The selected colleague will work at an MUFG office or client sites four days per week and work remotely one day. A member of our recruitment team will provide more details.
The Control Testing Lead will be responsible for leading a team that plans, executes, documents, and reports results for technology control testing across cloud and on-premises environments. This role will manage direct reports, establish testing priorities, oversee quality of execution, and drive consistent control testing practices across technical domains. The role requires strong knowledge of cybersecurity, cloud security, technical controls, infrastructure control design, software development lifecycle practices, and risk-based assurance methodologies.
This position will serve as a team leader within a broader Cybersecurity GRC control assurance operating model, accountable for directing testing activities, developing team capability, influencing control quality, and providing insight to engineering, security architecture, application, infrastructure, audit, risk, and compliance stakeholders. The role will work extensively with Cybersecurity GRC to align testing priorities, evidence standards, issue rationale, reporting expectations, and remediation themes while helping ensure that controls are appropriately designed, operating effectively, supported by reliable evidence, and aligned to regulatory, internal policy, and industry framework requirements.
Key Responsibilities- Lead and manage a team responsible for control testing activities across cloud, hybrid, and on-premises environments, with emphasis on cloud services, infrastructure, identity, access, configuration, logging, monitoring, vulnerability management, and change management controls.
- Set testing strategy, define annual and quarterly priorities, oversee risk-based test plans, and ensure test scripts, walkthrough procedures, evidence requests, sampling approaches, and testing documentation are consistent and defensible.
- Manage direct reports by setting goals, assigning work, reviewing deliverables, providing coaching, supporting career development, and maintaining accountability for quality, timeliness, and risk-based judgment.
- Assess control design and operating effectiveness by reviewing system configurations, architecture patterns, policies, procedures, tickets, logs, screenshots, reports, and other supporting evidence.
- Drive continuous, automated control monitoring and assurance to reduce manual, point-in-time validation
- Evaluate technical controls across cloud platforms, including identity and access management, network segmentation, encryption, key management, logging, monitoring, workload protection, vulnerability remediation, backup and recovery, and secure configuration baselines.
- Evaluate on-premises technical controls across servers, databases, network devices, endpoints, applications, data centers, and supporting infrastructure.
- Review software development lifecycle and secure delivery controls, including secure design, threat modeling, code review, testing, deployment pipeline controls, release management, change approvals, segregation of duties, and production deployment governance.
- Identify control gaps, evidence deficiencies, design weaknesses, and operating issues, document clear observations, risk impacts, root causes, and practical remediation recommendations.
- Work extensively with Cybersecurity GRC, compliance, audit, application, infrastructure, cloud engineering, and security architecture stakeholders to validate control performance, align on testing expectations, resolve control evidence questions, and support consistent issue treatment.
- Provide leadership, coaching, and technical guidance to control testers, analysts, and stakeholders on testing methodology, evidence standards, technical control concepts, documentation quality, and audit-ready conclusions.
- Own testing progress, issue status, remediation themes, management reporting, audit readiness, risk and control forums, assurance routines, and continuous improvement of the control testing function.
Required Qualifications- 10+ years of experience in technology risk, IT audit, cybersecurity, control testing, cloud security, infrastructure security, or related technical assurance roles, including experience leading teams or managing direct reports.
- Strong understanding of cloud and hybrid control environments, with practical knowledge of on-premises infrastructure control concepts.
- Strong understanding of AI models and ability to define and execute appropriate assessment strategy
- Demonstrated experience testing technical controls, including access management, privileged access, change management, vulnerability management, logging and monitoring, encryption, backup and recovery, incident response, configuration management, and network security.
- Strong understanding of software development lifecycle practices, secure delivery methods, deployment controls, release management, and production change governance.
- Ability to lead testing teams, manage performance, review workpapers, develop talent, resolve execution blockers, and maintain consistent quality across concurrent testing activities.
- Strong analytical judgment with the ability to assess control design and operating effectiveness using evidence-based testing.
- Ability to interpret technical evidence and translate findings, risk themes, control gaps, and remediation trends into clear documentation, leadership messaging, and actionable management reporting.
- Strong communication and stakeholder management skills, including the ability to engage technical and non-technical audiences, challenge control design constructively, and influence outcomes.
- Ability to manage multiple testing workstreams, prioritize risk-based activities, escalate risks appropriately, and deliver high-quality outcomes within established timelines.
Education- Bachelor's degree in computer science or a closely related discipline, or an equivalent combination of formal education and experience
Other Details
- The typical base pay range for this role for NY/NJ is between $147k - $194k depending on job-related knowledge, skills, experience, and location. Non NY/NJ is 144k-180k
- This role may also be eligible for certain discretionary performance-based bonuses and/or incentive compensation. Additionally, our Total Rewards program provides colleagues with a competitive benefits package (in accordance with the eligibility requirements and respective terms of each) that includes comprehensive health and wellness benefits, retirement plans, educational assistance and training programs, income replacement for qualified employees with disabilities, paid maternity and parental bonding leave, and paid vacation, sick days, and holidays. For more information on our Total Rewards package, please click the link below.
- VISA sponsorship is not available for this position
The above statements are intended to describe the general nature and level of work being performed. They are not intended to be construed as an exhaustive list of all responsibilities duties and skills required of personnel so classified.
