The SVP, Chief Security Officer is accountable for the COMPANY’s entire security posture, both physical and digital. The executive leads a team of executives across multiple areas including information security, privacy, physical security, internal investigations, and business continuation. This executive provides leadership, vision, and strategic direction for the effective identification, development, management, and assessment of security initiatives and standards which are aligned with COMPANY’s strategic priorities and business objectives. This executive directs the coordination of security efforts across the Enterprise partnering with Information Technology, Human Resources, Corporate Communications, Legal, Facilities management and other groups.
- Leads the design and implementation of COMPANY’s security strategy, taking into account COMPANY’s business strategy and complex regulations and supervisory expectations, including how they apply in a matrixed commercial environment.
- Role models COMPANY’s mission, core values, culture and desired behaviors – including a sound risk culture.
- Develops talent in the security team to deliver performance and results – including the identification, development and retention of talent with requisite physical and digital security capabilities.
- Drives operations of the security team, including its core business processes and technologies.
- Holds self and others accountable for meeting commitments by setting and clearly communicating expectations and roles and responsibilities relative to the security function.
Technical and Risk Responsibilities
- Identifies and manages existing and emerging risks that stem from business activities and the job role.
- Ensures risks associated with business activities are effectively identified, measured, monitored, and controlled.
- Follows written risk and compliance policies and procedures for business activities.
- Owns strategy development by driving processes to understand both the nature and the probability of catastrophic and significant security risk events, and ensures continuity of business operations during any security-related attack or catastrophic event.
- Accountable for operating within established enterprise security policies and guidelines, and for acting in accordance with applicable laws, regulations, and supervisory guidance (including those related to consumer protection), which includes ensuring policy exceptions are promptly and effectively assessed and escalated.
- Responsible for protecting the information, system, financial and physical assets of the enterprise (cash, facilities, and equipment) along with mitigating potential risks involved in the loss of intangibles (reputation), intellectual property, and trade secrets.
- Accountable for oversight of cyber security operations.
- Clearly communicates security strategy, risks, costs, and related impact to the highest levels of the organization and the Board of Directors and its operating committees.
- Drives information gathering and risk assessment at COMPANY, including the development of scenarios covering a wide range of security-related events that could adversely affect the security and safety of personnel or the profitability or reputation of the organization.
- Owns incident prevention and coordinates both inside and outside the organization to forestall and prevent attacks and catastrophic events.
- Monitors the probability of any security-related incidents and develops appropriate preventive strategies consistent with sound business judgment and internal controls.
- Drives the organization's ability to prevent and prepare for adverse events (e.g. an attack, catastrophic event, or other significant security incident) through awareness; through the development and administration of training plans, methodologies, and exercises; by infusing contemporary security programs and processes throughout the organization; and by defining and supporting the development and maintenance of the enterprise security architecture.
- Leads regular periodic review and evaluation of organizational readiness for an attack or other significant security event.
- Assesses, on an ongoing basis, material risks and uses such risk assessments as the basis for fulfilling operational and regulatory responsibilities.
- Identifies, assesses, measures, monitors, and controls material risks consistent with the risk appetite and risk tolerance, including the development, adherence, monitoring, reporting on risk limits and risk limit utilization in the security department.
- Develops, maintains, tests and monitors the internal control environment, including information systems and preventative and detective controls, to effectively manage material risks while serving as the first line of defense.
- Identifies and understands the nature of security risks in the business environment and the application of appropriate financial and managerial controls to mitigate those risks.
- Drives coordination efforts within the organization to restore critical systems and provide the facilities the organization needs to function in the event of an attack or catastrophe.
- Ensures adequate medical, financial, and emotional support assistance is provided to employees, customers, and others involved in a catastrophic event or an attack on the organization.
- Coordinates with local, state, federal, and international government agencies as required.
Interacts with or participates in enterprise governance committees, such as:
- Enterprise Business Continuation Committee
- Enterprise Compliance and Operational Risk Committee
- Information Technology and Information Security Committee
- Shared Services New Activities Approval Committee
- Bank Specific Third-Party Governance Committee
- Enterprise Third-Party Risk Committee
- Risk Council
Qualifications
- Bachelor’s degree (e.g. information security, cyber security, MIS, business administration) is required.
- Advanced degree such as MBA or MS is preferred.
- A minimum of 15 years of experience in a technical discipline (e.g. cyber security operations, business operations) with a proven track record of leading comparable operations and programs (e.g. information security and privacy, physical security, loss prevention, and business continuation) and of engaging executive-level stakeholders is required.
- A minimum of 10 years of people leadership experience in building, managing and/or developing high-performing teams is required.
- A minimum of 10 years of relevant experience in a large financial institution ($100 billion+), including 5+ years post-Dodd-Frank, in a senior staff role within an operations / IT function or in a security function leading cyber security, cybercrime, and physical security is preferred.
Demonstrated understanding of the full spectrum of regulatory actions, including examinations and other supervisory engagement and processes, such as:
- Regulatory requirements impacting the organization’s risk management framework, governance, standards, capabilities and risk strategy across all lines of business
- OCC, Federal Reserve, and FFIEC expectations
*Regulatory understanding is listed for illustrative purposes. The role requires an understanding of all federal and state laws and regulatory guidance applicable to the organization and to the responsibilities of the role.
Industry certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) are preferred.
Note: The above statements are intended to describe the general nature and level of work being performed by employees in this position. They are not intended to be an exhaustive list of all duties, responsibilities and qualifications of employees assigned this job.