Information Security Officer

WestStar Bank, El Paso, TX

About The Position

The Information Security Officer (ISO) is responsible for developing, executing, and managing the bank's information security program to ensure compliance with GLBA, FFIEC, and other applicable federal and state regulatory requirements. This includes management of cybersecurity risk, business continuity, third-party risk, and data governance, working with business units to maintain a secure operating environment.

Requirements

  • BBA in business (CIS related major), BS in computer science, or equivalent degree.
  • Relevant certification (e.g. CISSP, CISA) highly preferred, or willingness to work towards certification.
  • Preferably 8+ years of experience in information security, cybersecurity, IT audit, or a related field within the banking, financial services, or a similarly regulated industry.
  • Thorough understanding of the FFIEC IT Examination Handbook and other related industry standards (GLBA, NIST, PCI DSS, etc.).
  • Excellent communication and people skills are a must:
      ◦ Ability to interact and cooperate with all levels of the bank and with external parties.
      ◦ Ability to work with and train employees possessing differing levels of technical knowledge.
      ◦ Experience making presentations and creating presentation material.
      ◦ Ability to translate technical language into clear written and verbal communications for varied audiences (regulators, team members, department managers, executive management, and the board or board committees).
  • Must be able to maintain confidentiality regarding information processed, stored, or accessed.
  • Ability to apply expertise across a variety of business units within the organization.
  • Understanding of network security, endpoint security, access controls, encryption, cloud security, AI risks, and threat detection.
  • Ability to manage multiple concurrent projects.
  • Strong analytical, organizational, and problem-solving skills.
  • Self-driven and detail-oriented; accuracy is a must.

Responsibilities

  • Oversee the bank’s information security program, ensuring accountability and alignment with strategic plans, business objectives, regulatory requirements, and industry best practices.
  • Evaluate the design and effectiveness of information security controls and recommend improvements.
  • Conduct periodic cybersecurity, vendor and IT risk assessments to identify vulnerabilities and threats to the bank’s information assets and operations.
  • Monitor and analyze security incidents and implement risk mitigation measures.
  • Oversee data governance to ensure data quality, integrity, accessibility, security, and regulatory compliance throughout its lifecycle.
  • Deliver quarterly reports to Audit, Risk and Compliance (ARC) Committee and Board on security posture, emerging risks, and updates across all areas of responsibility.
  • Ensure compliance with FFIEC and GLBA requirements and with applicable standards and frameworks such as NIST and PCI DSS.
  • Monitor regulatory changes and implement required updates promptly.
  • Work with audit and risk teams on audit/exam preparation, providing documentation and expertise while preserving audit independence.
  • Coordinate management responses and remediation plans, ensuring timely resolution and clear communication.
  • Coordinate with IT to implement and maintain effective security tools and cybersecurity measures.
  • Monitor and respond to alerts, incidents, vulnerabilities, and emerging threats—including AI‑related risks—and adjust controls as needed.
  • Continuously evaluate and recommend improvements to security technologies to strengthen the bank’s cybersecurity posture.
  • Lead the investigation and documentation of security incidents and cyber events.
  • Maintain the bank’s BCP/DR programs, updating plans as technology, processes, and threats change.
  • Lead testing and tabletop exercises, ensuring corrective actions are completed.
  • Serve as BCP Coordinator, ensuring the BCP Committee follows required schedules.
  • Lead BCP/DR activities and communication during operational disruptions.
  • Report DR‑related incidents to regulators as required.
  • Maintain the incident response plan with clear procedures for security events.
  • Lead response efforts with IT, legal, and senior management to contain, investigate, and recover from incidents.
  • Oversee third‑party risk management, including policies, due diligence, and ongoing security assessments.
  • Evaluate the security posture of new and existing vendors for compliance with bank standards.
  • Provide reminders to management regarding third-party risk management (TPRM) responsibilities.
  • Develop and conduct ongoing information security and cybersecurity training for all staff.
  • Participate in information‑sharing groups (e.g., InfraGard, FS‑ISAC, TBA ISAO) to stay current on threats and best practices.
  • Ensure annual training for employees, management, the board, and security personnel.
  • Promote a strong culture of security awareness across the bank.
  • Conduct phishing simulations and use results to guide training needs.