What are the responsibilities and job description for the Information Security Officer position at Nextier Bank?
JOB SUMMARY
The Information Security Officer (ISO) is responsible for developing, implementing, and managing the financial institution’s information security program to ensure the protection of customer data, banking systems, and network infrastructure. The ISO collaborates with senior management to mitigate cyber threats, ensure compliance with regulatory requirements, and promote a security-conscious culture across the organization.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
Strategic Leadership & Governance
- Develop and maintain the institution’s Information Security Program (ISP) in alignment with FFIEC, GLBA, NIST, and other regulatory frameworks.
- Provide security guidance and recommendations to the Board of Directors, executive leadership, and IT teams.
- Oversee and update security policies, procedures, and controls to safeguard against cyber threats.
Risk Management & Compliance
- Conduct regular risk assessments to identify vulnerabilities and develop mitigation strategies.
- Ensure compliance with FDIC, OCC, FFIEC, and state regulatory agencies.
- Coordinate with auditors and examiners for security assessments and regulatory exams.
- Develop and oversee the incident response plan, ensuring prompt action in the event of a data breach or cyber incident.
Cybersecurity Operations & Infrastructure Protection
- Monitor the security posture of the institution’s network, systems, and applications.
- Collaborate with IT to ensure firewalls, intrusion detection/prevention systems (IDS/IPS), and endpoint security solutions are up to date.
- Implement and oversee multi-factor authentication (MFA), encryption, and secure access controls.
- Lead the third-party vendor security review process to ensure compliance with institution security policies.
Training & Awareness
- Develop and implement security awareness training programs for employees and executives.
- Conduct phishing simulations, cybersecurity drills, and tabletop exercises to enhance preparedness.
- Foster a security-first culture by educating staff on social engineering threats, fraud prevention, and data protection best practices.
Incident Response & Business Continuity
- Serve as the primary point of contact for cybersecurity incidents.
- Coordinate forensic investigations, incident reporting, and recovery efforts following a security event.
- Work with the Business Continuity Planning (BCP) team to integrate cybersecurity resilience into disaster recovery plans.
ADDITIONAL RESPONSIBILITIES:
- Attend seminars and meetings as appropriate.
- Maintain confidentiality in accordance with the Code of Ethics.
- Adhere to established security procedures.
- Participate in proactive team efforts to achieve departmental and company goals.
- Work with auditors and examiners as needed to complete audits and exams.
- Ability to work cross-functionally with IT, Compliance, and Risk Management teams.
- Problem-solving mindset with a proactive approach to threat mitigation and security improvements.
SUPERVISORY RESPONSIBILITIES:
- No supervisory responsibilities.
KNOWLEDGE, SKILLS, AND ABILITIES:
- Customer and Personal Service – Knowledge of principles and processes for providing customer and personal services.
- English Language – Knowledge of the structure and content of the English language including the meaning and spelling of words, rules of composition, and grammar.
- Communication – Excellent interpersonal communication skills, both oral and written.
- Computers/Technical – Must have a thorough technical knowledge of computer systems, networks, database management, personal computers and applications.
- Banking – Knowledge of financial industry and bank dynamics, and a thorough knowledge of bank’s products and services, and bank security and transaction policies.
- Bank Secrecy Act – In the performance of all the respective tasks and duties, employee will maintain knowledge of Bank Secrecy Act regulations and all other regulatory, security and bank policies and procedures.
EDUCATION AND EXPERIENCE:
- Bachelor’s degree in Cybersecurity, Information Technology, or a related field (Master’s preferred).
- 5 years of experience in information security, cybersecurity, or IT risk management within the financial sector.
- Certifications preferred: CISM, CISSP, CRISC, or GIAC.
- Strong knowledge of banking regulations, cybersecurity frameworks, and risk management principles.
- Experience with SIEM solutions, network security tools, penetration testing, and incident response.
PHYSICAL/WORK CONDITIONS: In the performance of respective tasks and duties, the employee is expected to successfully perform the essential functions of the position. Reasonable employee accommodations for physical or mental disabilities will be considered on a case-by-case basis. While performing duties the employee is required to sit, talk and hear frequently, lift up to 20 lbs. occasionally; may be required to work evenings and/or weekends, attend remote meetings and/or to travel.