Deputy Chief Information Security Officer - Bank

Mercury
Portland, OR
$242,700 - $353,950
Remote

About The Position

The Deputy Chief Information Security Officer (CISO) will serve as the operating second to the CISO, owning the bank-entity scope of Mercury's 2LOD Information Security program. This role is responsible for ensuring the program is examiner-ready by default, maintaining a coherent policy architecture, evidenced controls, a credible gap-remediation track record, and a tested incident response program with documented exercise history. This is a build-and-defend role, requiring direct interaction with OCC examiners, FFIEC IT audit teams, the Chief Risk Officer, and the board's risk committee, where the individual will be accountable for all aspects of the bank-scoped policies and control inventory. Mercury is a fintech company providing banking services through Choice Financial Group and Column N.A., Members FDIC.

Requirements

  • 8+ years in Information Security, with 3+ years inside a regulated bank, trust bank, or de novo bank charter effort.
  • Deep FFIEC and OCC fluency, including working knowledge of the FFIEC CAT, FFIEC IT Examination Handbook, BSA/AML IT supervisory expectations, and OCC Heightened Standards.
  • Direct examiner-facing experience, having defended a control to an OCC, FDIC, or Federal Reserve examiner.
  • Ability to draft board-ratifiable policies and supporting standards that operationalize intent.
  • Demonstrated operating discipline, including running cadences, writing executive-level status reports, and maintaining currency of controls, evidence, and risk registers.
  • Understanding of the three-lines-of-defense model and experience serving in the oversight role (2LOD).

Nice To Haves

  • Prior Deputy CISO or equivalent senior 2LOD role at a national bank, trust bank, or large credit union.
  • Charter or de novo bank experience.
  • Strong technical baseline, with the ability to challenge architecture reviews and read incident timelines credibly.
  • CISSP, CISM, or CRISC certifications.

Responsibilities

  • Own the bank-entity 2LOD InfoSec program, including governance, policy, risk, and oversight scoped to the chartered bank.
  • Manage examiner posture, including OCC, FFIEC, FDIC, and FRB examiner inquiries, ownership of the examiner-ready narrative, and coordination of evidence.
  • Lead remediation of identified FFIEC IT control deficiencies to charter readiness ahead of the OCC pre-opening examination.
  • Manage the bank-scoped policy stack (Policy / Standard / Procedure), including ratification cycles, MRCC memos, and board approvals.
  • Partner with the Chief Risk Officer on bank continuity, resilience, and recovery, including tabletop exercises and full-scale drills.
  • Manage relationships with internal audit (3LOD) and external assessors (SOC 2, FFIEC CAT, regulator-led IT examinations).
  • Ensure Third-Party Risk Management (TPRM) evidence meets bank-grade scrutiny for critical service providers and material outsourcing arrangements.
  • Coach and grow the GRC sub-team, run a recurring training cadence, and build the bench depth required for a national bank.

Benefits

  • Base salary
  • Equity (stock options)
  • Benefits