IT Information Security Manager

About The Position

Requirements

• Bachelor’s degree in engineering (Computer/Telecommunications/Electrical) or Computer Science, or equivalent experience.
• 7–10+ years in cybersecurity/GRC/architecture, with 3+ years leading security or SOC teams.
• Experience in financial services and regulated environments; direct interaction with auditors and regulators.
• Implementation of NIST CSF/ISO 27001, PCI DSS, and cloud‑security practices (OCI/AWS).
• Comprehensive and balanced knowledge base that spans technical expertise, business acumen, and leadership skills to manage the organization's strategic security posture effectively.
• Bilingual ( Spanish and English).
• Customer-focused and service-oriented.
• Strong verbal, written, and negotiation skills to retain the existing customer base.
• SIEM, EDR, DLP, SOAR, IAM/PAM, data governance, encryption, WAF, CSPM, SASE/CASB, DevSecOps, and secure SDLC.
• Networks and perimeter controls; Zero Trust, segmentation, VPN/SD ‑ WAN.
• Incident handling and forensics; vulnerability platforms (e.g., Qualys).
• Fortinet NSE 4/7 or higher; Cisco CCNA/CCNP; CompTIA Network+/Security+; ITIL v4 Foundation.
• Cloud certifications with networking emphasis: AWS (Advanced Networking/SAA), OCI (Networking/Architecture).
• Executive communication and leadership; stakeholder management and cross ‑ functional influence.
• Critical thinking, risk‑ based prioritization, results orientation; bilingual Spanish/English.
• Availability for on ‑ call duties and off ‑ hours incident handling; travel to branches as needed.
• Successful background check per internal and regulatory policies.

Nice To Haves

• Certifications (preferred/strong) CISSP (strong), CISM/CRISC, ISO 27001 Lead Implementer/Lead Auditor, CCSP (cloud).
• PCI ‑ ISA/PCIP, GIAC (GCIH/GCIA/GPEN), AWS Security Specialty / OCI Architect/Professional, ITIL v4.

Responsibilities

• Manage the Information Security Unit, through defining the strategy, the team roles, responsibilities, development, performance objectives, and metrics for high-level execution.
• Define the cybersecurity strategy and roadmap based on NIST CSF / ISO 27001 / COBIT, with KPIs/OKRs, budget, and executive metrics.
• Establish and maintain policies, standards, and procedures (access, encryption, data classification/retention, secure SDLC, third parties, DR/BCP).
• Drive integrated risk management: risk register, periodic assessments, risk appetite, treatment plans, and reporting to Risk Committee/Executive leadership.
• Ensure compliance with GLBA, FFIEC, PCI DSS, SOX ‑ITGC, ISO 27001, OCIF/FDIC guidelines, and privacy frameworks (GDPR/CCPA, as applicable).
• Coordinate internal/external audits and regulatory exams; remediate findings and evidence controls, documentation, and metrics.
• Govern third parties and critical vendors (TPRM): due diligence, security/SLA clauses, SOC 1/2 reviews, escalations, and continuity.
• Design and implement Zero Trust architectures, segmentation, SASE/CASB, WAF, encryption in transit and at rest, KMS/HSM, and centralized telemetry.
• Govern the security stack (e.g., SIEM, EDR, DLP, EPP, Microsoft Defender, Fortinet, email security, MDM) and automation (SOAR) to reduce MTTR.
• Lead vulnerability and patch management (e.g., Qualys): continuous scanning, risk ‑based prioritization (CVSS/EPSS), remediation SLAs, and validation.
• Coordinate penetration tests/Red Team and hardening aligned to CIS/NIST benchmarks.
• Design and operate security in OCI and AWS: CSPM, cloud IAM, secure networks (VPC/VNet), container security, secrets/keys, logging, and alerting.
• Ensure VPN/SD ‑WAN connectivity and edge controls, with event logging and detections centralized in the SIEM.
• Govern SSO, MFA, RBAC/ABAC, the joiner‑mover‑leaver lifecycle, access reviews, and PAM (privileged accounts), integrating AD/Azure AD and cloud directories.
• Enforce segregation of duties (SoD) and least privilege across all critical systems.
• Maintain the IRP (Incident Response Plan) with playbooks and SOC runbooks; coordinate with Legal/Communications and regulatory notification as required.
• Lead digital forensics, root‑cause analysis, and lessons learned with improvement plans.
• Co‑lead BCP/DR with Technology and Operations: BIA, RTO/RPO, and periodic multi‑site/multi‑region exercises (on‑prem/cloud).
• Business Continuity
• Vendor & Cost Management
• Documentation & Continuous Improvement (BAU)
• Leadership, Team, and Vendors