The AVP, Information Security is a critical member of the CIO's team. This position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. This person will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. Candidates should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology.
This role will work closely with the CIO, technology security partners, and business stakeholders to ensure the information security program follows industry best practices, adheres to all Federal and State laws and regulations governing and applicable to the Credit Union, including the Bank Secrecy Act, and aligns with company stakeholder needs and expectations.
Responsible for implementing and running the enterprise information security program.
Provides risk assessments, risk reports, strategy and operating model, program updates, and advises the CIO on all matters pertaining to information security and their potential impact to the business and its stakeholders.
Accountable for the maintenance, enhancements, and monitoring of a strategic, risk-management-based information security program to ensure the availability, integrity and confidentiality of information across the company.
Functions as a thought leader and change agent to the organization and provides recommendations in the analysis and discussion of security policies, standards and practices, and guides the acquisition of advanced security controls.
Creates and manages a targeted information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences.
Evaluates security risk and acts expeditiously in making decisions and recommendations, while considering the business impact.
Manages the enterprise's information security organization, consisting of direct and indirect reports. This includes hiring, training, staff development, performance management and annual performance reviews. Recommends staffing levels and resources to support best practices and business operations.
Leads and coordinates, internally and externally, responses to security incidents, providing timely reports during the incident and remediation, as well as proposing solutions to anticipate, prevent, or mitigate future incidents.
Creates or enhances security policies, standards, processes and procedures.
Enhances and maintains information security risk mitigation plans, including leading security incident response in prevention, investigation, mitigation and reporting activities.
Oversees outside consultants for independent security audits, engagements and monitoring, including regular penetration and vulnerability testing.
Stays up-to-date on information security and safety protocols.
Balances information security needs with the organization's strategic business plan, identifies risk factors with evolving business plans, and proposes mitigating solutions.
Exercises extreme confidentiality as the scope of work will include access to sensitive data and financial perspectives.
Relevant experience managing security for companies that leverage cloud technologies such as Amazon Web Services (AWS), Agile methodology, IaaS, and ITIL.
Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x and Control Objectives for Information and Related Technology (COBIT) frameworks.
Excellent written and verbal communication skills, interpersonal and collaborative skills.
The ability to communicate security and risk-related concepts to technical and non-technical audiences.
Must be able to effectively liaise with internal direct reports and senior management as well as external customers, clients, partners and stakeholders.
Must be a critical thinker, a thought leader, and a change agent to the organization.
Proven track record and experience in developing information security policies and procedures.
Strong project management, financial/budget management, scheduling and resource management skills.
Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
Strong knowledge of regulatory rules and standards that govern information security practices in the financial services industry, such as SEC, FINRA, CFTC/NFA, BSA and state and federal privacy laws.
Certification as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Security Manager (CISM).
Minimum of 7 years of experience in a combination of risk management, information security and IT or OT roles (at least five must be in a senior leadership role).
A four-year degree in Computer Science, Information Systems Management, Business Administration, Risk Management, or a related field.
Vacaville, California, United States