The Chief Information Security Officer is responsible for managing Bank-wide information security programs and policies, compliance and governance that protect the security, privacy, confidentiality and integrity of corporate data and functions as well as that of the Bank’s employees and external customers, vendors, agencies, etc. This position develops long term strategies and ensures the Bank stays current with best practices and standards, recommendations from regulators, and customer needs.
ESSENTIAL DUTIES AND RESPONSIBILITIES
These are the most significant job duties performed. The size, scope and complexity of assigned duties and responsibilities are dependent on the level and experience of the incumbent. To perform this job successfully, an individual must be able to perform each assigned essential duty satisfactorily. Other responsibilities or special projects not specifically mentioned may also be assigned.
- Facilitates an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
- Provides regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Leads the information security function across the company to ensure consistent and high-quality information security management in support of business goals.
- Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
- Develops, implements and monitors a strategic, comprehensive information security program, policies, standards and guidelines to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization.
- Work effectively with business units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
- Creates the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
- Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
- Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
- Oversees technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
- Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action.
- Develops and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter.
- Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas.
- Facilitates and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.
- Continuously assesses overall security programs against industry best practices, identifying and implementing corrective actions as needed.
- Monitors compliance with all security programs, policies, standards and guidelines.
- Creates and manages a targeted information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences.
- Understands and interacts with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
- Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
- Leads the security champion program to mobilize employees in all locations.
- Understands and complies with all Bank policies and procedures, and federal and state laws and regulations pertinent to this position; stays informed and shares updates on changes with management. Required to successfully complete all required Compliance training.
- Continuously supports the Bank’s Mission Statement and Core Values.
This position has direct supervisory responsibilities and carries out these responsibilities in accordance with the organization's policies and applicable laws. Responsibilities include interviewing, hiring, and training employees; planning, assigning, and directing work; appraising performance; rewarding and disciplining employees; addressing complaints, coaching for performance and resolving problems.
The requirements listed below are representative of the knowledge, skill, and/or ability required to perform this job successfully. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Education and Work Experience
Bachelor’s Degree in Computer Science, Information Management or related field and 12+ years’ progressive experience in all aspects of information technology and information security including development and implementation of information security policies, processes and procedures and management of an information security team, preferably in financial services; or equivalent combination of education and experience.
Certificates and Licenses
A CISSP, CISM, CISA or equivalent is required. Additional infrastructure certifications are a plus.
Job –Specific Knowledge
• Business Analysis – demonstrated experience with identifying trends and tracking key deliverables and risks such as: costs associated with proposed changes to programs and systems; and effectiveness of programs year-over-year in improving overall performance and achieving desired business results.
• Information Technology – In addition to above, strong understanding of security threats and the design, processes, and operation of a comprehensive security control environment.
• Operational/Regulations Processes - Knowledge on budget administration, resources allocation, organization’s policies, regulations, objectives, and initiatives according to the job’s responsibilities. Ability to establish, conduct and track (audit) operational processes properly, and implement changes. Specific knowledge of Sarbanes-Oxley and Data Privacy laws and regulations. Experience driving and executing compliance assessments for regulatory requirements such as FFIEC, GLBA, and SOX.
To perform the job successfully, an individual should demonstrate the following competencies.
• Proficient in industry accepted Information Security frameworks, especially those related to financial services. (E.g. NIST, CIS, PCI-DSS).
• Understands and is familiar with the most widely known and emerging tools, technologies and social applications.
- Thorough knowledge of software applications applicable to position/business unit.
• Strong fluency with Windows applications and Microsoft Office programs such as MS Project, Word, Excel and PowerPoint.
- Identifies opportunities to increase accuracy and optimize resources and develops / recommends / implements solutions.
• Develops insightful, value-added and actionable analyses with detailed explanations regarding drivers of those results.
• Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists.
Time Management Skills
• Focuses on getting things done and with a high on-time project delivery record.
• Prioritizes regular workload, special tasks and concurrent projects, allocating time and resources to ensure that work is completed accurately and efficiently within established time frame.
- Strategic leader and builder of both vision and bridges; able to energize the appropriate teams in the organization.
- A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital.
- Effective organizational, leadership and presentation skills utilizing a variety of interpersonal styles and communication methods.
- Strong business focus with demonstrated ability to act in partnership with management teams.
- Establishes and maintains effective, collaborative work relationships both internally and externally.
- Performs with high level of initiative exhibiting persistence and willingness to stimulate new ideas within the organization; known for working as an organizational change agent.
- Acts as both a visionary and strategist and is skilled in practical implementation of solutions. Takes calculated risks, makes strategic, results-oriented decisions, and accepts responsibility for the results (positive or negative).
- Poise and ability to act calmly and competently in high-pressure, high-stress situations.
- Must be a critical thinker, with strong problem-solving skills.
- Proven leadership and collaboration skills with the ability to effectively supervise, coach and influence employees.
PHYSICAL DEMANDS & WORK ENVIRONMENT
- The physical demands and work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
- While performing the duties of this Job, the employee is regularly required to use hands to finger, handle, or feel; and to talk or hear.
- The employee is frequently required to sit.
- Office / cubicle work space with moderate noise level.
- Stress levels are usually high due to job scope & demands.
Hours of Work
- Normal business hours with overtime as needed.
- Extended hours which may include nights and weekends.
- Local travel between offices required occasionally with some out of town travel required on occasion to other major offices (Michigan, Ohio, Washington DC and Maryland.
MB Financial is an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race, color, sex, age, national origin, religion, sexual orientation, gender identity, status as a veteran, and basis of disability or any other federal, state or local protected class.
As a part of the MB Financial hiring process all applicants will be required to submit to and pass a pre-employment urine drug screening.