Director of Information Security (Information Security Officer)

Penn Community Bank, Bristol, PA
Hybrid

About The Position

The Director of Information Security (Information Security Officer) is responsible for managing the Information Technology Compliance Department. This includes overseeing training, policies and procedures, cybersecurity, third-party vendor risk management, incident response, information security, and Artificial Intelligence User Acceptance Policy. The role involves managing risk assessments, regulatory controls, and departmental staff, while also mentoring staff and assigning growth opportunities. The Director will serve as the head coordinator for the Cybersecurity Program, establishing threat intelligence monitoring, reporting cyber risks, developing training programs, and ensuring compliance with regulatory guidance. They will also manage the Third-Party Vendor Risk Management Program, Incident Response Program, and the Bank’s Information Security Program. Additionally, the role involves developing and maintaining Business Continuity/Disaster Recovery policies, conducting various risk assessments (NIST CSF 2.0, GLBA, etc.), managing the AI User Acceptance Policy, overseeing the ITC budget, and conducting core system security reviews. The Director will ensure compliance with all applicable regulations and Bank policies, and will serve on various committees.

Requirements

  • Bachelor’s degree from a four-year college or university
  • 5 years of banking senior management information security officer experience OR 10+ years’ experience in senior management, with direct leadership experience in three or more of the functional areas covering cybersecurity, third-party vendor risk management, and incident response.
  • Prior tenured Information Security Officer leadership role experience.
  • Strong tenured experience implementing and managing financial institution compliance functions, cybersecurity, third-party vendor risk management, incident response management, information security, risk assessment creation.
  • Expertise in enterprise-wide banking knowledge and in-depth regulatory understanding.
  • Superior ability to read, analyze, and interpret government rules, regulations, interpretive letters, trade journals, and legal documents.
  • Must be able to respond to common inquiries from regulatory agencies, courts, and outside consultants.
  • Strong management skills.
  • Ability to prioritize tasks and manage multiple projects at one time.
  • Ability to interact effectively with all levels of staff and management.
  • Excellent interpersonal skills.
  • Strong problem-solving and project management skills.
  • Effective oral and written communication skills.
  • Willingness to work flexible hours if necessary.
  • Computer experience with Microsoft Word and Excel.

Nice To Haves

  • Training and cross-training of staff.
  • Assign staff one-off advancement opportunities to assist with their growth potential.
  • Maintain cyber forensic consultants and ongoing program enhancements as warranted.
  • Prepare senior management and Information Technology Steering and Cyber Committee (ITSCC) policy reports and dashboards to identify the effectiveness of the cyber program.
  • Identify and assess cybersecurity risks, including potential threats.
  • Communicate security risks and strategies to senior management and the Board of Directors when necessary.
  • Maintain membership with cyber advisory councils and intelligence organizations such as FS-ISAC, CISA, ABA, InfraGard, FDIC and other government cyber agencies.
  • Adhere to the regulatory notification rules.
  • Establish and maintain a new vendor, ongoing vendor, contract/renewal changes and termination processes within the risk assessment program.
  • Following regulatory guidance, develop and maintain the appropriate policy, procedures, workflows, and Board awareness processes.
  • Perform ongoing and new vendor reviews covering SOC reports along with User Entity Control outlines, Business Continuity Plan, disaster recovery and testing, information and cybersecurity, insurance coverage, financial statements, information technology security vendor calls as required, and obtain and review the FFIEC Report of Examination reports on required vendors.
  • Maintain ongoing vendor monitoring as warranted.
  • Report to the ITSCC ongoing important updates and implement regulatory guidance updates as required.
  • Prepare documentation for the quarterly ITSCC meetings, manage setting up the agenda topics and prepare the correspondence.
  • Coordinate communication, logging, cyber insurance notification, and regulatory and vendor notifications as determined under the Computer Security Notification Rule.
  • Determine corrective action items, follow through with reporting and seeking resolutions.
  • Maintain the Incident Response Playbook to address evolving events and changes.
  • Maintain Incident Response Plan documents, logs, email chains, postmortem discussions, regulatory and cyber insurance notifications as needed and report to the Information Technology Steering and Cyber Committee.
  • Follow regulatory guidance to maintain the Incident Response Program and Reporting.
  • Continually train ITC team members and maintain cyber security consultant contacts.
  • Oversee and review Information Security Reporting (specific security application reports).
  • Create, update, and maintain annual risk assessments that cover detecting, monitoring, and reviewing risk threat awareness.
  • Perform the NIST CSF 2.0 cybersecurity risk assessment in conjunction with our vendor and involve other departments as required.
  • Perform the Department Cybersecurity risk assessment to gather our Manager’s cybersecurity awareness and security measures.
  • Involve our IT Department and IT vendors to perform the R-SAT ransomware toolkit assessment.
  • Perform the data protection risk assessment in conjunction with the vendor.
  • Manage the initial review/update of the templates, outline updates as necessary and send out to department management for updating.
  • Review all risk assessments, prepare the cover memorandums, evaluate takeaway items, and obtain all sign-offs.
  • Present to the ITSCC and Board Compliance Committees annually.
  • Manage the Artificial Intelligence User Acceptance Policy, training documentation and coordinating policy documentation as required by regulatory guidance.
  • Assist the Chief Information Officer with artificial intelligence meetings, documents and other requests.

Responsibilities

  • Manage the Information Technology Compliance Department, including training, policies, cybersecurity, third-party vendor risk management, incident response, information security, and AI User Acceptance Policy.
  • Serve as the head coordinator and lead manager for the Cybersecurity Program, implementing security strategies, establishing threat intelligence monitoring, and reporting cyber risks.
  • Develop and deliver security awareness training programs for Team Members and the Board of Directors.
  • Form cyber security networking relationships with government offices and maintain membership with cyber advisory councils and intelligence organizations.
  • Report to the ITSCC ongoing important cyber-security updates and follow regulatory guidance updates.
  • Serve as the head coordinator and lead manager for the Third-Party Vendor Risk Management Program, implementing strategy, regulatory guidance, and objectives.
  • Establish and maintain processes for new vendors, ongoing vendors, contract renewals, and terminations within the risk assessment program.
  • Develop and administer Incident Response events, policy, procedure, playbook scenario outlines, meetings, and quarterly testing requirements.
  • Invoke the Incident Response Plan when warranted, alert Executive Management, and coordinate communication, logging, and notifications.
  • Manage, design, and host quarterly incident response testing sessions, determining corrective actions and reporting resolutions.
  • Develop, maintain, and enforce the Bank’s Information Security Program and related policies and procedures.
  • Oversee and review Information Security Reporting.
  • Develop and implement a comprehensive information security strategy that aligns with the Bank’s business goals and risk tolerance.
  • Develop, maintain, and enforce the Bank’s Business Continuity / Disaster Recovery Policy.
  • Create, update, and maintain annual risk assessments covering detecting, monitoring, and reviewing risk threat awareness.
  • Perform various risk assessments including NIST CSF 2.0, Department Cybersecurity, R-SAT, GLBA Data Protection and Privacy, and Third-Party Risk Vendor Management.
  • Manage the Artificial Intelligence User Acceptance Policy, training documentation, and coordinating policy documentation.
  • Assist the Chief Information Officer with artificial intelligence meetings, documents, and other requests.
  • Responsible for managing the monthly and annual budget process for ITC.
  • Process invoices.
  • Manage the monthly core critical system change review.
  • Create core system security reports and disseminate them to appropriate department managers for review and signoff.
  • Develop and maintain proper compliance and regulatory controls within the department.
  • Develop and maintain processes and procedures within the department.
  • Prepare and manage the department budget.
  • Create and update the department’s policies and procedures.
  • Serve on various committees within the Bank and outside user groups.
  • Comply with all applicable regulations and Bank policies regarding employment and employment law.
  • Participate in annual compliance and other job-related training.
  • Comply with applicable bank regulations, Bank policies and procedures.
  • Comply with Bank’s internal privacy and ethics standards.