Chief Information Security Officer

Farmers and Merchants Bank of Long Beach, Seal Beach, CA (Onsite)

About The Position

The Chief Information Security Officer (CISO) is responsible for developing, implementing, and governing the Bank’s enterprise-wide Information Security Program consistent with the Interagency Guidelines Establishing Information Security Standards (GLBA §501(b)), the FFIEC IT Examination Handbooks, and the NIST Cybersecurity Framework 2.0 to protect sensitive financial data, customer information, and technology infrastructure. This leader ensures cybersecurity risk is identified, measured, mitigated, monitored, and reported in a manner consistent with safety and soundness expectations. The role focuses on risk management, regulatory compliance (e.g., GLBA, FFIEC, CSF), and maintaining client trust. The CISO manages the Bank Security team, is responsible for the oversight of security operations, and monitors the use of the Bank’s network, hardware, software, and security systems to ensure compliance with Bank policy and federal regulations. The CISO also manages the Bank’s physical security for all locations, chairs the Computer Security Incident Response Team (CSIRT), and is responsible for managing incident response in the event of a security breach at the Bank. This role requires a strong, effective, collaborative, and hands-on leader with deep expertise in banking technology to support a growing and rapidly modernizing bank; a proven track record in information security across on-prem, cloud, and third-party infrastructure; a strong understanding of risk management and regulatory compliance; and a passion for leveraging secure and resilient technology to enable best-in-class banking service. This role will partner closely with technology, operational, and business leadership to realize strategic ambitions in line with F&M’s culture.

Requirements

  • Strong English language communication skills (spoken and written) with the ability to communicate complex security risks and technologies to non-technical stakeholders.
  • Deep understanding of applicable regulatory frameworks and guidance.
  • Deep understanding of cybersecurity architecture: zero-trust, cloud workload security, network segmentation, IAM/PAM, encryption, logging/telemetry
  • Deep understanding of cyber operations: threat hunting, incident response, digital forensics, SOC operations, vulnerability management, secure SDLC
  • Deep understanding of supply chain cyber risk: due diligence, contractual controls, continuous monitoring, and resilience expectations.
  • Able to think strategically, exercise good judgement and effectively improve critical thinking skills.
  • Strong leadership skills, able to motivate and drive behaviors and success.
  • Excellent People Skills including active listening.
  • Customer Service Skills
  • Time Management Skills
  • Detail Oriented
  • Ability to work both independently and with others at all levels.
  • Ability to mentor junior team members.
  • Bachelor’s degree in cybersecurity, information systems, computer science, engineering, or related field.
  • 10–15+ years in cybersecurity, information security, or technology risk; 5+ years must be in a regional bank (or comparable regulated financial institution).
  • Must have the proven ability to serve as an effective member of a senior management team, be an effective leader to a team of highly trained personnel and consultants; form, manage and lead committees and interact effectively with law enforcement agencies, risk and data managers, auditors, consultants, vendors, and stakeholders.
  • Demonstrated success presenting to Boards and regulators; direct experience with FFIEC exams.
  • Experience leading SOC/IR, IAM modernization, resilience programs, and third-party risk assurance.
  • Experience governing cyber programs aligned to NIST CSF 2.0 and FFIEC expectations.
  • Requires repetitive movement.
  • Requires standing and/or sitting for prolonged periods of time.
  • Requires lifting to 50 lbs.
  • Requires using hands to handle, control or feel objects.

Nice To Haves

  • Master’s degree preferred (cybersecurity, information assurance, business, or technology management).
  • Professional Certifications (Preferred): CISSP, CISM, CRISC, CISA, CCSP, or GIAC level technical certifications.

Responsibilities

  • Support the Chief Risk Officer in ensuring a strong, resilient, and adaptable second line of defense (2LOD), as it relates to information security, to meet the changing requirements in banking.
  • Embrace the role of a technology risk officer.
  • Ensure the Bank complies with federal and state regulations including but not limited to GLBA, HIPAA, PCI-DSS, CCPA, NIST, and FFIEC guidelines.
  • Evolve, maintain, and communicate a clear information security vision and program to minimize risk, ensuring integrity, confidentiality, and availability of data.
  • Ensure annual Board reporting, policy review/approval, and governance consistent with GLBA.
  • Evolve, maintain, and enforce the Information Security Program, policies, procedures, and standards.
  • Evolve, maintain, and enforce the Physical Security Program, policies, and procedures.
  • Maintain measurable security metrics/KRIs and present high-quality dashboards, useful for decision-making, to executives and the Board.
  • Align program maturity and reporting to NIST CSF 2.0 outcomes.
  • Manage and be responsible for control testing in accordance with ERM standards and ensure compliance with network, hardware, and software security standards.
  • Manage and be responsible for the GLBA and other information security risk assessments in accordance with ERM standards.
  • Identify, evaluate, and prioritize security risks across the Bank, implementing, and managing a framework to mitigate these risks.
  • Lead security operations, threat detection, continuous monitoring, digital forensics, and incident response.
  • Conduct periodic simulations and tabletop exercises; maintain regulator-ready playbooks.
  • Govern vulnerability management and penetration testing, ensuring timely risk-based remediation.
  • Lead the Computer Security Incident Response Team (CSIRT) to detect, contain, investigate, and recover from cyberattacks.
  • Define enterprise security architecture incorporating zero trust, cloud security models, network segmentation, encryption baselines, identity governance, and telemetry.
  • Oversee design and integration of security requirements into technology development, acquisition, and maintenance (DA&M).
  • Partner with Technology leadership to shape resilient, scalable architectures that meet regulatory expectations while enabling innovation.
  • Communicate technology risk tradeoffs and investment needs in business terms.
  • Monitor security trends, new regulations and innovative technologies, identify strategies and techniques to address new challenges.
  • Partner with Information Technology teams to evolve the Bank’s technology architecture and posture while ensuring the safety of the Bank’s data and network.
  • Govern enterprise IAM, including provisioning, de-provisioning, privileged access, and continuous monitoring.
  • Enforce MFA or equivalent-strength controls across workforce, third parties, and high-risk system access, consistent with FFIEC Authentication & Access guidance.
  • Drive culture changes around least privilege, access hygiene, and secure user behaviors across the enterprise.
  • Oversee cyber due diligence, contract control requirements, and continuous monitoring of critical vendors and service providers, aligned with FFIEC Outsourcing guidance.
  • Influence procurement, legal, risk, and business owners to adopt a secure by design approach to third party engagements.
  • Oversee the security practices of vendors and third-party service providers. Coordinate with Third-Party Risk management and Information Technology teams.
  • Ensure independent testing, internal audit reviews, and third-party assessments of the security program, consistent with FFIEC expectations.
  • Track and close findings; provide examiners and auditors with complete, timely, and accurate evidence.
  • Serve as primary executive interface with regulators on cyber matters; demonstrate transparency, discipline, and command of program details.
  • Organize and lead efforts to progress towards, secure and maintain SOC and ISO certification.
  • Manage and develop the Bank Security team.
  • Develop and deliver training programs to educate staff on security best practices.
  • Oversee enterprise security awareness and phishing simulations.
  • Prepare annual budgets and manage them.
  • Perform other duties as assigned by management.
  • The CISO is responsible for providing the on-call schedule to their team on a monthly cadence and will ensure that there is sufficient coverage for after-hours support. The CISO will function as an escalation point for Deputy Chief Information Security Officer (DCISO), the information security architects and analysts and may provide end-user support after hours in the event additional resources are required. CISO and DCISO must ensure that cell phones are on and available in the event of end-user support call or outage alert via text message. Management is expected to be available to respond to critical situations, even on a non-scheduled workday.
  • Comply with all State and Federal Banking regulatory requirements, including but not limited to: BSA, Anti-Money Laundering, OFAC, CIP, Financial Elder Abuse Reporting, Sexual Harassment, Information Security, and privacy requirements. Act as the control point for the office to ensure that all CIP, BSA, and OFAC requirements, procedures, and time frames are met.