Description

Job Overview: CFSB is seeking and experienced Information Security Officer (ISO) that will be responsible for designing, establishing, maintaining, and enforcing a corporate-wide information security management program to ensure the integrity, confidentiality, and availability of information owned, controlled, and processed by the institution. This position is responsible for identifying, evaluating, mitigating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the Bank. This role serves as the Banks designated Privacy Officer.

Key Responsibilities:

• Develop and maintain the Bank’s strategic information security program and plan, taking into consideration business and legal requirements, and the identification, measurement, monitoring and reporting of the related risk and criticality. Cultivate and foster consensus among stakeholders to ensure enterprise-wide adoption.
• Develop, maintain and enforce the Bank’s information security policies and practices designed to protect sensitive corporate assets, ensure data privacy, and comply with laws and regulations, including those from the Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry (PCI) and other applicable privacy laws. Familiarity with Service Auditor Reports such as SSAE16 Service Organization Controls [SOC] reports.
• Manage the information security aspects of contractors and outsourcers providing technology services to the Bank, including managed security services, infrastructure engineering, operations, desktop support, and software development. Ensure compliance with the appropriate laws and regulations.
• Develop, maintain and enforce the Bank’s information security policies and procedures, for example:
  • a. Identification of sensitive data and policies/practices regarding the identification of sensitive data as well as practices for information labeling, handling and storage.
  • b. Information security as related to personnel, including role-appropriate pre-employment background checks; and Security Awareness Training, ensuring necessary and appropriate content and compliance with requirements for each employee to take the training as well as the frequency of updated training.
  • c. Network, infrastructure, application and mobile device security.
• Ensure technology solutions align with best practices and meet security requirements, including Software-as-a Service (SaaS) contracts, Software Lice contracts and customized software development solutions.
• Provide guidance and make recommendations to the Bank’s Executive Management and Board of Directors with regards to the security characteristics (i.e., advantages and disadvantages) of various technologies and business practices.
• Ensure contracts with 3rd parties contain appropriate security language, including data privacy and protection language required by state and federal laws. Develop, maintain and manage a third party security assessment program for key vendor relationship and third party providers.
• Manage the Bank’s Incident Response Plan. Perform incident response planning, including developing, maintaining and enforcing the Bank’s Incident Response Plan in addition to managing security incidents if/when they occur. This would include coordinating incidents, if applicable, with associated third party providers and, if applicable, multiple regulatory organizations, outside counsel and stakeholders.
• Coordinate, provide leadership and management for security related audits and inspections. Interface as the primary contact with regulators and third party contractors with regards to the Bank’s security posture and practices.
• Actively participate in Bank Committees related to the Information Security realm, including: Incident Response Team, Vendor Management, and Technology Advisory Council. Present as requested to the Risk Committee and other committees of the Board.
• Direct and recommend the design of the Bank’s information security systems. Update as necessary.
• Review and recommend security policies, controls and cyber incident response planning.
• Approve and oversee identity and access management (IAM) policies and system access control.
• Understand the IT threat landscape for banking and financial services industry.
• Ensure continued compliance with laws and applicable regulations.
• Schedule periodic security assessments.
• Coordinate security awareness training to all personnel and enforce compliance.
• Manage all teams, employees and third parties involved in IT security, which may include managing a team in a matrix structure.
• Hire, train and mentor security team members.
• Become a trusted business adviser. Brief the Executive Management Team on information security risk management, including strategy and necessary budget.
• Choose and recommend security products as necessary.
• Coordinate electronic discovery and digital forensic investigations.
• Ensure an inventory of technology assets, classified by sensitivity and criticality is properly maintained.

Qualifications

Skills and Qualifications:

• Bachelor degree in related discipline or equivalent work experience. Master’s degree or MBA is preferred.
• Eight (8) or more years of managerial experience in information security or closely related fields.
• Advanced background in information technology.
• Advanced knowledge of applicable US laws and regulations as they relate to the Information Risk and Information Technology Risk.
• Industry recognized Infosec certifications such as CompTIA Security , CEH: Certified Ethical Hacker, GSEC: SANS GIAC Security Essentials, CISSP: Certified Information Systems Security Professional, CISM: Certified Information Security Manager, CRISC: Certified in Risk and Information System Control strongly desired.
• Experience in implementing strategic plans and policy development.
• Advanced knowledge of business processes, management, and budgeting.
• Exceptional and proven leadership capabilities - communication, influence & negotiation, conflict resolution, people management, relationship management (internal/external), and team building.
• Proven ability to successfully partner with internal clients and vendors to align strategy with deliverables, identify business challenges and develop alternatives to mitigate.
• Strong service management and service delivery orientation.
• Strong written, oral, and interpersonal communication skills.
• Ability to present ideas in user-friendly language to a variety of constituent audiences.
• Proven ability to work within a changing environment and lead the implementation of change.
• Ability to assess the impact or potential impact of change management initiatives of various sizes and degrees of complexities on business financials and performance.
• Advanced level of creativity, strategic thinking and problem management skills.
• Ability to conduct and direct research into information risk issues.
• Ability to effectively prioritize and execute tasks in a high-pressure environment.
• Experience with vulnerability assessment tools, such as Nessus, Nexpose, or Qualys.
• Experience with penetration testing tools, such as Metasploit, Burp Suite, or Nmap.

Base Salary - $180,000 - $225,000

Base salary range does not include performance-based bonus and/or other benefits, where applicable. Actual base salary offer will vary based on skills and experience