Information Security Manager

Acumen Technology•Nashville, TN

23h•Hybrid

About The Position

Acumen Technology is a security-first Managed Service Provider (MSP) founded in 2016, serving financial institutions, healthcare organizations, and other businesses that take IT and cybersecurity seriously. With more than 25 years of leadership experience in financial services technology, Acumen’s deepest roots are in community banks, credit unions, and regulated financial institutions, while also supporting clients in professional services, healthcare, and construction. Acumen is SOC 2 Type II certified, FFIEC-aligned, and has been recognized on the Inc. 5000, CRN MSP 500/50 , and Nashville Business Journal’s Best Places to Wor k lists. Our vCISO practice provides hands-on security leadership to organizations that need more than guidance—they need execution. Being part of the Acumen team means more than just great work. It includes weekly in-office lunches, memorable company events, a comprehensive benefits package, and, most importantly, training in the fine art of holding entire conversations using nothing but GIFs. This is a hands-on practitioner role. You will meet with clients, assess their security posture, and then do the work - drafting the policy, completing the risk assessment, building the remediation plan, and delivering it back to the client in a finished, usable form. The right candidate thrives on the full cycle: client meeting → assessment → heads-down execution → polished deliverable back in the client’s hands You will manage a portfolio of clients that is predominantly financial institutions - community banks, credit unions, and financial services firms make up approximately 80% of the practice. The remainder includes clients in professional services, healthcare, and construction. On any given week, you might: Spend a morning walking a community bank through their pre-exam request list, then spend the afternoon drafting their written response findings. Design and facilitate a tabletop exercise for a bank's leadership team simulating a ransomware event, then write up the after-action report and deliver it within the week Review vendor SOC 2 reports that came in for a client, assess the findings, and produce a risk summary the bank's risk committee can act on Rewrite a client's outdated Acceptable Use Policy and Information Security Policy to align with current FFIEC guidance and have both ready for board approval Lead a SOC 2 readiness check-in with a professional services client, update their evidence tracker, and coordinate with their external auditor on outstanding items

Requirements

3+ years of information security experience with a strong emphasis on hands-on program execution — risk assessments, policy writing, audit preparation, and control documentation
Deep, working knowledge of the FFIEC IT Examination Handbook requirements, including the new tools available to replace the retired Cybersecurity Assessment Tool (CAT)
Direct experience completing SOC 2 readiness assessments and producing formal gap analysis and remediation documentation
Demonstrated ability to author professional-grade security deliverables - policies, risk assessments, remediation plans, board summaries - independently and to a high standard
Strong written communication skills; comfortable producing polished, client-facing documents without editorial support
Proven ability to manage multiple client engagements simultaneously with discipline, reliability, and follow-through
Active CISSP, CISM, CRISC, or equivalent certification
Direct experience preparing financial institutions for FDIC, OCC, or NCUA IT examinations and responding to regulatory findings
Familiarity with GRC platforms commonly used in financial services (e.g., Ncontracts, LogicManager, or similar)
Working knowledge of HIPAA security rule requirements for healthcare clients and general compliance frameworks applicable to professional services environments
Experience with Microsoft 365 security controls as deployed in community bank and small-to-mid-market business environments
Background in an MSP, consulting firm, or multi-client security advisory practice

Responsibilities

Serve as the primary point of contact for clients preparing for FDIC, OCC, NCUA, and state banking regulator IT examinations, owning the preparation process from start to finish
Organize and package audit requested items, complete pre-exam readiness checklists, and produce written summaries of control effectiveness that clients can hand directly to examiners
Review third-party audit findings and examination results, then draft formal written responses, corrective action plans, and remediation timelines on the client's behalf
Track open findings and recommendations to closure, producing status updates and evidence packages at each milestone
Maintain current knowledge of FFIEC IT Examination Handbook updates and translate regulatory changes into specific, actionable steps for each client
Document client check-ins using Microsoft Planner or a similar task management tool, ensuring all action items, deliverables, and blockers are clearly captured, assigned, and tracked through resolution.
Lead clients through SOC 2 Type I and Type II readiness assessments including scoping, gap analysis, control testing, and evidence collection
Produce formal gap analysis reports with prioritized remediation roadmaps in finished, client-ready form
Build and maintain client control evidence libraries and audit packages, keeping documentation current between audit cycles
Coordinate with external auditors on the client's behalf and serve as the primary point of contact throughout the audit process
Design, facilitate, and debrief tabletop exercises for community bank clients covering security incident response, business continuity, and disaster recovery scenarios
Develop realistic, client-specific exercise scenarios based on current threat intelligence and regulatory expectations for financial institutions
Produce written after-action reports documenting exercise findings, gaps identified, and recommended improvements, delivered to the client within an agreed turnaround
Update client incident response, business continuity, and disaster recovery plans based on exercise outcomes
Review third-party vendor audit reports (SOC 2, penetration tests, security assessments) on behalf of clients and produce written summaries of findings and risk exposure
Draft formal vendor risk assessment responses and management memos that clients can file, present to examiners, or include in board reporting
Maintain client vendor inventories and assessment schedules, tracking due dates and ensuring assessments are completed on time
Draft, update, and maintain client information security policies, standards, and procedures written in plain language, tailored to each client's environment, and ready to adopt without further editing
Conduct periodic policy reviews against current FFIEC guidance, NIST CSF, and SOC 2 requirements and produce updated versions that reflect any gaps or regulatory changes
Manage client policy libraries to ensure all documents are versioned, reviewed on schedule, and accessible for audit purposes
Meet regularly with client stakeholders to review program status, prioritize the work queue, and present completed deliverables
Manage a multi-client portfolio with disciplined task tracking, clear timelines, and consistent follow-through on every commitment made in a client meeting
Serve as an advisory resource during client security incidents, providing written guidance on containment, notification obligations, and regulatory reporting requirements

Benefits

100% employer paid health insurance (medical and dental)
First $1,000 of qualified medical expenses covered
Company Matching 401k
Flexible hybrid schedule
Fun working environment and culture with regular activities both for employees and their families
Family vacation bonus at 5th year

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume