Join a role that's central to our technological controls and standards, offering a unique opportunity to shape the firm's tech controls strategy in alignment with various standards and regulatory requirements.

As a Tech Risk & Controls Lead at JPMorgan Chase within the Cybersecurity Technology and Controls, you will be responsible for  the firm’s control design, governance, standardization, and measurement across all the Cyber domains. Your primary focus will be leading and managing the Security Configuration Management domain. This role ensures that foundational and advanced controls across platform, network, endpoint and application security configuration are governed by clearly defined standards and measurable control objectives. This position blends deep technical understanding of controls and tooling with architectural oversight and governance rigor ensuring that the firm’s operational controls are consistently engineered, validated, and improved across both cloud‑native and on‑premises environments.

Job responsibilities

• Lead the development of technical control objectives and standards for Security Configuration Management and other Cyber domains.
• Leverages enterprise-authorized AI capabilities within the work environment to accelerate cybersecurity architecture analysis and decisioning (e.g., risk identification and documentation), validating outputs and handling data according to sensitivity and security requirements.
• Define measurable performance and effectiveness metrics for each control category, integrating telemetry, automation, and operational metrics into governance dashboards.
• Uses enterprise-authorized AI capabilities within the work environment to accelerate synthesis of risk/control evidence and draft executive-ready reporting, validating outputs and handling data according to sensitivity and security requirements
• Promotes reuse-first, AI-assisted approaches to streamline recurring control testing and issue/action-plan management routines, ensuring human review and alignment to auditability and regulatory expectations
• Partner with security engineering and operations teams to evaluate control sufficiency against threat models, regulatory expectations, and internal policies.
• Govern control implementation and sustainment across hybrid ecosystems (cloud, data center, and user endpoint environments), ensuring consistent security posture.
• Assess and guide integration of firm wide configuration drift monitoring tools (Evolven, Puppet, Chef, Wiz etc…) with JPMC's GRC ecosystem to align with standardized control objectives.
• Provide strategic insight into the control posture to architecture and risk governance leadership, driving continuous improvement in control effectiveness and efficiency.
• Collaborate across architecture, operations, and GRC teams to ensure security configuration, network and endpoint controls align with enterprise configuration standards, policies, and frameworks.
• Drives reuse-first adoption of AI-assisted security validation within SDLC/toolchain routines, improving control testing and remediation quality with traceability/auditability and resiliency expectations.
• Formal training or certification with 5+ years of experience in cybersecurity controls architecture, security engineering, or operations leadership (various Cyber domains).
• Proficient in designing or governing technical control frameworks across hybrid environments (AWS, Azure, on‑premises).

Required qualifications, capabilities, and skills

• Professional certifications such as Cloud Certifications (AWS Solutions Architect, AWS Security Specialist), CISSP, CISM, or GIAC.
• Experience designing metrics and governance frameworks for Security Configuration Management, SOC, network security, or endpoint control domains.
• Strong working knowledge of GRC tools like Archer, infrastructure as code, and control enforcement in dynamic and hybrid environments.
• Demonstrated experience using enterprise-authorized AI capabilities within the work environment to support technology risk and controls workflows with strong validation habits and awareness of data sensitivity.
• Ability to review and validate AI-assisted risk summaries and recommendations before use, escalating when uncertain and ensuring outcomes align to security, auditability, and regulatory expectations.

#CTC