Information Security Risk Oversight Manager
Irving
Thursday, 23 April 2026
The Information Security Risk Oversight Manager serves as a key member of the Cybersecurity Risk Oversight team within the Second Line of Defense (2LoD). This role is accountable for providing independent oversight and credible challenge of the First Line Information Security program to ensure risks are appropriately identified, assessed, managed, monitored, and reported in alignment with regulatory requirements, industry standards, and internal risk appetite. This position is intentionally designed for a senior, autonomous professional who can manage their own oversight portfolio, prioritize work based on material risk, and engage effectively with Information Security Services, Technology teams, and senior leadership.

Key Responsibilities

- Provide independent oversight and credible challenge of the Information Security program across multiple security pillars, including governance, risk assessments, controls, metrics, and issue management.
- Perform risk-based assessments of first line security practices, identifying gaps, weaknesses, thematic concerns, emerging risks, and control deficiencies.
- Develop and articulate independent risk opinions supported by sound analysis, evidence, and professional judgment.
- Evaluate alignment of first line activities with applicable laws, regulations, regulatory guidance, industry standards (e.g., NIST SP 800-53, FFIEC, PCI DSS, NIST CSF 2.0), and internal policies.
- Monitor key risk indicators, security metrics, assessment results, and issue trends to identify systemic risks or areas requiring escalation.
- Escalate material risks, control weaknesses, or ineffective risk management practices through appropriate governance and reporting channels.
- Act as a subject matter expert on information security risk, providing insights and guidance to stakeholders while maintaining 2LoD independence.
- Build and maintain strong, professional relationships with first line stakeholders while confidently challenging assumptions, conclusions, and risk positions when necessary.
- Contribute to executive-level risk reporting by clearly summarizing risk posture, trends, and areas of concern in a concise and defensible manner.
- Stay current on evolving cybersecurity threats, regulatory expectations, and industry best practices to continuously strengthen oversight effectiveness.

Basic Qualifications

- Bachelor's degree, or equivalent work experience.
- Typically more than ten years of applicable experience.

Preferred Skills/Experience

- Strong foundational understanding of information security domains (e.g., vulnerability management, identity and access management, application security, cloud security, security governance, incident management).
- Demonstrated ability to perform risk assessments and oversight activities with depth, critical thinking, and professional skepticism.
- Experience operating in or with a Second Line of Defense, audit, or regulatory environment is strongly preferred.
- Proven ability to work independently and autonomously, managing priorities and delivering high-quality work with limited direction.
- Strong written and verbal communication skills, including the ability to translate technical risk into clear, executive-ready insights.
- Ability to engage confidently with senior stakeholders while maintaining independence, objectivity, and professionalism.
- Relevant certifications (e.g., CISSP, CISA, CRISC, CISM) are preferred but not required.

This role requires working from a U.S. Bank location three (3) or more days per week. If there is anything we can do to accommodate a disability during any portion of the application or hiring process, please refer to our disability accommodations for applicants.