Job Description:
• Own and continuously mature the enterprise Information Security Program.
• Align controls and architecture with NIST CSF, NIST 800-53, FFIEC guidance, PCI DSS, and SOC requirements.
• Conduct proactive program assessments and identify security gaps before they become issues, working cross-functionally to execute upon risk mitigation objectives.
• Develop and execute a multi-year security roadmap aligned to business growth and regulatory expectations.
• Present clear, risk-based recommendations to executive leadership and the Board.
• Translate strategy into measurable execution plans with defined milestones.
• Drive remediation of audit, regulatory, and penetration testing findings.
• Ensure strong incident response, vulnerability management, and change management and development programs.
• Implement metrics that demonstrate real risk reduction and program effectiveness.
• Lead and develop a high-performing Information Security team.
• Provide clear direction, prioritization, and performance accountability across detection engineering, vulnerability management, application security, and security architecture functions.
• Oversee operation and optimization of core security tooling, budget, and contract renewal management, including SIEM/XDR platforms (e.g., Wazuh), vulnerability management (e.g., Tenable), application security testing (e.g., Veracode), and related monitoring and detection systems.
• Ensure security diagrams, architecture artifacts, and workflow documentation accurately reflect implemented controls and are audit-ready.
• Establish measurable performance objectives and operational KPIs for the security team in collaboration with teams responsible for execution (MTTR, vulnerability remediation SLAs, detection coverage, control validation, etc.).
• Drive automation and continuous improvement across monitoring, alert triage, vulnerability remediation, and DevSecOps integration.
• Build a culture of ownership, urgency, and technical depth cross-functionally associated with the program.
• Maintain sufficient hands-on familiarity with security tooling and architecture to effectively challenge assumptions, validate control effectiveness, and provide technical direction when needed.
• Assist in the management of Nymbus’ risk log with the ability to identify, manage, and make security risk recommendations.
• Develop a deep understanding of our platform, cloud architecture (AWS/GCP), integrations, and AI initiatives.
• Partner with the CTO, engineering, product, NOC, and operations leaders.
• Ensure strong embedded security controls into SDLC, DevOps, and cloud-native development practices.
• Enable secure innovation rather than slow it down.
• Serve as the subject matter expert in banking security and regulatory expectations.
• Lead SOC/PCI audit readiness and regulatory exam preparedness.
• Engage confidently with regulators, auditors, and bank and credit union clients and prospects.
• Establish governance frameworks for secure and responsible AI usage.
• Assess model risk, data protection, and security implications of AI-driven products.
• Stay ahead of evolving regulatory expectations in AI and fintech.
Requirements:
• 10+ years of progressive experience in information security leadership.
• Significant experience in banking, financial services, or regulated fintech.
• Deep knowledge of:
• NIST CSF & NIST 800-53
• FFIEC guidance
• PCI DSS
• SOC audits
• Experience leading cloud-first security programs (AWS and/or GCP).
• Demonstrated ability to independently assess risk and make defensible decisions.
• Strong executive communication and cross-functional leadership skills.
• Experience operating in high-growth or fast-changing environments.
• Preferred certifications: CISSP, CISM, CRISC or equivalent.
Benefits:
• Annual Cash Bonus and Equity Options commensurate with the role level and experience.
• Fully Remote.
• 401(k) plan.
• Insurance - Health, Dental and Vision.
• Time Off.