Urgently hiring
Estimated Pay $85 per hour
Hours Full-time, Part-time
Location Rockville, Maryland

About this job

Description

Position Purpose

The Chief Information Security Officer ("CISO"), Business Continuity ("BCP"), and Privacy Officer leads the Bank's second line of defense ("2LoD") Business Continuity, Corporate Information Security, Cybersecurity/Information Security Risk, GLBA Compliance, Incident Response, Privacy, and all related information security monitoring Programs. While the CISO has ultimate accountability and authority for protecting the Bank's information assets, the CISO will work with our first line of defense ("1LoD") information technology and information security partners to ensure the Bank executes in accordance with the Board approved cybersecurity and information security risk appetites, tolerances, and governance. The CISO will provide innovative leadership and guidance to Executive Management and the Board of Directors for planning, developing, directing, and operating a safe and sound information security and privacy program that supports the confidentiality, integrity, availability, and recovery of all of the Bank's information assets in accordance with all applicable laws, rules, and regulations. The CISO will also lead the "credible challenge" to the 1LoD Information Technology and Information Security Programs, including by serving as a voting member of management's Information Technology Steering Committee. This is both a hands-on and strategic role that will assist the Bank in effectively managing and mitigating cyber, information security, operational, privacy, resiliency, and related risks.

Position Responsibilities

  • In collaboration with the Chief Risk Officer and the Board Risk Committee, develop Board approved risk appetite statements, frameworks, tolerances, and thresholds for all areas of responsibility that are commensurate with the size, complexity, and inherent risk of the Bank.
  • Develop and enhance Bank governance, including programs, standards, policies, and procedures, to address and mitigate cyber, information security, operational, privacy, and resiliency risk consistent with the Board approved risk appetite statements, and make appropriate updates/recommendations when necessary.
  • Manages and reports on the state of the Bank's Cyber, Information Security, Operational, Privacy, and Resiliency Risk to Executive Management and the Board of Directors.
  • Promotes a strong risk culture, characterized by risk awareness and accountability, in which Cyber, Information Security, Operational, Privacy, and Resiliency Risk are managed to achieve an appropriate balance between risk and return to optimize shareholder value.
  • Responsible for implementing, managing, and enforcing Information Security directives as promulgated by FFIEC, GLBA, PCI, IT SOX, and other applicable regulatory bodies.
  • Responsible for identifying the Cyber, Information Security, Operational, Privacy, and Resiliency Risk of the Bank's existing and new Third-Party Vendors, and supports the Third-Party Risk Program by reviewing applicable vendor documents including but not limited to BCP/DR plans, cybersecurity policies, incident response plans, information security policies, SOC reports, etc.
  • Ensures all end user controls are designed effectively to appropriately manage the risk of third-party vendors accessing, storing, transmitting, or viewing bank confidential or customer non-public personal information.
  • Partner with business stakeholders across the company to ensure business requirements for Cyber, Information Security, Operational, Privacy, and Resiliency risk are addressed through relevant bank governance and strategic plans.
  • Serves as both a credible challenge and a collaborative business partner to the 1LoD Information Security and Information Technology teams through open dialogue and participation in 1LoD governance committees and sub-working groups.
  • Ensures the consistent application of relevant bank governance, including risk policies and standards, risk appetite, and risk tolerances, across all technology projects, systems and services through 2LoD oversight.
  • In collaboration with the Chief Risk Officer, develops and manages the Bank's internal social engineering campaigns, evaluates the results to identify social engineering risks, conducts virtual remedial training in light of the campaign results, and reports the results to Executive Management and the Board of Directors.
  • Promotes and reinforces a strong risk management culture by developing, maintaining, and delivering Cyber, Information Security, Privacy, and Resiliency Risk training and materials periodically to all stakeholders across the Bank.
  • Develops the annual Cyber, Information Security, Privacy, and Resiliency Risk Management Strategic Plans to support the Bank's Information Technology and Corporate Strategic Plans.
  • Subscribes to threat notification, new regulation, and information sharing networks, such as FS-ISAC, to stay current on regulatory changes and new threats and develops risk mitigation plans to address them, including periodic updates to these strategic plans when necessary.
  • Responsible for managing all aspects of the 2LoD corporate information security monitoring program, including all aspects of internal monitoring managed by the Corporate Information Security Manager as well as interfacing with third party security providers.
  • Responsible for overseeing the Bank's quarterly user access reviews and ensures that the 1LoD information security team makes appropriate updates based on the completed reviews.
  • Oversees quarterly updates to the Bank's FFIEC Cybersecurity Assessment Tool ("CAT"), ensures the Bank is meeting the Board's risk appetite for each domain, and reports to Executive Management and the Board on the status of the program.
  • Has the sole authority to declare a security incident, and activates and leads the Bank's Incident Response Program, when applicable, to contain and investigate all incidents.
  • Partners with Chief Risk Officer whenever an incident is declared to assist the Chief Risk Officer in required regulatory notifications, if applicable.
  • Partners with the Bank's Chief Risk Officer and Chief Information Officer to provide relevant guidance and counsel regarding all cyber, information security, operational, privacy, and resiliency related matters.
  • In collaboration with the 1LoD, identify relevant key risk indicators and key performance indicators that will measure, monitor, and report on the relevant Cyber, Information Security, Operational, Privacy, and Resiliency Risks to the Bank.
  • In collaboration with the 2LoD, SVP, Head of Enterprise Risk, leads the Cyber, Information Security, Privacy, and Resiliency Risk Assessment Programs and ensures all assessments are completed no less than annually or whenever material changes warrant.
  • In collaboration with the 3LoD, SVP, Head of Internal Audit, ensures the Cyber, Information Security, Privacy, and Resiliency audit scopes are evolving with the bank's growth and that all audit scopes are accurate and complete.
  • Delivers timely, accurate, and complete annual reports for BCP, CAT, GLBA, ID Theft/Red Flags, PCI, and other regulatory related annual reporting.
  • Directly manages the 2LoD corporate information security team including career development, performance management, and recognition.
  • Act as a role model for the Bank's Core Values.

Minimum Education and Experience

  • 15+ years of experience in regulated financial institutions, with at least 7 years in a second line of defense information security or cybersecurity leadership role at a $5 billion+ asset sized bank.
  • Prior experience as a CISO required.
  • Certified Information Systems Security Professional (CISSP) required.
  • Other relevant security industry certifications including but not limited to CISA, CISM, CRISC, CCSP, PCI-QSA, etc. a bonus.
  • Bachelor's degree in relevant field or equivalent work experience.
  • Regulatory Examination experience required; OCC experience preferred.
  • Ability to appropriately scale areas of leadership to the growth trajectory of the bank.
  • Demonstrated organization, facilitation, written and oral communication, and presentation skills.
  • Highly developed relationship management, negotiation and leadership skills and experience working with and presenting to leaders at all levels including Senior Executives, Managers, Auditors, Regulators, Board of Directors and related committees.
  • Strong interpersonal skills and excellent oral and written communication skills.

Technical Knowledge and Skills

  • Expert knowledge and experience in federal information security laws, rules, and regulations, including but not limited to FDIC, FFIEC, GLBA, IT SOX, NIST, OCC, PCI and all other applicable regulations.
  • Expert knowledge and experience in state information security and privacy laws, including but not limited to the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and all other applicable state regulations.
  • Expert knowledge of cyber, information security, operational, privacy, and resiliency governance, including programs, policies, standards, procedures, and internal controls calibrated to the Board's risk appetite.
  • Strong knowledge of application and operating system hardening, vulnerability assessments, security audits, intrusion detection/prevention systems, firewall configurations, etc.
  • Strong knowledge of all applicable Bank Regulatory Compliance Regulations and FFIEC requirements.
  • Strong knowledge of IT and Security Risk Frameworks and Risk Assessments.
  • Proficiency in the Microsoft Office software suite (Word, Excel, Outlook, SharePoint, etc.).

Capital Bank, N.A. is an Affirmative Action and Equal Opportunity Employer
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities

The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)

Posting ID: 904671623 Posted: 2024-04-26 Job Title: Chief Information Security Business