Senior Cyber Hygiene Governance/ Engineer Operations

The Senior Cyber Hygiene Governance holds overall subject-matter responsibility for the cyber hygiene governance framework with a strong focus on audit and evidencing requirements. The role ensures that cyber hygiene controls (Govern/Identify/Protect) are clearly defined, consistently implemented, effectively monitored and audit-ready. It acts as a central interface for internal and external audits as well as supervisory reviews in the context of cyber hygiene.

Your tasks

Governance Framework & Policies

• Design, maintain and continuously improve the cyber hygiene governance framework (policies, standards, SLAs, RACI, exception and risk acceptance processes)
• Ensure that cyber hygiene requirements are clear, consistent and operationally implementable (especially for vulnerability, patch and baseline configuration management)

Regulatory Requirements & Compliance

• Translate regulatory and 2nd Line of Defense requirements (e.g. DORA, BAIT, MaRisk, NIS 2, PCI-DSS, SOC2-like frameworks) into concrete cyber hygiene controls and control objectives
• Regularly assess the effectiveness of implemented controls, identify control gaps and drive remediation measures

Audit Preparation and Support

• Act as central point of contact for Internal Audit, external auditors and supervisory authorities on cyber hygiene topics
• Plan, coordinate and support audits and reviews (incl. preparing stakeholders, providing evidence, creating overviews and mappings of controls)
• Ensure audit-proof documentation of controls, roles, processes, decisions, exceptions and risk acceptance cases
• Support definition, evaluation and follow-up of audit findings, management actions and remediation plans until closure

Reporting, KPIs & KRIs

• Define, evolve and maintain KPIs, KRIs, scorecards and reporting models for cyber hygiene, including an audit and compliance perspective
• Prepare executive-ready reports for CISO, Risk Management, Compliance, Internal Audit and steering committees

Interface to Security Problem Management

• Ensure that structural insights from Security Problem Management (root causes, trend analyses, recurring weaknesses) are reflected in governance artefacts and control requirements
• Support prioritisation of issues with high relevance for audits and regulatory compliance

Advisory, Training & Awareness

• Advise business and IT stakeholders and senior management on cyber hygiene governance, controls and audit expectations
• Develop and deliver guidelines, training and FAQs on governance and audit requirements related to cyber hygiene
• Coach Junior and Regular Governance Specialists, especially on audit-ready documentation and interaction with auditors

Your profile

Professional Experience

• Several years of experience in cyber security governance, IT risk management, internal/external audit or comparable roles in regulated industries (ideally financial services / critical infrastructure)

Technical & Domain Knowledge

• Deep knowledge of relevant security frameworks and regulatory requirements (e.g. ISO 27001/2, DORA, BAIT, MaRisk, NIS 2, PCI-DSS, SOC2-like frameworks)
• Strong understanding of cyber hygiene controls (vulnerability, patch and configuration management) and how to evidence them to auditors and regulators
• Experience in control design and assessment (design & operating effectiveness) and in deriving remediation measures from audit findings
• Experience with defining and using KPIs/KRIs for governance and audit-related reporting

Methodological & Personal Skills

• Strong strategic, conceptual and systemic thinking with a focus on traceability, auditability and sustainability of solutions
• Excellent communication, facilitation and stakeholder management skills – especially in dealing with Audit, supervisory bodies, CISO, Risk Management and IT
• High resilience and professionalism in critical audit and escalation situations

Languages & Certifications

• Excellent English skills (written and spoken); German is a strong plus
• Relevant certifications are an advantage (e.g. ISO 27001 Lead Implementer/Lead Auditor, CISM, CRISC, CISA)

Our Benefits

• 30 days of vacation
• Flexible work
• Employee conditions
• Professional training & development
• Capital-forming benefits
• Friendly work environment
• Diverse tasks
• Work-life balance

30 days of vacation; Flexible work; Employee conditions; Professional training & development; Capital-forming benefits; Friendly work environment; Diverse tasks; Work-life balance

The company

Commerzbank is the leading bank for the Mittelstand and with a comprehensive portfolio of financial services a strong partner for corporate client groups and private and small-business customers in Germany. We are a bank that is characterized by a fair and cooperative relationship with one another and with our customers.

We appreciate working in inspiring teams of people who bring a diverse background. We offer a creative environment and excellent career development opportunities. Work Life Balance is very important to us. And of course, we know that a good job also includes an attractive salary.

Contact

Would you like to become a member of a strong and dedicated team? If so, please submit your application online. If you have any further enquiries about this role, please contact Linh Jasmin Vo +49 69 935349407 or email her at [email protected].