Chief Information Security Officer


Position Summary

This is a senior-level position for the Information Security Department and establishes and maintains the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.


The Information Security Officer (“ISO”) is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution. He/she is responsible for implementing an information security program satisfying the Interagency Guidelines Establishing Information Security Standards (Information Security Standards), which were issued pursuant to the Gramm-Leach-Bliley Act (GLBA). The ISO is an enterprise-wide risk manager and not a production resource devoted to IT operations, networking, or programming functions. The ISO reports to the Vice President of Audit and ERM; however, he/she provides periodic reporting to the bank’s IT Steering Committee and works closely with the Chief Information Officer.


The ISO is accountable to plan, implement, coordinate, and maintain the bank’s overall information security and cybersecurity programs. The ISO is the “champion” of information security for FGB and works closely with management. He/she weighs business needs against security concerns, finds the right solution to support the business, and articulates any issues to management.


Essential Duties and Responsibilities


Governance, Strategy, and Oversight

1. Implement the information security program and objectives, as approved by the Board of Directors, including strategies to monitor and address current and emerging risks.

2. Oversee development, accuracy, and compliance with corporate security policies, standards, and procedures.

3. Work with senior management and the Board of Directors to ensure information security protection policies are being updated, implemented, reviewed, maintained, and governed effectively.

4. Report significant security events to the Board, IT Steering Committee, government agencies, and law enforcement, as appropriate.

5. Provide periodic reporting to the Board of Directors regarding the status of the information security program, including those items required by the FFIEC guidelines.

6. Develop quarterly metrics for the IT Steering Committee and the Board of Directors.

7. Lead incident response efforts to contain, investigate, and prevent security breaches.

8. Develop timely responses and action plans to address findings from internal and external audits.

9. Provide updates to senior management and the Board on cyber risk trends.

10. Assist in collecting documentation from IT and business departments in preparation for regulatory exams and annual external audits.

11. Review new programs, systems, and processes for security exposure.

12. Test systems on a regular basis for security preparation and readiness.

13. Other duties and responsibilities as assigned.


Risk Identification & Monitoring

14. Perform comprehensive IT risk identification, which includes identification of cybersecurity risks as well as gathering of details during information security risk assessments required under GLBA guidelines.

15. Identify cybersecurity risks and evaluate the bank’s cybersecurity preparedness.

16. Maintain and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments.

17. Review existing systems and develop and maintain ongoing comprehensive written information security risk assessments.

18. Monitor for emerging risks and implement mitigations.

19. Ensure proper design and implementation of the corporate SIEM, IDS/IPS, and other monitoring systems.

20. Review monthly network vulnerability assessments, interpret the results, validate potential exposures, and provide a periodic written assessment.

21. Perform analysis of logs from several systems to identify unexpected or malicious activity.

22. Monitor security audit and intrusion detection system logs for system and network anomalies.

23. Track the status of known information security exposures, and work with IT and business departments to facilitate remediation of those exposures.


Education & Awareness

24. Inform the Board and management of information security and cybersecurity risks and the role of staff members in protecting information.

25. Lead information security awareness and training initiatives to educate staff members about information risks.

26. Participate in industry collaborative efforts to monitor, share, and discuss emerging security threats.



27. Provide input and guidance for the planning, research, and design of IT security architectures and data classifications.

28. Partner with IT management to develop and maintain security requirements for local area networks (LANs), wide area networks (WANs), virtual private networks (VPNs), routers, firewalls, and related network devices.

29. Work with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.

30. Engage with management in the lines of business to understand new initiatives, provide information on inherent information security risk, and ensure appropriate consideration of risks involved with new products, emerging technologies, and information systems.

31. Provide guidance on security protocols, data encryption standards, firewall configurations, daily maintenance of security tools, updating of antivirus/malware monitoring tools, detection of and response to security alerts, and other information security measures.

32. Ensure patch management is completed accurately and in a timely manner.

33. Ensure that the access control, disaster recovery and business continuity controls, incident response, and risk management needs of the organization are properly addressed.

34. Assist on all audit and examination initiatives and track IT remediation activities related to independent vulnerability testing, risk analyses, security assessments, and exam mitigation/controls in conjunction with Internal Audit and Risk Management.



35. Certify deployments as compliant with procedure and policy.

36. Adhere to the BSA policy and all other bank policies.

37. Other duties and responsibilities may be assigned by supervisors.


Minimum Qualifications (Education, Experience, Skills)


· The incumbent is required to maintain the integrity of bank customer information and protect Information Technology assets.

· Requires experience working with IP networking, networking protocols including DNS and electronic mail, and a thorough understanding of security-related technologies including encryption, VPNs, firewalls, proxy services, and access lists.

· Bachelor’s degree in Computer Science, Cybersecurity, or a related technical field. Other degrees with requisite information technology and/or information security experience will be considered.

· A Master’s degree with a concentration in IT security is preferred.

· 7 – 12 years working in IT and security, preferably in the banking or financial services industries.

· 5+ years managing security operations/teams.

· Certifications preferred:

  o CISM (Certified Information Security Manager)

  o CISSP (Certified Information Systems Security Professional)


Physical Demands and Work Environment


The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this position. Reasonable accommodations may be made to enable individuals with disabilities to perform the functions.


While performing the duties of this position, the employee is regularly required to talk and hear. The employee frequently is required to use hands or fingers, handle, or feel objects, tools or controls. The employee is occasionally required to stand; walk; sit; reach with hands and arms; climb or balance; and stoop, kneel, crouch, or crawl.


The employee must occasionally lift and/or move up to 25 pounds. Specific vision abilities required by this position include close vision, distance vision, color vision, peripheral vision, and the ability to adjust focus.


The noise level in the work environment is usually moderate.


This job description in no way states or implies that these are the only duties to be performed by the employee(s) incumbent in this position. Employees will be required to follow any other job-related instructions and to perform any other job-related duties requested by any person authorized to give instructions or assignments.


All duties and responsibilities are essential functions and requirements and are subject to possible modification to reasonably accommodate individuals with disabilities. To perform this job successfully, the incumbents will possess the skills, aptitudes, and abilities to perform each duty proficiently. Some requirements may exclude individuals who pose a direct threat or significant risk to the health or safety of themselves or others. The requirements listed in this document are the minimum levels of knowledge, skills, or abilities.


This document does not create an employment contract, implied or otherwise, other than an “at will” relationship.


FIRST GUARANTY BANK is an EEO employer - M/F/Vets/Disabled