- Establish and execute a strategic, comprehensive information security program, with supporting directives, plans, programs
- Develop and maintain information security standards, policies, and guidelines and oversee their distribution in the company
- Identify, assess, mitigate and monitor risks, vulnerabilities, and gaps to improve the overall effectiveness of the security program and improve awareness of best information security practices
- Work directly with strategic partners who have information security questions, concerns, and assessments
- Review legal contracts as needed to help ensure information security requirements are reasonable and in-line with industry-best security practices and the security program
- Achieve and maintain security compliance certifications relevant to the organization (e.g., SOC2, PCI, ISO 27001, GLBA)
- Lead and build out the information security team
- Provide leadership and guidance on information security topics--advising and collaborating on security processes, business continuity, and disaster recovery plans
- Keep an eye on security vulnerabilities and threats and ensure that system and application security design follows best security practices
- Work closely with DevOps, IT, Engineering and third party partner organizations to ensure security is factored into the evaluation, selection, installation, configuration, and deployment of applications and software
- Be involved in security investigations and recommend courses of action
- Assist with related legal matters associated with such events as needed and suggest actions to prevent future incidents
- Monitor external threat environments for emerging threats and advise relevant stakeholders on appropriate courses of action
- Provide regular reporting on the current state of the information security program to executive management
- Establish metrics and reporting framework to measure the efficiency, effectiveness, and maturity level of the program
- Collaborate with the CTO and CPO to connect organizational requirements with security goals
- Provide oversight to the architecture and engineering of new security systems--including evaluating technical designs
- Prepare financial forecasts and budgets to execute effective security programs and operations
- Provide leadership, training and guidance to team members by building and maintaining a top performing team
- Produce security white papers and marketing content, as needed, to help customers understand the security program and practices in place
- 10+ years of related security experience
- Prior experience as CSO, VP of Security, or Director of Security
- Domain expertise in finance and lending
- Extensive knowledge of various security standards (e.g., ISO 27001, Trust Services Principles, NIST SP 800-53r4, OWASP Top 10, SANS Top 20) and associated laws, rules and regulations
- Experience instantiating, managing, and creating information security programs--including creating security policies, processes, controls, and programs
- Ability to identify, assess, mitigate, and monitor threats and risks
- Extensive knowledge of the various security requirements at the federal, state and local level in the privacy and security areas within the United States (note: down the road we will be establishing a more global footprint)
- Extensive knowledge of all layers of the technology stack--network, systems, database, application, code, infrastructure-as-a-service providers--and how to secure each of these layers
- Experience using log-based alerting, vulnerability scanning, and other key security technologies
- Knowledge of various encryption techniques and their proper utilization
- Interpersonal communication skills for training and working with others
- Past experience hiring, training, developing, and leading members of the security team
- Experience interacting directly with customers or partners to help instill and maintain customer trust in the security program
- Experience managing ongoing security assessments and programs such as SOC2, PCI, and ISO 27001
- Demonstrates excellent oral and written communication skills with the ability to communicate to a technical and non-technical audience including senior management
- Experience with building and leading highly motivated and engaged teams
- Demonstrates ability to establish relationships and build rapport to influence colleagues at all levels, uncover issues, and identify needs
- Bachelor's degree in related technology field (Information Technology, Information Systems, Computer Science, or another technical field)
- Certification(s) in the information security areas such as the CISSP (Certified Information Systems Security Specialist) preferred but not required