Posted: January 18, 2023
Our Client is searching for their Chief Risk & Information Security Officer.
Purpose of Position:
The Chief Risk & Information Security Officer (CRO/CISO) is responsible for the ongoing management of the Information Security Program including policies, procedures, and technical systems in order to maintain the confidentiality, integrity, and availability of all organizational information systems at (the “Bank”). This includes the oversight of the Risk Assessment, Third-Party Vendor Management, Business Continuity, and IT Audit Programs. Responsibilities also include oversight of the regulatory examination process and serving as a liaison between the Bank and regulators, specifically the OCC, FDIC, and Federal Reserve. CRO/CISO also has responsibility to develop, implement and direct an Enterprise Risk Management program for the Bank which includes systems, processes, policies, and procedures that enable the organization to effectively identify, assess, monitor and control risks from all sources. The CRO/CISO must have strong US banking experience, with a broad understanding of banking risks, technology, systems, information security and best practices.
Key Responsibilities:
Information Security
- Responsible for implementing, managing, and enforcing Information Security directives as mandated by GLBA, FFIEC, PCI Standards and other regulatory requirements
- Manage Information Security Program including policies and procedures
- Coordinate all examinations and formulate/approve all responses and follow-up items with regulators
- Manage and track recommendations and remediation efforts from examinations
- Serve as a liaison between the Bank and its regulators on all information security matters
- Ensure the ongoing integration of information security with business strategies and requirements
- Ensure that the Access Control, Disaster Recovery, Business Continuity, and Risk Management needs of the organization are properly addressed
- Ensure that the policies and processes associated with the Cybersecurity Program are maintained and adequate for the Bank
- Ensure that the policies and processes associated with the Information Security Program are maintained and adequate for the Bank
- Perform or manage ongoing IT Risk Assessments and IT Audits to ensure that Information Systems are adequately protected and meet GLBA certification requirements
- Develop IT Audit Scope, and assist in oversight and management support for scope of all other audits and compliance matters
- Work with vendors, outside consultants, and other third parties to improve Information Security within the organization
- Oversee Vendor Management program efforts to ensure adequate performance and security practices are in place
- Subscribe to threat notification networks, new regulations, and information sharing networks to stay current on requirements and new threats to the industry
- Escalate any security or compliance issues and alerts
- Help define and support process improvements
- Assist with strategic planning
- Prepare analysis of new technology deployed within the infrastructure, including hardware, software, and functional processes, and determine the level of risk associated with each technology, including any existing or potential Fintech partnerships
- Provide advice to development teams on how to achieve compliance with regulations and IT Policies and Procedures
- Perform other duties and responsibilities as requested by the President & CEO
Enterprise Risk Management
- Develop and continuously evolve the Bank’s Enterprise Risk Management (ERM) Framework
- Liaise with regulators on ERM related matters as well as develop and maintain a broad knowledge and awareness of the banking industry, risk management best practices and regulatory requirements
- Apprise senior management and the Board of Directors on ERM matters and collaborate with same to create, sustain and strengthen the Bank’s Enterprise Risk Management program
- Identify, monitor and report significant risks to which the Bank is, or is expected to be, exposed, including but not limited to: liquidity risk, credit risk, operational risk, market risk, strategic risk, legal and regulatory risk, and reputational risk
- Manage enterprise risk assessments at the operational level, including assessment of controls
- Monitor the Bank’s risk performance in relation to the Bank’s Risk Appetite Statement, strategic and business plans
- Promote a risk management culture within the Bank
- Participate in special projects and perform other duties as assigned
Policies & Procedures
- Oversee the review, at least annually, of Information Security and Enterprise Risk Management Policies & Procedures and provide recommendations of areas deemed appropriate for upgrading
- Review and recommend changes to all policies made by business units to ensure the risk tolerances established fit within the Bank’s risk management frameworks and Risk Appetite Statement, and present recommended changes to the President and CEO as well as for presentation to Board committees if required
Business Continuity
- Develop and implement the Bank’s Business Continuity Program, including policies and procedures, testing and training, in order to improve the Bank’s resilience in the event of a disaster
- Ensure all critical documents of the Information Security and Enterprise Risk Management Department are either safely stored off-site or are scanned into the Bank’s computer systems
- Ensure all Information Security and Enterprise Risk Management Department staff are familiar with the Bank’s Disaster Recovery Plan
- Generally, ensure that the Information Security and Enterprise Risk Management Department has effective business continuity plans in place
Other
- Responsibility for departmental reporting and compliance requirements
- Preparation and presentation of material to Board and Management committees as necessary
- Perform role as a value-added member of the senior management team
- Other tasks as delegated by the President & CEO from time to time.
Qualifications:
- Must have 10+ years of banking experience in the United States
- Must have 5+ years of experience in IT management with a focus on physical and logical security oversight and/or enterprise risk management experience in the banking industry
- Proven working knowledge of requirements for GLBA, SOC, and PCI, and of OCC, FDIC, and FFIEC guidance on data security and IT Examination requirements
- Experience with auditing processes, including Network Security, SDLC/Change Management and IT related functions
- Knowledge of the global IT Risk Regulatory Landscape and Risk Management Model (e.g. Threats, Vulnerabilities, and Controls)
- Strong technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.)
- Experience in developing and maintaining a technology Risk Assessment process
- Must be well versed in industry accepted IT control frameworks (e.g. SSAE16, SAS70, or ISO17799 audit reports)
- Project and program management concepts and controls experience
- Must possess a high degree of integrity and trust along with strong communication skills and the ability to work individually, within a team and with other business groups
- Experience or understanding of Disaster Recovery, Business Continuity, and Incident Response initiatives
- Must have the ability to develop policies and procedures and communicate effectively
- Understanding of federal and other regulatory requirements and the ability to keep current
- Experience working with federal examiners
- Must be open to working on-call
- Certifications in data security and/or auditing procedures preferred
- Familiarity with banking related software (Fiserv preferred)
- Multidimensional professional with a background in all aspects of the risk management functions in the banking industry
- Master’s or Graduate Degree is preferred
- Superior analytical and decision-making skills based on effective risk assessment/management
- Demonstrated ability to communicate, persuade and influence across all levels
- Demonstrated ability to identify, analyze and apply conceptual thinking
- Excellent verbal and written communication skills
Interested candidates please contact Stephanie Williams at swilliams@collinsrecruit.com.