Corporate Vice President - Technology and Cybersecurity Assessment & Oversight; TCAO Manager

Overview

Location Designation:
Hybrid - 3 days per quarter

As part of Risk Management, you'll play a pivotal role in safeguarding New York Life's strategic goals. By analyzing and mitigating potential risks, you contribute to three crucial areas: strengthening the company's defenses, informing sound business decisions, and advancing risk capabilities across the organization. Your expertise empowers informed risk-taking, fostering sustainable growth and protecting the financial security of millions of policy owners.

The Role Overview

The Technology and Cybersecurity Assessment & Oversight (TCAO) Manager is a key member of the Technology Risk team. The team is responsible for establishing and maintaining the organization’s Technology and Cybersecurity Risk framework and methodologies, as well as providing governance and oversight of cybersecurity project implementations and technology controls. This oversight ensures that relevant risks and controls are appropriately identified, assessed, and aligned with New York Life policies, standards, and control requirements.

The TCAO Manager is responsible for maintaining the IT Risk and Controls Catalog and for updating and enhancing the risk methodologies and models used to assess inherent and residual risk. The role also includes delivering timely, accurate risk reporting and providing prioritized, actionable risk recommendations to technology stakeholders. Continuous enhancement of risk frameworks and models is expected to reflect evolving technologies and emerging risks, including those related to Cloud computing and Artificial Intelligence.

In addition, the TCAO Manager provides governance over targeted technology domains by leading independent risk and control assessments and/or provide oversight to ensure controls are effectively mitigating risks and meeting internal, regulatory, and industry requirements.

• Technology & Cybersecurity Risk Frameworks and Methodologies
  • Maintain, enhance, and govern the enterprise Technology and Cybersecurity Risk framework to ensure alignment with New York Life policies, standards, industry frameworks and best practices, and regulatory expectations.
  • Develop, update, and document risk assessment methodologies, including inherent risk, control effectiveness, and residual risk models.
  • Ensure risk frameworks and methodologies evolve to address emerging technologies and risks, including Cloud computing, Artificial Intelligence, data security risks, etc.
  • Monitor industry trends, regulatory guidance, and leading practices to continuously strengthen risk assessment approaches.
• Risk Analysis, Reporting & Stakeholder Engagement
  • Apply risk models consistently to calculate inherent and residual risk and support risk-based decision-making.
  • Produce timely, accurate, and insightful risk reporting for senior management, risk committees, and technology leadership.
  • Translate complex technical risks into clear, actionable insights for non-technical stakeholders.
  • Provide risk-prioritized recommendations that support informed technology and business decisions.
  • Serve as a trusted risk advisor to Technology, Cybersecurity, and business partners.
• IT Risk and Controls Catalog Management
  • Own and maintain the IT Risk and Controls Catalog, ensuring risks, controls, and control mappings remain accurate, complete, and current.
  • Partner with Technology and Cybersecurity teams to validate risk and control definitions and ensure consistency across control frameworks.
  • Align the catalog with relevant regulatory, industry, and internal control requirements (e.g., NIST, ISO, CSA, internal standards).
• Risk and Control Governance & Oversight
  • Provide independent risk oversight of targeted technology controls and IT project implementations.
  • Partner with Risk and Technology teams to manage and execute targeted technology and cybersecurity risk and control assessments, ensuring scope, testing approaches, and conclusions are risk-based and defensible.
  • Evaluate the design and operating effectiveness of key technology and cybersecurity controls.
  • Ensure identified issues are clearly documented, risk-rated, and aligned to enterprise issue management standards.
• Continuous Improvement & Program Maturity
  • Identify opportunities to streamline, automate, and enhance risk assessment processes and reporting.
  • Contribute to the ongoing maturity of the Technology and Cybersecurity Risk program through improved tooling, metrics, and analytics.
  • Promote a strong risk culture by embedding risk considerations into technology planning and execution.

What You’ll Bring

• Experience:
  
  At least 8 years with strong IT and cybersecurity risk assessment experience, including:
  • Prior risk management, audit and/or consulting experience
  • Prior experience with designing and maintaining technology risk frameworks, with a strong understanding of key industry control frameworks (e.g., NIST CSF, ISO 27000, CSA CCM, CIS Controls, NIST AI, OWASP LLM Top 10, etc.)
  • Prior experience in managing, performing and documenting business,…