About the RoleWe advise large U.S. banks, broker-dealers, and insurers on the most consequential
cyber security problems they face - the ones that show up in MRAs, MRIAs, Consent Orders.
As a Senior Consultant on our Cyber & Regulatory Remediation team, you will lead client-facing workstreams that translate regulator findings into defensible, executable remediation plans, and then drive those plans to closure alongside CISO, Risk, and Audit leadership.
This is not a generic GRC role. You will own the substance: writing remediation roadmaps that an OCC, FRB, or NY DFS examiner will accept, hardening the controls that fail under exam, and personally pushing technical workstreams - incident response, vulnerability and patch management, and identity - across the finish line.
What You'll Do- Lead regulatory remediation programs. Translate MRAs, MRIAs, Matters Requiring Attention, Consent Orders, and 500.17 (NY DFS) cybersecurity event notifications into prioritized remediation plans with defensible milestones, evidence requirements, and validation criteria.
- Run point with examiners and internal audit. Prepare clients for FRB, OCC, FDIC, NY DFS, SEC, and FFIEC exams and continuous-monitoring touchpoints. Draft response letters, walkthroughs, and evidence packages. Defend the work.
- Drive technical remediation, not just documentation. Partner with client CISO, IT Risk, Infrastructure, and IAM teams to actually close findings - not just status-report them. Push for engineering outcomes, not slideware.
- Run cyber incident response engagements. Lead or co-lead client-side IR for material events: containment strategy, forensic coordination, regulator and law-enforcement notification timing, executive and board communications, and post-incident remediation.
- Strengthen vulnerability and patch management programs. Assess current-state VM/patch operations, design risk-based SLAs, build exception governance, and operationalize tooling (Qualys, Tenable, Rapid7, Wiz, ServiceNow VR) so remediation actually happens at SLA.
- Lead IAM remediation workstreams. Drive privileged access management, joiner-mover-leaver, recertification, segregation-of-duties, and identity governance improvements. Reduce standing privilege and clean up the access debt regulators flag.
- Coach the team. Mentor analysts and consultants. Review their deliverables. Raise the bar on what "good" looks like in a remediation deliverable.
- Grow the practice. Contribute to proposals, thought leadership, and methodology assets. Identify follow-on work with existing clients.
Required Regulatory ExpertiseYou should be able to walk into a client room and speak credibly to at least three of the following frameworks and regimes - not from a study guide, but from having done the work:
- Federal Reserve Board (FRB) / SR 11-7 model risk, SR 20-24 and SR 21-14 cyber and operational resilience guidance, MRAs and MRIAs.
- OCC Heightened Standards (12 CFR Part 30, Appendix D) and OCC cyber risk expectations.
- NY DFS Part 500 - including the 2023 amendments: CISO reporting to the Board, governance, 72-hour incident notification, ransomware payment notification, asset inventory, MFA, encryption, and Class A company requirements.
- FFIEC Cybersecurity Assessment Tool, IT Examination Handbook (Information Security, Business Continuity, Operations).
- SEC Cybersecurity Disclosure Rules (Regulation S-K Item 106, Form 8-K Item 1.05) and Reg S-P amendments.
- NIST CSF 2.0, NIST 800-53, NIST 800-171; ISO/IEC 27001/27002; CIS Controls.
- SOX ITGC, PCI DSS 4.0, GLBA Safeguards Rule, and SOC 1/SOC 2 attestation work - nice-to-have.
Required Technical & Operational Expertise Cyber Incident Management- Hands-on experience leading or coordinating IR for ransomware, business email compromise, third-party breach, insider, and nation-state events.
- Working knowledge of NIST SP 800-61, MITRE ATT&CK, and the practical mechanics of containment, eradication, and recovery in complex enterprise environments.
- Comfort coordinating across legal, privacy, communications, forensics (Mandiant, CrowdStrike, Kroll, Unit 42), insurance, and regulators under time pressure.
- Experience drafting and defending incident notifications and regulator communications under NY DFS Part 500, SEC 8-K Item 1.05, GDPR, and state breach laws.
Vulnerability Remediation & Patch Management- Demonstrated experience designing or remediating enterprise VM programs: scanning coverage, risk scoring (CVSS, EPSS, KEV), SLA design, exception governance, and metrics.
- Operational familiarity with Qualys, Tenable (Nessus / Tenable.io / Tenable.sc), Rapid7 InsightVM, Wiz, Microsoft Defender for Cloud, and ServiceNow Vulnerability Response.
- Patch management at scale across Windows, Linux, network, container, and cloud workloads - including the political work of getting business units to actually patch.
Identity & Access Management (IAM)- Strong grasp of IAM domains: identity governance and administration (IGA), privileged access management (PAM), authentication and federation, joiner-mover-leaver, access certification, and SoD.
- Working experience with at least two of: SailPoint, Saviynt, Okta, Azure AD / Entra ID, Ping, CyberArk, BeyondTrust, Delinea.
- Practical experience reducing standing privilege, designing role models, and remediating common findings (orphaned accounts, toxic combinations, shared service accounts, weak recertification).
