Director of Information Security

About The Position

Requirements

• 10+ years of progressive experience in cybersecurity, infrastructure security, or enterprise technology risk.
• Experience in a regulated financial institution (OCC or FDIC supervised preferred). 
• Demonstrated experience leading security strategy in cloud or hybrid environments.
• Experience overseeing third-party and fintech technology risk. 
• Demonstrated ability to lead cross-functional initiatives. 
• Experience engaging directly with regulators and auditors. 
• Strong program management capabilities.
• High integrity, executive presence and clear communication skills.
• Proven working knowledge of requirements for GLBA, SOC, FFIEC and PCI and OCC and FDIC guidance on data security and IT examination requirements.
• Experience with auditing processes, including Network Security, SDLC/Change Management and IT related functions.
• Knowledge of the global IT Risk Regulatory Landscape and Risk Management Model (e.g. Threats, Vulnerabilities, and Controls)
• Strong technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.)
• Experience in developing and maintaining a technology Risk Assessment process.
• Must be well versed in industry accepted IT control frameworks (e.g. SSAE16/18, SAS70, or ISO17799 audit reports).
• Project and program management concepts and controls experience.
• Must possess a high degree of integrity and trust along with strong communication skills and ability to work individually, within a team and with other business groups.
• Experience or understanding of Disaster Recovery, Business Continuity, and Incident Response initiatives.
• Must have ability to develop policies and procedures and communicate effectively.
• Understanding of federal and other regulatory requirements and the ability to keep current.
• Experience working with federal examiners.
• Must be open to working on-call.
• BS/MA degree in related technical and security disciplines.
• Ability to understand and follow instructions in English.
• Ability to sit for extended periods of time, twist, bend, sit, walk use hands to twist, handle or feel objects, tools or controls, such as computer mouse, computer keyboard, calculator, stapler, telephone, staple puller, etc., reach with hands and arms, balance, stoop, kneel, talk or hear.
• Specific vision abilities required by the job include close vision, distance vision, peripheral vision, depth perception and the ability to adjust focus.

Nice To Haves

• Certifications in data security and/or auditing procedures not required but preferred.
• Familiarity with banking related software (Fiserv preferred).

Responsibilities

• Lead and continuously evolve the Bank’s Information Security Program aligned with 12 CFR Part 30, Appendix B, the FFIEC Information Security Booklet, the OCC Cybersecurity Supervision Work Program, NIST CSF, and regulatory guidance.
• Conduct or direct the annual enterprise-wide IT risk assessment using NIST CSF 2.0, the CRI Profile, or equivalent framework, identifying threats, vulnerabilities, and risk levels for all information assets.
• Develop and execute a multi-year enterprise security roadmap aligned with business strategy and modernization initiatives.
• Manage the cybersecurity self-assessment process using the Bank’s selected framework, the Cyber Risk Institute Framework, ensuring findings are documented, tracked, and reported to the Board.
• Serve as the primary security advisor to executive leadership and Board committees.
• Provide regulator reporting on cyber risk posture, threat landscape and remediation status.
• Partner with IT Infrastructure and Transformation leaders to ensure security-by-design across: Network architecture Cloud platforms  Endpoint management API security architecture Identity & access management Core banking and fintech integrations Artificial Intelligence (AI) integrations
• Establish secure architecture standards for hardware, networking, segmentation, encryption and endpoint detection.
• Drive adoption of modern security principles including Zero Trust architecture and secure cloud governance. 
• Oversee the vulnerability management and patch management lifecycle, monitoring remediation timelines against risk-based SLAs and escalating deficiencies to senior management.
• Oversee: Threat detection and response, Incident response program, Penetration testing and vulnerability management, SOC oversight 
• Monitor evolving cyber threats, AI-driven risks and geopolitical threat activity. 
• Lead incident response coordination and regulatory notification processes when required.
• Lead and Chair the Vendor Management and Third-Party Risk program.
• Conduct information security due diligence on all prospective fintech partnerships during the planning and selection stages of the third-party risk management lifecycle 
• Review and evaluate SOC 2 Type 2 reports, penetration test results, vulnerability assessments, and BCP/DR documentation for all third-parties (including fintech partners) at least annually, or more frequently for critical relationships.
• Participate in the Bank’s Fintech Committee providing independent risk opinions on information security dimensions of new and existing partnerships.
• Assess security architecture of API integrations, data flows, and credential management between the Bank and third-parties, ensuring encryption in transit and at rest, access controls, and monitoring are commensurate with risk.
• Monitor fintech partner compliance with the Bank’s information security requirements on an ongoing basis, including incident notification obligations under contractual SLAs.
• Evaluate fourth-party (subcontractor) risk for critical fintech partners, ensuring contractual provisions address subcontractor security standards, approval requirements, and audit rights.
• Evaluate emerging technologies and associated risk profiles prior to deployment.
• Ensure bank service provider contracts include notification obligations that meet regulatory requirements, and that designated points of contact are current.
• Coordinate with critical third-party service providers to assess their BCP/DR capabilities and resilience, including review of TSP continuity testing results.
• Serves as primary security liaison for all IT Audits.
• Serve as primary security liaison for OCC, FDIC, and external examiners. 
• Maintain compliance with GLBA, FFIEC IT Handbook, NIST, PCI and SOC reporting standards.
• Oversee timely remediation of any audit or regulatory findings.
• Ensure compliance with notification requirements of all relevant regulatory agencies and documented decision criteria for determining when a “notification incident” has occurred.
• Maintain the Bank’s state breach notification matrix and coordinate customer notification processes in compliance with applicable state laws for each jurisdiction where affected customers reside.
• Oversee: Data classification standards, Data Loss Prevention (DLP), Encryption standards, Secure data lifecycle management
• Align information security with enterprise data governance initiatives.
• Monitor the CFPB’s evolving data security enforcement posture and ensure the Bank maintains multi-factor authentication, adequate password management, and timely patching to mitigate UDAAP exposure.
• Track developments in the Section 1033 Personal Financial Data Rights rulemaking and assess implications for the Bank’s data-sharing security controls, API standards, and authorized third-party oversight.
• Coordinate with Legal and Compliance on data protection requirements arising from state privacy laws, ensuring appropriate controls are in place for each jurisdiction where the Bank operates or serves customers.
• Own the enterprise Business Continuity Management. 
• Oversee Business Continuity and Disaster Recovery frameworks in partnership with enterprise risk. 
• Ensure cyber resilience testing and tabletop exercises are conducted regularly. 
• Integrate operational resilience planning into infrastructure modernization efforts.
• Direct the Business Impact Analysis process, establishing Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and Maximum Tolerable Downtime (MTD) for all critical business functions
• Ensure BCP/DR plans address ransomware-specific recovery scenarios, including air-gapped and immutable backup validation, and that restoration procedures are tested at least annually
• Lead enterprise security awareness and training programs. 
• Foster a culture of security ownership across all business lines.
• Partner with HR and leadership to embed security accountability into performance management, including phishing simulations and role-based training for privileged users.
• Establish and maintain the Bank’s AI and emerging technology acceptable use policy, define approved use cases, prohibited activities, and approval workflows for all AI tools deployed internally or through third-party and fintech partner relationships in collaboration with Digital Transformation, Information Technology, and Fintech teams.
• Classify each AI tool as a “model” or “non-model” under the OCC’s model risk management framework, and apply risk-proportionate governance controls including documentation, validation frequency, and ongoing monitoring commensurate with each tools’ materiality and complexity.
• Conduct or coordinate information security risk assessments for all AI deployments, evaluating data ingestion controls, training data integrity, prompt injection and adversarial attack vectors, output monitoring, access controls, and data leakage prevention.
• Implement shadow AI detection and prevention controls to identify unauthorized AI tool usage by employees, contractors, and fintech partners, including monitoring for unapproved cloud-based AI services and browser-based AI plugins accessing Bank data.
• Evaluate the Bank’s AI vendor contracts for information security adequacy, including provisions for model documentation and audit rights, restrictions on use of Bank data to train other models, material model change notification requirements, subcontractor disclosure, and regulatory examination access.
• Monitor and report to senior management on the evolving AI regulatory landscape, including OCC guidance, the Treasury Financial Services AI Risk Management Framework, NIST AI Risk Management Framework 1.0, state AI laws, and federal preemption developments affecting the Bank’s compliance obligations.
• Evaluate  and determine if the Bank should adopt the Treasury Financial Services AI Risk Management Framework’s AI Adoption Stage Questionnaire and applicable control objectives as the Bank’s primary governance framework, scaled to the Bank’s current AI maturity and risk profile.
• Include AI governance status, emerging technology risks, and AI-related incidents or findings in the quarterly Board Risk Committee report and the annual Appendix B report.
• Serve as the Bank’s formally designated Security Officer.
• Administer and periodically review the Bank’s written Security Program addressing robbery prevention, physical safeguards and employee safety. 
• Ensure appropriate security devices and procedures are in place across all banking offices and facilities, including alarm systems, surveillance, access controls and cash handling safeguards.
• Coordinate with Director of Branch leadership and Operations on physical security risk assessments and mitigation strategies; serve as Chair of the Physical Security Committee conducting quarterly meetings.
• Provide periodic reporting to Executive Management and the Board of Directors regarding physical security risks and program effectiveness. 

Benefits

• Employee Stock Ownership Plan & 401k Plan 
• Healthcare (Medical, Dental, Vision, Telehealth, Life insurance)
• 12-week Paid Parental Leave and Medical Leave: With a cap of 20 weeks for eligible team members who qualify for both Medical and Parental Leave related to the birth of a child
• $5,000 Family Care Reimbursement: Childcare, Elder Care, Student Loan Debt, Pet expenses, Down Payment Assistance
• PTO from 13 to 23 days depending on tenure. Cashout and Carryover options
• 10 Days Sick Time
• 11 Paid Holidays
• 4 Days Volunteer Time
• 2 Days Self Allowance Time
• Tuition Assistance