CardWorks

Vice President, IT Risk Management

CardWorks United States

Virginia Salese

AVP Talent Acquisition Partner -…

The VP, IT Risk Management will build an IT Risk Management capability to help manage towards a formal risk appetite, satisfy our internal and external audit requirements, and meet regulatory requirements such as SOX, PCI, etc. The selected candidate will be responsible for the development and implementation of an IT Risk Framework that aids IT Architecture, Software Engineering, IT Operations, Data & Analytics, Product Development, and Information Security in managing IT risk. This includes the monitoring and continuous improvement of the company’s IT systems that provide support for our lending, merchant, and servicing businesses, ensuring they protect the Bank’s and customer data and computer systems from business disruption, data/identity compromise, cyber fraud, and regulatory criticism.


This is a key leadership role requiring excellent working relationships across IT development and infrastructure teams, partnering with business unit leaders to enable secure facilitation of supporting technologies, and helping the overall organization meet its business goals and regulatory obligations. This role will also assist with our governance around maintaining an effective IT Enterprise Architecture.



Essential Functions:

Key responsibilities include:

  • Develops and implements the CardWorks IT Risk Framework with plans to enable cost effective and resilient business services architecture, technology infrastructure, and applications through appropriate controls.
  • Leads, supervises, and works with staff to support risk goals while developing leadership skills and mentoring management staff.
  • Partners with IT teams, audit, business operations, ERM, and product teams to educate, align, and/or risk adverse controls with internal (on-prem), vendor-based, and public cloud-based infrastructures to reduce threat vectors, ensure data privacy protection controls, minimize incident response times, and enhance security detection parameters.
  • Partners with sales, account management and information security teams to facilitate risk and audit transparency with partners and customers, ensuring the market is equipped to trust the company as their service provider and partner.
  • Incorporates experienced audit and compliance control knowledge across multiple regulatory frameworks and industry practices.
  • Achieves and sustains compliance success in coordination with information security teams, IT operations, and business units across multiple regulatory, external, internal, and client information security and data privacy audits.
  • Stays current on industry developments to identify emerging technologies, risks, and trends to ensure our systems keep pace with security technology, techniques for improving system resiliency, and overall risk landscape evolution.
  • Demonstrates technical knowledge and skills to administer an overall risk strategy and achieve transparency with business units, executive management, and the Board.
  • Performs other duties as assigned.



The VP, IT Risk is also responsible for counseling, supporting, and assisting leaders within information security and IT functions as needed:


  • Security Monitoring & Response
  • Security Risk & Program Management
  • General IT Infrastructure and Operations teams



Compliance with Laws & Regulations:


  • Responsible for complying with all of the Bank’s internal control policies and procedures.
  • Responsible for understanding and complying with all laws and regulations to which the Bank is subject.
  • Responsible for communicating problems in operations, noncompliance with the code of conduct, noncompliance with laws and regulations, policy violations, or illegal acts.


Education and Experience:

  • Bachelor’s degree in computer science or cybersecurity-related studies is required.
  • Ten (10) years’ experience developing robust IT solutions that meet data and code execution protection standards as specified by NIST standards.
  • Seven (7) years’ experience leading technical teams building robust IT solutions.
  • Five (5) years’ experience working in an executive or strategic leader/managerial role over technical teams is required.
  • Familiar with ITIL, NIST, CMMI, COSO, and COBIT frameworks.
  • CISSP certification; other GIAC, ISC2, or other recognized certifications are preferred.



Summary of Qualifications:

  • Familiarity with highly regulated industries, and specifically the banking industry (including FDIC regulations) is preferred.
  • Understanding of vulnerability management, security risk management, penetration testing, malware analysis and digital forensics, security engineering and toolset orchestration, web application security principles, and static and dynamic code scanning applications
  • Experience with, and knowledge of, modern security technologies (e.g. SIEM, EDR/EPP, AV, DLP, SaaS security architecture)
  • Experience and technical familiarity with the following data privacy and information security global compliance frameworks: GLBA, PCI-DSS, ISO 27001
  • Experience managing a team of direct and indirect reports in multiple geographic locations.
  • Positive, inquisitive, can-do attitude.
  • Outstanding troubleshooting and problem-solving skills.
  • A strong bias towards automation and innovative thinking
  • Demonstrated leadership skills, including strategic planning, and guiding a team to successful execution.
  • Demonstrated skills building cross-functional partnerships with teams to accomplish objectives, improve awareness and gain stakeholder buy-in
  • Demonstrated skills with security concepts, defense-in-depth strategies, security tools, and protocols.
  • “White hat” mentality, with a healthy sense of paranoia (security awareness and risk).
  • Excellent communication skills, both written and oral.
  • Ability to perform well under pressure, willingness to own results, and ability to deliver on commitments and deadlines.
  • Passion for learning, effective control environments, building fault-resilient software, teaching others how to design for continuous processing.

  • Seniority level: Executive
  • Employment type: Full-time
  • Job function: Information Technology and Strategy/Planning
  • Industries: Financial Services
