Information Security Risk Consultant

BOK Financial's cybersecurity team is at the core of the organization's digital defense, ensuring the confidentiality, integrity, and availability of sensitive financial and personal data. With deep expertise in areas like databases, networks, firewalls, and encryption, the team safeguards the bank's advanced technology infrastructure against evolving cyber threats. Their work supports secure digital operations and drives innovation, enabling BOK Financial to deliver seamless and protected banking experiences.

The Information Security Risk Consultant supports the Information Security team by performing risk assessments, advising on remediation strategies, and contributing to the development of security frameworks and methodologies. The consultant will work closely with business units, technology teams, and external partners to ensure alignment with regulatory requirements and internal policies. The position also contributes to the continuous improvement of risk management processes and supports the implementation of security controls across projects and systems.

We lead with a deep commitment to cybersecurity because protecting sensitive financial and personal data is essential to earning and maintaining trust. Security is more than a responsibility-it's a mindset woven into every decision, driven by collaboration, innovation, and continuous learning. Our focus is on empowering individuals to grow while making a meaningful impact on the safety and resilience of our digital environment.

• You will conduct independent security risk assessments across applications, systems, infrastructure, processes, and vendors.
• You will ensure compliance with internal policies and external regulations such as GLBA, SOX, PCI, and FFIEC guidelines.
• You will advise project teams on implementing appropriate security controls to meet compliance requirements.
• You will develop and maintain risk assessment frameworks that address emerging threats and evolving regulations.
• You will assist in vendor due diligence and recommend contract language to mitigate security risks.
• You will evaluate exception requests and define temporary security controls until full compliance is achieved.

This level of knowledge is normally acquired through a Bachelor's Degree in Computer Science, Information Assurance, Technology or a related field, and 8+ years of experience in Information Security or 10+ of IT experience or equivalent combination of education and experience. Prior experience in the financial services industry is preferred.

Information Security, Risk Management, or Internal Audit certifications are desirable (Security +, CISSP, CISA, CRISC, GIAC)

• Understanding of strategic business risks.
• Ability to identify and assess the potential impact of cyber security risks.
• Thorough knowledge of risk assessment procedures, policy creation, cyber security technologies, and security attack vectors.
• Knowledge and understanding of business needs and business planning, systems analysis and application development.
• Ability to support business units in understanding residual risk and mitigation tactics.
• Basic knowledge of a broad range of standards and frameworks, such as ISO 27001, NIST, PCI DSS, FFEIC, GLBA, etc.
• Ability to effectively adapt to rapidly changing technology and apply it to business needs.
• Excellent analytical, critical thinking and problem-solving skills.
• Excellent ability to prioritize, organize and handle multiple tasks simultaneously.
• Ability to translate technical concepts to non-technical audiences.
• Excellent verbal and written communication skills and the ability to communicate risk assessment findings to business stakeholders in a way that drives decisions on appropriate risk strategies.