
Director of Information Security

BANK FUND STAFF FEDERAL CREDIT UNION
Washington, DC (Full Time)
Posted on 10/21/2025; closed on 12/20/2025

Description

About BankFund:

BankFund Credit Union is a full-service financial cooperative that was organized and chartered in 1947 as a convenient place for employees of the World Bank Group and International Monetary Fund and their families to save and to obtain credit. Located in Washington, DC, BankFund maintains three full-service branches downtown with our headquarters located near Farragut West metro station. This position is classified as a hybrid role which means that on-site work will be expected. After completion of training for the role, staff generally work on site 40% of the time but this is subject to change based on health and safety standards and operational need. 


Summary:

The position serves as the Director of Information Security (DIS) for the Credit Union, which includes designing, defining and implementing the Credit Union’s Information/Cyber Security program while protecting the business from cyber security threats. The DIS will serve as the strategic and security operations leader of a comprehensive enterprise cyber security program to ensure the availability, integrity, and protection of the members, business partners, and business information assets and technologies.


Responsibilities:

Strategic Enablement

  • Develop an information security vision and strategy that is aligned to organizational priorities.
  • Develop and execute the ongoing development and implementation of the cyber security program, and manage the portfolio and implementation of security projects and controls.
  • Develop, review and enforce Information Security policies, processes and procedures, and manage changes to existing policies and procedures to ensure regulatory compliance.
  • Monitor and report on compliance with security policies, as well as the enforcement of policies across the Organization.
  • Manage the process of analyzing and assessing the current and future threat landscape, and provide the Executive Management team with a realistic overview of risks and threats in the enterprise environment.
  • Develop and manage an information security risk management program to assess and communicate risks.
  • Develop and manage budget projections based on short- and long-term goals and objectives.
  • Manage a staff of security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.
  • Prepare, present, coordinate and/or support formal reporting to Executive Management, the Information & Technology Steering Committee, and the Board Committees regarding programs, policies, procedures and processes that are monitored or managed by the DIS.

Tactical

  • Manage and respond to security audit findings reported by auditors and examiners. 
  • Work as a liaison with vendors and legal to establish and manage mutually acceptable contracts and service-level agreements. 
  • Manage technology security issues and incidents, participate in problem and change management forums to assess and communicate risks. 
  • Serve as an active and contributing participant in the Information Technology Steering Committee (ITSC). 
  • Work with the Executive Management team and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security programs and strategy. 
  • Provide support and guidance for legal, audit, and regulatory compliance efforts.

Technical

  • Lead and supervise Security Operations and threat intelligence activities.
  • Manage cybersecurity technologies, and continuously assess and implement new controls that improve the security posture of the organization.
  • Monitor and respond to security incidents, threats, breaches, and anomalies.
  • Implement and manage security technologies and programs (e.g., Data Classification, Identity and Access Management, EDR, XDR, SIEM).
  • Monitor and enforce security controls that support defined security policies.
  • Leverage industry best practices and frameworks to establish and enforce security standards across the technology landscape.
  • Actively participate in the Change Advisory Board to assess, document, and communicate security risks of technology changes.
  • Lead the development of security standards and best practices for assessing existing and/or new technologies.
  • Collaborate with the IT team, Business Owners and staff to develop and execute a program that ensures security standards and controls are factored into the evaluation, selection, installation, and configuration of all systems, including hardware, applications, and software.
  • Develop strong working relationships with Risk Management, Audit and Business Owners to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.

Additional Duties:

  • Create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
  • Collaborate and liaise with the data privacy officer to ensure that data privacy requirements are included where applicable.
  • Collaborate and liaise with Risk Management and Internal Audit for audits and assessments of security controls.
  • Coordinate, measure and report on the technical and operational aspects of security management.
  • Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances and exceptions, recommend remediation plans, and communicate information about residual risk.
  • Design, coordinate and oversee security testing procedures to verify the security of systems, networks, and applications, and manage the remediation of identified risks.
  • Manage and coordinate operational components of cyber security incident management, including detection, response, and reporting.
  • Create and maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
  • Facilitate and regularly conduct Cyber Security Awareness training programs across the Organization.
  • Manage the security project portfolio and provide expert guidance on security matters for other projects.
  • Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans.
  • Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
  • Manage and maintain industry-leading Cyber Security Maturity Assessment tools (examples: Gartner, NIST) to measure and calibrate the organization’s baseline cybersecurity posture, and to assess the maturity levels of the controls in place.
  • Manage outsourced vendors that provide information security operations functions for compliance with contracted service-level agreements.
  • Participate in annual Bank Secrecy Act (BSA) and Office of Foreign Assets Control (OFAC) training and demonstrate knowledge and understanding of the BSA and OFAC, including the immediate reporting of unusual or suspicious activity to the Risk Management Department. Undertake additional training specific to daily responsibilities and as required to ensure continued compliance with all applicable regulations.
  • Successfully participate in annual Information Security refresher training. Comply with the Information Security Policy, including the immediate reporting of unusual or suspicious activity to the CIO and Security Officer. Follow all procedures to protect company computers from viruses, and to maintain the security and confidentiality of Credit Union data.
  • Ensure the Credit Union’s safe harbor protections as allowed by the BSA. Understand that if confronted with knowledge of the existence of a Suspicious Activity Report (SAR), an obligation exists to preserve the confidentiality of that SAR, as well as any information that may reveal the existence of a SAR. Maintain awareness of, and immediately report to the Compliance Officer, any unauthorized disclosure of a SAR, or unauthorized disclosure of information related to a SAR. Understand that failure to do so is a violation of federal law and may lead to both civil and criminal penalties for SAR disclosure violations.
  • Be available at all times for contact by a mobile communication device and, as needed, provide telephone support, coordinate the response and remediation of production incidents, or report to the Credit Union.
  • Undertake other work-related duties as assigned by the Chief Information Officer.

Requirements

Requirements and Qualifications:

  • A minimum of eight years of IT experience, with six years in an IT security role and at least four years in a supervisory capacity.
  • Strong leadership skills and the ability to work effectively in a team-driven environment within IT and across the organization.
  • The ability to interact and build strong relationships at all levels and across all business units and understand business imperatives.
  • A strong understanding of the business impact of security threats, tools, technologies and policies.
  • Strong leadership abilities, with the capability to develop and guide the IT security team members and IT staff, and work with minimal supervision.
  • Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project teams, management and business stakeholders; in-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; a strong understanding of information security concepts, protocols, industry best practices and strategies.
  • Experience working with legal, audit and compliance staff.
  • Experience with common information security management frameworks, such as National Institute of Standards and Technology (NIST), International Standards Organization (ISO) 2700x, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) frameworks.
  • Familiarity with applicable legal and regulatory requirements, including, but not limited to GLBA, FFIEC, and PCI.
  • Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies.
  • Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
  • Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
  • Familiarity with the principles of cryptography and cryptanalysis.
  • Experience in application technology security testing (white box, black box and code review).
  • Experience in system technology security testing (vulnerability scanning and penetration testing).
  • Experience with security systems (firewalls, intrusion detection systems, data loss prevention, content filtering, end-point security), database technologies, architectural reviews and PCI-DSS.
  • Experience with risk assessment, threat and incident management methodologies. 
  • Experience with public/private/hybrid cloud-based environments.
  • Experience with securing Linux, Unix and Windows servers. 

Education Requirements: 

  • BS in Computer Science, Information Security, Cybersecurity, or equivalent real-world experience.
  • Information security industry certification (CISSP, SSCP, GIAC, GSEC, CISM, CITSM, CISA, etc.) strongly preferred.
  • Certifications in Cloud (Azure, AWS), Microsoft, Cisco, Checkpoint, VMWare technologies preferred.


For internal purposes, this position is graded as Exec-17. 

The anticipated annualized base salary range for this position is $183,000 to $244,000. Final base salary for this role will be based on the individual’s job-related experience, skillset, training, certifications and market demands. The benefits available for this full-time position include, but are not limited to: medical, dental, and vision insurance, 401(k) plan, life insurance coverage, disability benefits, tuition assistance program and paid time off, including paid parental leave benefits. In addition to base salary, this position is eligible for an annual incentive plan.

Salary : $183,000 - $244,000

