to You Is Important to Us
We’re looking for people who not only want to do meaningful, challenging work, keep their skills sharp and move ahead, but who also take time for the things that matter to them—friends, family and passions. And we're looking for team members who are passionate about our mission—making a difference in military members' and their families' lives. Together, we can make it happen.

Don’t take our word for it.

• Military Times 2021 Best for Vets Employers
• WayUp Top 100 Internship Programs
• Forbes® 2022 The Best Employers for New Grads
• Forbes® America's Best Employers
• Newsweek Top 100 Most Loved Workplaces
• Fortune Best Workplaces for Women
• Fortune 100 Best Companies to Work For®
• Computerworld® Best Places to Work in IT

Basic Purpose

The Principal, Information Security Governance & Risk Management supports Navy Federal Credit Union’s (NFCU) Information Security Division in effectively managing the Enterprise’s Information Security risks and overall program. Responsible for the strategy, management, and the overall execution of first line of defense information security risk management and governance activities at the enterprise. This role will collaborate with NFCU business unit Sr. leaders across the enterprise to identify, mitigate and manage information security risks. Uses extensive industry and real-world experience to lead information security governance and risk management activities, developing pragmatic solutions to address gaps in line with established risk appetites. Ensure information security governance and risk management activities align with strategic business initiatives, achieve business and quality objectives, mitigate risk and enhance operating procedures. Develop dashboards, metrics and reporting data to provide consultative guidance during monthly and quarterly governance committees. Promote operational efficiency and service excellence through appropriate risk controls, process improvements and training while reducing and mitigating financial losses.


•    Develop and implement a best-in-class emerging industry risks program to comprehensively and proactively identify trends, regulatory changes, reputational challenges, and misinformation that could affect NFCU or its members.  
•    Lead the development and implementation for a risk rating methodology to drive risk assessments based on the changing threat landscape and a dynamic internal operating environment.
•    Support the Information Security Standards Management and Assurance program across the enterprise to ensure right sized compliance and alignment to industry best practices.
•    Develop and lead a comprehensive Information Security Program Maturity Assessment and Risk Assessment initiatives in line with the enterprise goals and regulatory expectations. – Adjust to support library functions (framework and assessments)
•    Support the PCI Security Standards program ensuring compliance and/or assurance with the data security standards.
•    Support the Information Security Governance Function’s Change Management practices, ensuring the delivery of a consistent framework, supporting other pillars including, but not limited to, RCSA, Issues and Events, Controls Testing, GRC and Third-Party Risk Management.
•    Ensure the effective identification, mitigation and management of information security risks arising from business activities.  In addition, provide guidance and advice to senior management on the status of their control environment related to standards compliance, risk identification and control issues.  Identify critical areas to monitor and escalate issues and findings to appropriate stakeholders and governance committees.
•    As applicable, articulate implications of risks and issues related to data management and protection to sponsors and risk owners and, if necessary, assist with security exceptions or issue management
•    Translate control deficiencies into action plans and provide recommendations to enhance governance practices in alignment with risk and compliance frameworks.
•    Participate in Security-related special projects, councils, working groups, etc. as a Risk SME. 
•    Experience in developing technical documentation (policies, standards, baselines, playbooks, etc.) in support of information security requirements. 
•    Develop security processes in collaboration with operational and technical owners in conformance with documented and newly developed security requirements.
•    Ability to analyze and provide technical recommendations for solutions and tools to address information security risks.
•    Perform other duties as assigned.


•    Bachelor's degree in Information Systems, Computer Science, Engineering, Business, Mathematics, Economics, or related field, or the equivalent combination of education, training and experience
•    A minimum of 12-15 years of experience leading risk and/or compliance related activities in financial services or other relevant industry, especially Operational Risk Programs
•    Deep knowledge of federal banking safety and soundness regulations and extensive familiarity with CAMELS, FFIEC and examination approaches from NCUA, OCC, FHFA and the CFPB.
•    Extensive knowledge of industry-leading risk management frameworks (e.g., COSO, COBIT, NIST CSF, ITIL)
•    Advanced knowledge of the PCI standards framework
•    Working knowledge of at least one data protection and/or privacy framework (e.g., DMM, DMBOK, NIST Privacy Framework)
•    Working knowledge of the MITRE ATT&CK framework
•    Extensive experience in the development of risk management frameworks along with the requisite implementation
•    Advanced knowledge of information technology systems, project processes, and application development 
•    Advanced organizational, planning and time management skills
•    Advanced research, analytical, and problem-solving skills
•    Advanced skill developing and implementing programs in a leadership role
•    Advanced skill building effective relationships with all levels of staff, management, stakeholders, and vendors, through rapport, trust, diplomacy, and tact
•    Advanced verbal, written, interpersonal, and presentation skills to communicate technical and non-technical information clearly and concisely to all levels of management, and a strong EQ
•    Effective skill to influence, negotiate and persuade to reach agreeable exchange and positive outcomes
•    Advanced skill exercising initiative and using good judgment to make sound decisions

Desired Qualifications and Education Requirements

•    Graduate education in Business, Cyber/Information Security Risk, Information Systems, Computer Science, Engineering, Quantitative discipline or related field
•    Professional certifications including, but not limited to any of the following: CISA, CISM, CISSP, CGEIT, CRISC, CIA, CIPP, ISA, AWS, etc.
•    Professional or planned date for certification in Operational Risk, and/or specialized in Technology or Information Security
•    Knowledge of industry-accepted security frameworks and best practices (e.g., NIST CSF/800-53, PCI DSS, HIPAA Security Rule, etc.)

Hours: Monday - Friday, 8:00AM - 4:30PM

Location: 820 Follin Lane, Vienna, VA 22180 | 5550 Heritage Oaks Dr. Pensacola, FL 32526 | 141 Security Dr. Winchester, VA 22602

Navy Federal is now hybrid! Our standard enterprise requirement for a hybrid schedule is to report on-site 4-16 days each month. The number of days reporting on-site will ultimately be determined by the employee's leadership and business unit needs. You will learn more throughout the hiring and onboarding process.

Salary Range: $116,200 - $213,000 annually

Navy Federal Credit Union assesses market data to establish salary ranges that enable us to remain competitive. You are paid within the salary range, based on your experience, location and market position.

Posting End Date: 04/16/2023

Job postings are subject to close early or extend out longer than the anticipated closing date at the hiring team’s discretion based on qualified applicant volume.


Equal Employment Opportunity

Navy Federal values, celebrates, and enacts diversity in the workplace. Navy Federal takes affirmative action to employ and advance in employment qualified individuals with disabilities, disabled veterans, Armed Forces service medal veterans, recently separated veterans, and other protected veterans. EOE/AA/M/F/Veteran/Disability


Navy Federal reserves the right to fill this role at a higher/lower grade level based on business need. An assessment may be required to compete for this position.

Bank Secrecy Act

Remains cognizant of and adheres to Navy Federal policies and procedures, and regulations pertaining to the Bank Secrecy Act.

Employee Referrals

This position is eligible for the TalentQuest employee referral program. If an employee referred you for this job, please apply using the system-generated link that was sent to you.