Technology Risk Lead - MBD

Location(s) US-NY-New York
Job ID
Schedule Type
Full Time
Vice President
Project/Program Manager, Security Engineer
Merchant Banking Division
Business Unit
Investing & Lending Engg
Employment Type


We invest in corporate equity and debt, real estate equity and debt, and infrastructure-related assets and companies. Merchant Banking operates on a global platform and our team works in a fast-paced, exciting environment. We look for individuals with versatile skills and a passion for investing.


The Merchant Banking Division has a small engineering team with an out-sized impact on the division’s internal information technology, investments in other firms, and acquisition of other firms.


Merchant Banking Division is looking for a mid-level VP to lead cybersecurity and technology risk embedded within the Merchant Banking Division (MBD) of Goldman Sachs. Goldman Sachs is critical infrastructure for the US and global financial system. We face the most sophisticated threats in the world, including organized crime and sovereign state attackers.


*We are open to both NYC and Dallas*



Your role will be fourfold: (1) ensure that MBD-developed or acquired software and systems are architected and implemented to be resilient and secure; (2) manage the portfolio of risks and associated uplifts for MBD’s software and systems; (3) participate in the portfolio risk management and business development processes of the division; (4) create a lightweight and scalable program to assess and manage risk in current and potential portfolio companies; and (5) help MBD assess whether or not to make particular investments in cybersecurity and technology companies.


The first two roles are to serve as the cybersecurity solutions architect and manager of risk (50% time).


In its technology stack, MBD faces two primary sources of risk: (a) the risk of insecurity of either MBD-developed or vendor applications and (b) the security of the sensitive information that MBD must transfer for its business. In particular, MBD’s reliance on third parties and advisers for due diligence, such as accountants and law firms, presents potential data leakage risk and associated reputational or regulatory impact.


To address these risks, the MBD Tech Risk VP would: identify tooling and controls to better protect the sensitive information MBD transfers inside and outside the firm; manage the cybersecurity risk of MBD apps, both internal and vendor, which would include managing vulnerabilities and implementing firmwide priorities, such as demising hardware or software that is no longer supported by a vendor; and shape the architecture, design, and implementation (code reviews) of new MBD applications to ensure that cybersecurity is built into the application.


The third role is to address cybersecurity risks in portfolio companies (~45% time).


A cybersecurity incident at a portfolio company in which the firm maintains a majority interest may result in both direct and indirect financial loss. A cybersecurity incident at a portfolio company may also cause immediate reputational harm to GS even where we do not maintain direct control over the company’s operations.


The MBD Tech Risk VP would build upon the work of existing consultants and advisers by: triaging the cybersecurity risk of portfolio companies based on their particular business, data, and regulatory environment; creating a program to assess the adequacy of portfolio companies’ existing controls (some assessments would be done by this individual, others by contractors); and overseeing uplifts to portfolio companies’ controls.


The fourth role is to advise MBD on Cybersecurity Investments (5% time).


A small part of this role would serve to provide subject-matter expertise on particular investment targets in the cybersecurity or broader technology fields.


This position is in New York (preferred) or Dallas and will report directly to the head of MBD Engineering, with a dotted line to the firm’s Global CISO. You will be a senior individual contributor. Success will be defined in part by managing the above risks without having to hire additional full-time employees.


Job Responsibilities:

  • Provide direction on application and system security risks (cloud, web services, mobile apps, client-server architectures)
  • Shape and advise on risk decisions related to both on-premise infrastructure and public cloud
  • Represent firmwide TechRisk requirements to the business and drive adoption
  • Maintain risk portfolio for the MBD business. This includes identifying and tracking key risks associated with the business and providing expert knowledge of security risks for technologies such as web, mobile, networks, operating systems and client/server architectures
  • Ensure that all critical applications have an assigned security champion and assist security champions in fulfilling their responsibilities
  • Support MBD Engineering leadership by representing the division’s risk at relevant technology risk committees
  • Act as a key partner and integration point between MBD and firmwide TechRisk teams, processes and frameworks
  • Drive development, implementation, and adoption of information security standards and solutions
  • Partner with the MBD Operating Council, Digital Advisory Council and Software Council to maintain and enhance cyber risk identification, scoring and mitigation advice for our portfolio companies
  • Assist deal teams and Operating Council members to evaluate potential investments in cybersecurity and technology businesses, and subsequent to any investment, help those companies in their growth
  • Establish a scalable process that ensures continuous oversight for portfolio companies


Basic Qualifications:

  • We want experience measured in success and professional development, not necessarily measured in years of “time served”, but it’d be hard to imagine this wasn’t accumulated over at least 7 years
  • You are expected to have some technical expertise in application security and controls, although you will not be expected to develop software yourself
  • You will need to work collaboratively and build coalitions across teams and divisions, helping your counterparts understand and make risk decisions
  • Communications skills necessary to engage in technical discussions with other Engineering groups, but also to convey the same concepts and issues at a high level to senior leadership
  • Exceptional written and oral communication skills with a proven ability to articulate complex ideas, express and defend a point of view, and influence outcomes
  • Experience running security at scale, using tools, processes, and outside consultants to ensure that you can have an impact across lots of systems and companies


Preferred qualifications:

  • Experience with managing risks in external companies: third parties, fourth parties, subsidiaries, or investments
  • Experience performing architecture and code reviews
  • Experience driving control uplift programs for existing and legacy applications


At Goldman Sachs, we commit our people, capital and ideas to help our clients, shareholders and the communities we serve to grow. Founded in 1869, we are a leading global investment banking, securities and investment management firm. Headquartered in New York, we maintain offices around the world.

We believe who you are makes you better at what you do. We're committed to fostering and advancing diversity and inclusion in our own workplace and beyond by ensuring every individual within our firm has a number of opportunities to grow professionally and personally, from our training and development opportunities and firmwide networks to benefits, wellness and personal finance offerings and mindfulness programs. Learn more about our culture, benefits, and people at

We’re committed to finding reasonable accommodations for candidates with special needs or disabilities during our recruiting process. Learn more:

© The Goldman Sachs Group, Inc., 2020. All rights reserved.
Goldman Sachs is an equal employment/affirmative action employer Female/Minority/Disability/Veteran/Sexual Orientation/Gender Identity