**Director, Business Information Security Officer**

at PAGAYA New York, NY **About Pagaya**

**Help Shape the Future of Finance**

Pagaya is a financial technology company working to reshape the lending marketplace, for investors, by using machine learning, big data analytics, and sophisticated AI-driven risk analysis. With its current focus on consumer credit and real assets, PAGAYAs proprietary suite of solutions and pipelines to banks, fin-tech lenders and others was created to actively find greater value for institutional investors. PAGAYAs models create additional value to that pipeline as well, by increasing liquidity and, in turn, increasing opportunities for access to credit.

We move fast and smart, identifying opportunities and building end-to-end solutions from AI models and unique data sources to new business partnerships and financial structures. Every PAGAYA team member is solving new challenges every day in a culture based on collaboration and community. We all make an impact regardless of title or position.

**Our Team**

The company was founded in 2016 by seasoned finance and technology professionals, and we are now 400 strong in New York, Tel Aviv, and LA. You will be surrounded by some of the most talented, supportive, smart, and kind leaders and teamspeople you can be proud to work with!

**Our Values**

* **Continuous Learning**: Its okay to not know something yet, but have the desire to grow and improve.

* **Win for all:** We exist to make sure all participants in the system win, which in turn helps Pagaya win.

* **Debate and commit:** Share openly, question respectfully, and once a decision is made, commit to it fully.

* **The Pagaya way:** Use first principles thinking to support our needs, but is unique to Pagaya.

**About the Role**

The Director, Business Information Security Officer will lead the US affiliate, Pagaya Investments US LLCs, efforts to successfully implement and provide ongoing management and oversight of all relevant information security controls/solutions. The BISD will work closely with our Israeli Office of the CISO, and its security architectural team to evaluate and implement cyber security solutions in the domains of Cloud, IAM, DLP, mobile and endpoint security, security monitoring, security training and more to protect Pagaya?s core assets, data and IP.

The ideal candidate has a unique set of skills that enables them to build and collaborate with our diverse network of partners and Global Information Security team having both direct impact and influence on Pagayas rapidly growing business. The BISD will have an opportunity to work with the industrys most advanced security technologies, continually growing ones technical and managerial skills to protect and ensure Pagayas continuing expansion efforts.

**Responsibilities**

You will be responsible for our security solutions technology stack for the US throughout the project lifecycle (including evaluation, implementation, management and ongoing operations, including reporting/metrics). Ensure all security solutions meet the localized business, regulatory and technical needs of the US affiliate, and report upstream to the Office of the CISO and Global CISO.

* Work closely with Pagaya?s Global Security Engineering team, architecture and SecOps team members within the Office of the CISO to ensure consistent cross-company implementation of controls.

* Drive the secure deployment of a global security solution stack focused on cloud (IaaS and SaaS), mobile and endpoint related controls.

* Assist the Global CISO in the development, implementation and maintenance of up-to-date information security procedures, standards and guidelines and oversee the localized approval, training, and dissemination of security policies and practices.

* Manage a defense in depth approach that addresses all cross-department security requirements.

* Share and communicate end-to-end security solutions and the enterprise security posture (both orally and written) to executives, business sponsors, and customers and partners in a clear and concise manner that is in the vernacular of each group

* Create and manage information security and risk management awareness training programs for all US employees, contractors and approved system users.

* Work directly with the other business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.

* Facilitate the information security risk assessment process, as well as support audit programs such as internal security audits, ISO 27001, SOC2 and SOX audits, including the gathering of audit evidence, reporting and oversight of treatment efforts to address any negative findings/gaps.

* Manage business unit security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.

* Monitor business unit metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security.

* Manage outsourced US vendors that provide information security functions for compliance with contracted service-level agreements.

* Manage and coordinate operational components of US-based incident management, including detection, response and reporting.

* Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.

* Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information to the Global CISO about residual risk.

* Ensure localized audit trails, system logs and other monitoring data sources are reviewed periodically and comply with policies and audit requirements.

* Develop and oversee effective disaster recovery policies and procedures to align with the enterprise business continuity management program goals. Coordinate the development and testing of business unit specific plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.

* Create and support POC/demos and present security solutions relevant to the business unit to the company relevant stakeholders

**Requirements**

7 years of proven InfoSec management experience including hands-on information Security experience with key technologies such as endpoint security, email security, DLP, mobile device management, and SIEM.

* In-depth knowledge of a comprehensive stack of layered security controls and the technical aspects of their deployment and management.

* Experience with Cloud delivered solutions (IaaS, PaaS, SaaS AWS)

* Knowledge in the majority of security domains such as: IAM, Cloud access broker (CAB), DLP, Endpoint Protection and Cloud native security solutions (focused on AWS), as well as security incident and event monitoring.

* 6 years of proven experience in defining security requirements and deployment of solutions.

* Experience in leading cross-domain solutions

* In-depth knowledge of information security concepts, design/architecture, and methodologies

* Security-related certifications (CCSP, CISSP, CISM, CISA, etc.) are a plus.

* Experience supporting both internal and external security and compliance audits of an enterprise within a regulated industry such as financial services.

* Continuous learner with flexible mindset who has demonstrated the ability to be a nimble and creative thinker within an ever-evolving and dynamic organization.

* A self-starter with a solutions and consultative oriented mindset and strong attention to detail

* Exceptional communication, presentation, and stakeholder management skills, proven ability to partner across diverse stakeho