SVP III, Chief Information Security Officer (CISO)

Position Summary

Ensuring the security of millions of card members is our most important priority. The CISO balances this against the need to innovate and advance business capabilities and is an enabler, solutions provider, and trusted partner for various business and department leaders.

The CISO is responsible for the Bank’s Information Security Management Program including Governance, Risk Management, Threat Intelligence, and Assurance.  The CISO chairs the Information Security Committee and partners with Information Technology leadership on Security Operations.

Information security responsibilities will include, but may not be limited to, data protection, mobile and endpoint security, threat detection, vulnerability management, application security architecture, identity and access management, cyber resiliency, network security architecture, information security policy, including network access and monitoring policies, employee education, etc.

We’re looking for an intelligent, articulate, and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to executives and a broad range of technical and non-technical staff.  The ideal candidate will be a strategic thinker, looking at new and emerging threats and getting ahead of them; advancing new techniques and industry best practices.

The CISO is the Information Security subject matter expert and is expected to contribute guidance and expertise on a wide range of business topics including, but not limited to, information technology and information security policy, enterprise and technology risk management, data privacy, data governance, emerging technology and new and emerging threats.

Summary of Essential Job Functions

• Design/improve security practices for existing and new technology capabilities to manage security vulnerabilities, including legacy banking systems, third-party applications, as well as newer architectures (cloud, etc.)
• Overall accountability to develop, implement, and maintain the information and cyber security management program, including security policy, standards, guidelines, and procedures.
• Periodically update the cyber security strategy to incorporate new technology and manage new & emerging threat information
• Manage the information security budget, including roadmap and delivery of security initiatives
• Stay current on technological change to understand the evolving security threat landscape, and ways to manage risks
• Ensure information security compliance with the changing laws and applicable regulations in Banking and Financial Services, including (but not limited to) the Gramm-Leach-Bliley Act Cybersecurity requirements
• Oversee periodic Federal examination, security audits, internal threat hunting, internal & third-party penetration tests, simulations, control testing, and other assurance activities to validate controls.
• Collaborate with adjacent colleagues in Business Continuity Planning, Enterprise Risk Management, Audit, and Physical Security.
• Oversee incident response planning, as well as the investigation of security incidents, including impact analysis, root cause analysis, and recommendations for remediation and control enrichment
• Present regular executive-level reporting on the status and progress of the Information Security Management Program.  Create awareness of new & emerging risks and the company’s preparedness
• Hire, manage, and train security team, employees, contractors, and third parties
• Create or curate information security awareness training and communicate best practices and risks to all parts of the business
• Perform other duties as assigned

Position Requirements

• Bachelor’s Degree in a relevant field of study.
• 10+ years of experience leading teams in information security in a regulated industry, preferably at a high-volume Banking or Financial Services institution, or healthcare
• 10+ years of experience with information security architecture and enterprise technology such as: Firewalls, SIEM, DLP, VPN, DMZ, MFA, WAF, Intrusion Detection/Prevention, Encryption, Anti-virus, Anti-Malware, SOC operations, forensics, identity management, etc.
• Working knowledge (experienced preferred) of AI/ML and Generative AI security risks and the technical and procedural controls used to manage them.
• CISSP, CISM, or similar professional certification
• Collaborative and action-oriented management style (big plus is the ability to be hands-on)
• Excellent written and verbal communication skills and high level of personal integrity
• Innovative thinking and leadership with an ability to find safe and secure solutions for business needs
• Experience with legacy banking systems as well as cloud / elastic computing across virtualized environments, hybrid/multi-cloud infrastructures, and externally managed services
• Experience implementing security solutions in enterprise, cloud, and hybrid cloud environments.
• Experience with Federal financial institution examination procedures including examination preparation and presentation
• Excellent understanding of the Office of the Comptroller of the Currency (OCC) mid-sized bank regulatory guidance (as pertains to information security).
• Excellent understanding of information security standards including ISO 17799/27001/27002, NIST Cybersecurity Framework, the Center for Internet Security, CISA Cross Sector Cybersecurity Performance Goals, Cloud Security Alliance, the Payment Card Industry’s Data Security Standard (PCI-DSS), NIST standards on security and privacy controls, encryption, authentication, cloud computing, NIST frameworks for risk management, including the AI risk management framework.

Preferred

• Bachelors degree in Information Security, Cybersecurity, Computer Science, Computer Engineering, or MIS; Master’s degree in any of these fields preferred.
• Demonstrated experience in AI governance, AI security, and AI programs within a regulated environment.
• Experience with contract and vendor negotiations and management including managed services
• Experience in modern software development practices, such as Agile, Waterfall, Rapid, etc.
• Excellent understanding of Federal Financial Institutions Examination Council (FFIEC) procedures including information technology and information security guidance.