Information Security Leader (Durham)

Durham, NC, US


Description

The Information Security Leader is responsible for the strategic leadership, development, and execution of the credit union's Information Security and Cybersecurity programs. This role ensures compliance with regulatory requirements, including NCUA Part 748, and establishes robust security measures to protect the organization's assets and members' information and to strengthen its overall cybersecurity posture. The Information Security Leader will oversee both protective and reactive security measures, manage a team of security professionals, and drive the implementation of best practices in risk management, compliance, and incident response.


Essential Duties and Responsibilities:

  • Maintain and execute the credit union’s information security strategy, ensuring alignment with business objectives and regulatory requirements.
  • Oversee compliance with NCUA Part 748 and other applicable regulations, ensuring proper governance, risk management, and audit readiness.
  • Establish and maintain security policies, procedures, and standards in accordance with industry best practices (e.g., NIST, CIS Controls, FFIEC, GLBA, PCI DSS).
  • Lead security governance initiatives, including security awareness programs, training, and executive-level reporting.
  • Oversee the implementation and continuous improvement of CIS Controls to strengthen the organization's cybersecurity framework.
  • Implement and oversee a comprehensive cybersecurity risk management framework to assess, mitigate, and monitor risks.
  • Manage security architecture, ensuring effective implementation of firewalls, intrusion detection/prevention systems, endpoint security, and access controls.
  • Conduct regular security assessments, penetration testing, and vulnerability management programs to identify and remediate risks proactively.
  • Lead efforts to identify emerging threats, assess their impact, and develop mitigation strategies.
  • Manage and oversee both internal and third-party vulnerability assessments and penetration testing to evaluate security resilience.
  • Maintain the credit union's incident response program to ensure rapid and effective handling of security breaches, data leaks, and cyberattacks.
  • Lead the Information Security Team and Committee to coordinate and ensure responses to security incidents, including forensic investigations and root cause analysis.
  • Collaborate with IT and other departments to integrate security into the credit union's Business Continuity and Disaster Recovery Plans.
  • Oversee and mentor a team of information security professionals, ensuring ongoing development and performance management.
  • Develop and manage the information security budget, optimizing investments in security tools, resources, and initiatives.
  • Provide executive leadership with regular reports on security posture, threats, compliance status, and key risk indicators.
  • Collaborate with third-party vendors, auditors, and regulators to ensure security controls meet industry standards and compliance expectations.
  • Manage vendor relationships related to security assessments, vulnerability management, and penetration testing services.

Requirements

  • Bachelor’s degree in Information Security, Cybersecurity, Computer Science, or a related field.
  • 12-15 years of professional experience, with 8-10 years of direct Information Security and cybersecurity experience.
  • 5-7 years of experience managing teams and complex security environments, preferably in a financial institution.
  • Certified Information Systems Security Professional (CISSP) or another Information Security certification is a plus.
  • Deep understanding of information security frameworks, regulations, and compliance requirements specific to financial institutions.
  • Expertise in cybersecurity technologies, including SIEM, endpoint security, identity management, and cloud security.
  • Strong risk management and incident response skills with hands-on experience handling security breaches.
  • Experience in vulnerability management, penetration testing coordination, and CIS Controls oversight.
  • Ability to communicate effectively with executives, regulators, auditors, and technical teams.
  • Strategic thinker with the ability to balance security with business objectives.
  • Knowledge of defensive network security architecture and tools for securing the environment of a large financial institution.
  • Ability to lift at least 25 lbs. (file boxes, computer printer).
  • Occasional travel is required.
  • In-depth knowledge of industry frameworks such as NIST and ITIL and regulatory areas such as NCUA, FDIC, and PCI.


Physical requirements: Must be able to sit for extended periods of time, use the computer and telephone to complete work, and lift up to 30 pounds at times.


The above statements are intended to describe the general nature of work being performed by individuals assigned to this position. They are not intended to be an exhaustive list of all responsibilities, duties, knowledge, skills, and abilities required of individuals so classified.


Category: Leadership Jobs

Tags: CISSP, Cloud, Compliance, Computer Science, Endpoint security, FFIEC, Firewalls, Governance, Incident response, Intrusion detection, ITIL, NIST, Pentesting, Risk management, RMF, Security assessment, Security strategy, SIEM, Strategy, Vulnerability management

Perks/benefits: Career development Travel

Region: North America
Country: United States
