Application Security Program Manager

Position Function:

The Application Security Program Manager is responsible for managing, maintaining, and overseeing the bank’s application security and identity management programs, which includes developing processes, policies/standards/procedures, and reporting to ensure application risks are appropriately minimized. This includes Core banking, on-premises, and SaaS applications. Having a deep understanding of security frameworks, risk management, and compliance standards is critical in addition to developing positive and effective partnerships with departments across the bank and bank vendors. They will serve as the Subject Matter Expert (SME) in areas related to application security controls, configurations, monitoring, response, and the overall identity management processes. 

The ideal candidate will have broad experience in technology, information security, securing applications, APIs, identity management, etc. They will work closely with the business and project teams to advocate security requirements to ensure applications and related security practices align with policies, standards, and best practices, while ensuring the security architecture and practices do not infringe on the needs of the business. The position requires taking initiative to research, resource, and be self-reliant when approaching projects and tasks, in addition to being an effective communicator.

They will be responsible for:

• Developing and maintaining information security risk management processes that are clear and understandable, workable, up-to-date, and reflect regulatory and CPB-specific requirements and issues. 
• Assisting in communicating such processes throughout the business, including holding training sessions where appropriate. 
• Assisting with the planning, coordination, implementation, and management of security measures that manage risks to systems. and data, to prevent unauthorized modification, destruction, or disclosure of information, including outsider service providers. 
• Analyzing and appraising new products and/or systems for security weaknesses and provide measures to prevent exposure and loss. 

Performs all duties and interacts with internal and external customers in a manner that is expressly aligned with the Company's Core Values of approaching all actions with a “Voyaging Spirit” and being “Positively Ohana”. Exhibits core competencies that result in consistent delivery of positive Customer Interactions, Empowerment and Ownership and demonstrates key professional and performance skills such as Active Listening, effective Oral and Written Communication, Action and Solution Oriented and Thoroughness.

Primary Accountabilities:

Conducting security assessments of systems, application design, and infrastructure to ensure appropriate security controls as part of the overall risk management practice of the organization to include, but not limited to:

• Validating application and other reference architectures for security best practices, and recommending changes to enhance security and reduce risk where applicable.
• Conducting reviews of applications to determine security flaws or other issues that would impact the confidentiality, integrity or availability of the system.
• Conducting or facilitating threat modeling of services and applications that tie to the risk and data associated with the application or services. 

Delivering operational security duties to include, but not limited to:

• Development, maintenance, and monitoring of application security tools and processes.
• Conducting incident response exercises with colleagues throughout the organization and incorporates lessons-learned into existing security architectures and practices.
• Conducting forensic analysis of security-related incidents in a manner consistent with best practices and guidance from the organization’s counsel, human resources or law enforcement.

Other departmental duties and functions including, but not limited to:

• Performing risk analyses pertaining to the security needs of the bank and prepares recommendations based on risk/exposure versus cost. Prepares and presents research findings in written and/or oral form. Presents objectives, alternatives, risk analyses, and cost/benefit analyses.
• Assists with the planning and directing of information security activities of the bank to ensure compliance with internal/external audits, and to federal and State regulations, which include FDIC, relevant sections of the Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act Section 404 provisions, and other duties to be assigned.
• Maintains an outward-facing and forward-looking view to provide solutions to ensure that the bank’s Information Security Program is current and relevant. 
• Designs, implements, and manages Information Security data identification, aggregation, analytics, and validation to meet department goals.

Collaborate in developing and maintaining application security documentation (policies, standards, procedures, templates, etc.) that may be applied towards security governance in projects and operations:

• Initiate and execute on process improvements, policy/procedure updates, etc.
• Tracking developments and changes in the digital banking and threat environments to ensure they are adequately addressed in security strategy plans. 
• Documenting data flows of sensitive information within the organization (e.g., PII or ePHI) and recommends controls to ensure this data is adequately secured (e.g., encryption, tokenization, etc.).

Serving as the Subject Matter Expert in providing guidance in the areas of application security, identity management, and API security:

• Participates in application and related infrastructure projects to provide security planning consulting.
• Partner with cross-functional teams to ensure security requirements are incorporated into processes and operations.
• Liaisons with the vendor management team to conduct security assessments of existing and prospective vendors, especially those with which the organization shares intellectual property, PII, ePHI, regulated or other protected data, including SaaS providers, cloud/infrastructure as a service (IaaS) providers, managed service providers, etc.

Program Manager Responsibilities:

• Lead and manage the bank’s application security and identity management programs, ensuring these programs effectively mitigate security risks and comply with security standards and regulations.
• Responsible for training staff on policies and standards related to application security and identity management best practices, and also training staff on methodologies in conducting risk assessments related to this area.
• Review/delegate work related to the governance and oversight of controls related to application security and identity management. 
• Lead and motivate a team to ensure high levels of engagement, performance, and productivity.
• Set clear goals and expectations for team members and provide guidance on how to achieve them.
• Conduct regular performance reviews to assess individual progress and provide constructive feedback.
• Identify skills gaps and provide opportunities for professional growth through training, mentorship, or cross-functional collaboration.

Minimum Qualifications:

Education:

• Bachelor’s Degree from an accredited 4-year university in any discipline (preferably in the fields of Information Security, MIS, Computer Science, or a related discipline) required.

Experience:

• 10 years of experience and working knowledge in information security, application security, and regulations and privacy laws pertaining to release of information, and security and access control technologies, or equivalent experience required.  (A bachelor’s degree can substitute for 2 years of work experience.)
• 2 years of management or team lead experience required. 
• 1 years of data processing analytics and related technical experience preferred.
• 1 years of experience with identity governance and administration platforms and solutions preferred. 

Physical Requirements & Working Conditions:

• Must be able to perform light physical work and to move or lift items including but not limited to boxes, files and papers up to 20 pounds unless otherwise as indicated.
• Must be able to operate and proficiently use standard office equipment, including phone, copier, personal computer and/or other work related mechanical or electronic devices and applications.
• Must be able to clearly communicate verbally and in writing with all internal and external customers. Must also be able to hear sufficiently to engage in daily discussions and interactions.
• Must be able to read and understand bank-related documents. 
• Must be able to work in a conventional office setting, involving sitting at a desk or workstation for long periods of time.   Must also be able to adapt to different work environments as needed to perform the job.

We are proud to be an EEO/AA employer M/F/D/V. We maintain a drug-free workplace and perform pre-employment substance abuse testing.