Chief Information Security Officer

About The Position

Requirements

• Minimum 10 years of working experience with information security, audit, compliance and/or related knowledge preferably in banking or a highly regulated industry.
• CISO designation and associated certifications e.g. CISSP, CISM, CISA, at a prior financial institution of similar scope and scale.
• 10+ years of managerial experience in information security.
• Proven experience in disaster recovery planning, risk assessment, and policy writing.
• Enterprise level experience including managing and successfully delivering cross functional initiatives.
• Experience in leading projects and multi-tasking with diverse groups and locations.
• Advanced knowledge of applicable US laws and regulations as they relate to Information Security and the effective management of Information Security Risks.
• Ability to understand new laws and regulatory requirements and how they relate to security and compliance and present the overall risk to the Bank.
• Demonstrable experience in implementing strategic plans and managing an information security program.
• Exceptional and proven leadership capabilities – communication, influence & negotiation, conflict resolution, people management, relationship management (internal/external), and team building.
• Proven ability to successfully partner with internal clients and vendors to align strategy with deliverables, identify business challenges and develop alternatives to mitigate.
• Strong service management and service delivery orientation.
• Excellent written, oral, and interpersonal communication skills.
• Ability to present ideas in at appropriate levels for different audiences.
• Proven ability to work within a changing environment and lead the implementation of change.
• Ability to apply change management principles to initiatives of variable sizes and degrees of complexities.
• Ability to assess the impact or potential impact of change management initiatives of various sizes and degrees of complexities on business financial and performance.
• Advanced level of creativity, strategic thinking and problem management skills.
• Ability to conduct and direct research into information security issues.
• Self-motivated, self-directed, attentive to detail, and able to multi-task.
• Ability to effectively prioritize and execute tasks in a high-pressure environment.
• Bachelor's Degree in computer science, management information systems, business administration (or a related discipline).
• An equivalent combination of education and/or relevant professional experience may be considered in lieu of a degree.
• Professional security management certification as a Certified Information Systems Security Professional (CISSP).

Nice To Haves

• Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials are recommended.

Responsibilities

• Enterprise Cybersecurity Strategy & Governance Define and execute a risk based information security strategy aligned with the Bank’s business objectives, digital initiatives, and regulatory requirements.
• Establish and maintain the Bank’s Information Security Program, including policies, standards, procedures, and governance frameworks.
• Partner closely with the Chief Operating Officer and Enterprise Risk Management to integrate cybersecurity risk management into core operational processes and the Bank’s overall risk management framework.
• Provide independent challenge and credible oversight of technology and business initiatives from a cybersecurity risk perspective.
• Board and Executive Engagement Serve as the primary executive responsible for communicating cybersecurity risks, trends, and overall security posture to senior management, the Enterprise Risk Committee, and the Board of Directors.
• Maintain direct and unrestricted access to the Board of Directors and its committees on cybersecurity and information security risk matters.
• Develop and present clear, actionable cyber risk metrics, key risk indicators (KRIs), and maturity assessments to support informed decision making.
• Advise executive leadership on material cybersecurity risks, risk trade offs, and mitigation strategies.
• Regulatory, Audit & Examiner Management Ensure compliance with GLBA, applicable privacy and cybersecurity regulations, and regulatory guidance.
• Own and manage the enterprise wide GLBA Risk Assessment and other cybersecurity risk assessments.
• Act as the primary point of contact for regulators, internal audit, and external auditors on information security matters, including the timely remediation of findings and issues.
• Regulatory updates to the OCC and FDIC must demonstrate Information Security program governance effectiveness, risk awareness, control maturity, incident readiness, and board oversight.
• Incident Response, Escalation & Operational Resilience Maintain executive oversight of the Bank’s cybersecurity incident response and crisis management framework.
• Has authority to escalate, contain, suspend, or recommend cessation of systems, vendors, or business processes during cybersecurity incidents where material risk to the Bank exists, with direct escalation to the COO, CEO, and Board as appropriate.
• Lead or direct response efforts for significant security incidents, including investigation, coordination with Legal, Compliance, ERM, Operations, and external parties as required.
• Partner with the COO to integrate cybersecurity risk into operational resilience, business continuity, and disaster recovery strategies.
• Technology, Data & Cloud Security Oversight Provide governance and oversight for security architecture across on premise, cloud, SaaS, and hybrid environments.
• Establish data classification, protection, and encryption standards to safeguard sensitive, confidential, and customer information.
• Oversee identity and access management governance, including privileged access controls and authentication standards.
• Third Party & Vendor Cyber Risk Own the Bank’s third party and vendor cybersecurity risk management framework in coordination with Third Party Risk Management, Operations, and Procurement.
• Ensure cybersecurity risk is assessed, monitored, and managed throughout the vendor lifecycle, including fintech partners, cloud providers, AI enabled solutions, and other critical service providers.
• Security Awareness & Risk Culture Establish and maintain a comprehensive security awareness and education program that promotes a strong, enterprise wide risk aware culture.
• Champion accountability for cybersecurity responsibilities at all levels of the organization.
• Leadership & Talent Development Lead, develop, and retain a high performing information security organization.
• Set clear goals, performance expectations, and development plans for direct reports.
• Foster a culture of integrity, accountability, collaboration, and continuous improvement