About Us

Ascend is the largest credit union in Middle Tennessee and one of the largest credit unions in the United States, with over $3 billion in assets. With an occupation-based field of membership, Ascend is focused on the expansion and diversification of the select employee groups it serves, which creates greater security for the credit union and its member-owners. Approximately 650 employees serve more than 207,000 members from 29 Middle Tennessee branch locations, Regional Operations Center, Teller Center and Corporate Headquarters. Ascend recognizes that its employees are critical to the credit union’s sustained success and future growth. Our employees are the face of the credit union and their personal successes fuel the success of the team. Through collaboration between employees, management, our membership and our Board, we fuel an engine that propels the credit union forward.

What We Offer

Thank you for your interest in a career with Ascend Federal Credit Union! Being employed by Ascend is vastly different than just holding a job. The credit union prides itself on providing employees rewarding career opportunities, competitive benefits and a unique work culture. The credit union’s commitment to its employees is fostered by its commitment to the member-owners, ensuring dedicated and engaged employees to serve the membership. Ascend’s vision to be the most loved credit union in our market by employees and members alike has earned the credit union distinctions including Federal Credit Union of the Year (NAFCU, 2015), Best Credit Union to Work For (2016, 2017, 2018, 2019, 2020, and 2021) and Training Top 125 (2015, 2016, 2017, 2018, 2019, and 2020).

Overview

The Manager of Information Security is responsible for overseeing the design and implementation of all facets of Ascend's cybersecurity program. The Manager will provide vision and leadership to ensure Ascend is properly managing all information security risks regarding systems, software, and data assets. The Manager will work with IT and business leaders to build effective cybersecurity governance and risk mitigation strategies. This leadership role comprises a variety of activities, including tactical, operational, and strategic activities in support of Ascend's information security program. These activities include strategic support, security liaison, architecture/engineering support, and operational support across all aspects of Information Technology, spanning networks, virtual and physical servers, software development, vendor applications, client technology, and cloud platforms. The Manager of Information Security will report directly to the Chief Information Officer.

Responsibilities

• Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management program to ensure that the integrity, confidentiality and availability of information is owned, controlled or processed by the organization.
• Manage the enterprise's information security organization, including hiring, training, staff development, performance management, and quarterly performance reviews.
• Facilitate information security governance through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
• Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
• Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants and other service providers.
• Develop an information security budget and manage it within approved variances.
• Work with HR & Training to create and manage information security and risk management awareness training programs for all employees, contractors, and approved system users.
• Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
• Provide regular reporting on the current status of the information security program to enterprise risk teams and senior business leaders.
• Create a framework for roles and responsibilities regarding information ownership, classification, accountability and protection.
• Develop and enhance an information security management framework based on FFIEC, NIST, and other applicable standards.
• Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
• Coordinate information security and risk management projects with resources from the IT organization and business unit teams.
• Ensure that security programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
• Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
• Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
• Develop and oversee effective disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
• Liaise with external agencies, such as regulatory examiners and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture.
• Serve as the subject matter expert (SME) to assist with security department’s law enforcement contacts as well as offer input on insurance coverage levels related to cybersecurity threats.
• Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
• Work with the IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
• Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
• Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
• Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
• Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
• Manage and coordinate operational components of incident management, including detection, response and reporting. Participate in Change Management forums and boards.
• Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data, and the company's reputation.

Qualifications

• Bachelor's Degree Information Systems, Computer Science, Information Assurance or equivalent work experience required
• 10-15 years Minimum 10 years of IT experience, required
• Five years in an Information Security Role required
• Two years in a supervisory capacity required
• Strong leadership skills and the ability to work effectively with business managers, IT engineering and IT operations staff.
• Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
• Ability to establish and manage to an IT financial budget.
• Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
• Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project and application development teams, management and business personnel.
• In-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security strategy and controls.
• Experience developing and maintaining policies, procedures, standards and guidelines.
• Experience with common information security management frameworks, such as FFIEC, NIST, the IT Infrastructure Library (ITIL), and Control Objectives for Information and Related Technology (COBIT) frameworks.
• Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
• Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
• In-depth understanding of operating systems, networking protocols, software development, client technologies, and cloud computing platforms.
• Experience with vulnerability scanning and penetration testing.