Consultant – Information Security Risk Director at SUMITOMO MITSUI BANKING CORPORATION (2024-04 – 2026-04)
Led and owned the Governance, Risk, and Compliance (GRC) program's technology risk assessments globally, anchored to NIST CSF v2, AI RMF, CRI Profile, FFIEC, and SOX ITGC.
- Conducted cybersecurity risk and control assessments, security design reviews and threat risk assessments across global infrastructure, business applications, and cloud platforms spanning 18 group companies, 2,000+ applications and 1,200+ service owners.
- Led vendor security reviews, evaluating SOC 2 reports, ISO 27001 certifications, and penetration test results to assess vendor control maturity.
- Converted regulatory requirements into workable, delivery-ready controls and operating practices adopted across group companies.
- Tracked, managed, and drove remediation efforts for control deficiencies, vulnerability mitigation and gaps identified through internal and external audits. Coordinated regulatory examinations and internal audits.
- Held service owners accountable for closing high-severity findings and brought down the backlog of aged items.
- Drove the working relationship with service owners, architecture, internal audit, and second-line functions.
- Collaborated with Procurement, Legal, and Third-Party Risk Management teams to embed security requirements into contracts, onboarding, and ongoing vendor oversight.
- Partnered with global Lines of Business, enterprise Information Security teams, and risk partners across regions to challenge inherent risk assessments and improve the consistency and defensibility of 100+ risk acceptances.
- Contributed to the design and continuous enhancement of global IT Risk Frameworks, policies, and procedures, driving process and tooling improvements that increased assessment efficiency by 10% while strengthening alignment with FFIEC, NIST, CRI Profile, AI RMF and internal risk appetite standards.
- Collaborated with engineering teams, leveraging AI to enhance the efficiency of control automation.
- Oversaw the planning, execution, and escalation of IT disaster recovery and business continuity efforts, ensuring proper business resilience across all divisions.
- Delivered executive and Board-level reporting on global cyber KRIs, enabling escalation and resolution of high-risk issues annually, and improving leadership response time to emerging threats.
- Led annual mandatory SWIFT attestation for compliance with the Customer Security Controls Framework (CSCF).
- Managed a program of projects - led the formulation, organization, and monitoring of interconnected programs to drive strategic cybersecurity goals, including greater automation.
- Instructed and mentored a team of 8 technology risk analysts, grounded in ownership, transparency, and continuous improvement. Improved assessment quality and turnaround times by ~10%.
- Contributed to targeted cybersecurity risk training programs for 2,000+ staff annually.
Director, Technology Delivery at WEBSTER FINANCIAL CORPORATION (2023-05 – 2023-12)
M&A-related position in Technology and Data
- Devised multi-year technology-delivery vision and strategy for Webster's technology group of 400 professionals.
- Gained executive-level and team buy-in to execute this strategy of transformation and delivery.
- Assessed the technology ecosystem, established performance metrics and key risk indicators (KPIs & KRIs), and rewards programs to ensure risk, customer value and impact were prioritized and addressed.
- Leveraged a strategic change management framework to maximize the transformation's adoption, effectiveness, and sustainability.
Vice President, IT Risk Manager at SYNCHRONY FINANCIAL (2015-01 – 2023-12)
Led Information Security risk program with comprehensive oversight of risk assessments, appetite alignment, and remediation tracking
- Developed and led the technology risk program, including risk assessments, risk appetite alignment, and remediation tracking.
- Independently challenged control design, defined and executed risk-based testing, and concluded on control effectiveness and residual risk to support executive decision-making for complex initiatives.
- Provided independent oversight & effective challenge across the First Line of Defense, strengthening cyber risk identification & reducing under-assessed risks by 15%, in alignment with risk appetite & key cyber KRIs.
- Planned and executed end-to-end technology risk and control assessments, effectively socializing findings with senior stakeholders and acting as the primary liaison between business and risk functions; drove remediation or risk acceptance for 15 - 25 high-impact issues annually, reducing residual risk.
- Ensured ongoing compliance of the information security program with regulatory and industry standards, partnering with IT, Legal, HR, and Product leaders to enhance policy execution effectiveness and improve control adherence rates by 15%.
- Secured SDLC / DevSecOps - integrated security controls into development pipelines, conducted threat modeling, and performed secure design reviews throughout the CI/CD lifecycle.
- Produced concise, executive-ready reporting for regulators and senior leadership of KPIs and KRIs, translating complex cyber risk data into actionable insights and improving leadership decision turnaround time.
- Built trusted, high-impact partnerships with Second and Third Lines of Defense, technology leaders, and subject matter experts, improving cross-line issue resolution speed and strengthening governance effectiveness.
- Provided strategic oversight of the enterprise Information Security portfolio, managing MRIAs, MRAs, vendor relationships, intake governance, and financials for an organization of ~350 technologists, and improving portfolio cost transparency and control.
- Partnered with the CISO and senior leadership to define and execute information security strategy leveraging the Scaled Agile Framework (SAFe).
- Architected a multi-year security program roadmap with defined capability maturity milestones, aligning initiatives to business objectives while managing a budget of $25 - 40M, optimizing resource allocation, and improving cost efficiency by ~15%.
- Drove Board-level strategic initiatives for data protection and adaptive security, developing lean business cases, enhancing control frameworks, deploying new protection capabilities, and establishing performance metrics that improved data risk KRIs.
- Hands-on experience supporting Mergers & Acquisitions (M&A) security due diligence and post-acquisition integration. Performed application security assessments during M&A due diligence phases.
- Directed enterprise-wide talent management and capability development, advancing process maturity and a product-and-services mindset, and increasing delivery velocity by ~15%.
- Directed the full talent lifecycle for a 12-analyst team - recruiting, onboarding, mentoring, and performance management; translating shared objectives into individual goals through structured 1:1 cadences, transparent feedback, and targeted development plans.
Consultant – Information Security Risk Manager at AMERICAN INTERNATIONAL GROUP, INC. (AIG) (2014-01 – 2015-12)
Provided independent challenge of complex control environments across infrastructure and application domains
- Independently challenged complex control environments across infrastructure and application domains, designing and executing risk-based control testing for multiple initiatives annually to assess control design, operating effectiveness, and quantify residual risk in alignment with enterprise risk appetite.
- Converted testing results into executive- and regulator-ready risk conclusions, driving remediation or formal risk acceptance for 15 - 30 material issues per year, improving decision turnaround time by 15% and strengthening defensibility of governance and regulatory outcomes.
Vice President, IT Risk Manager at MORGAN STANLEY, INC. (2007-01 – 2013-12)
Led technology and information risk systems with independent challenge and assessment of technology control environments
- Performed independent challenge of technology control environments, designed and executed cybersecurity risk-based testing procedures, and assessed control effectiveness to determine residual risk and support informed leadership and regulatory decisions.
- Performed security architecture reviews and threat risk assessments across all enterprise technology domains, evaluating control design effectiveness within network, infrastructure, application, and data layers, and advising technology leadership on risk-proportionate security enhancements that reduced exposure by 15%.
- Designed and implemented technology and cybersecurity risk management frameworks aligned to FFIEC, NIST, and ISO standards. Executed 50 - 100 RCSAs annually and reduced risk acceptance cycle time by 20%.
- Enforced regulatory and internal risk standards across technology