Director, Information Security Risk

Irving, TX, United States


Hilltop Holdings is looking for an Information Security Risk Director. The Information Security Risk Director reports to the CISO and is responsible for day-to-day operations to support and augment the CISO’s overall responsibilities. This position is an advanced role supporting the entire cybersecurity program. The director is responsible for establishing and maintaining the company’s overall IT and security GRC program, as well as for developing and managing an enterprise-wide information GRC program. The role includes implementation and maintenance of policies, as well as a comprehensive controls framework. Responsibilities include the development of the HTH Cyber Risk Program, leveraging their strong technical background to thoroughly evaluate threats, risk mitigation strategies and technical controls to evaluate, assess impact and prioritize cyber risk related remediation. Furthermore, the director is responsible for identifying, evaluating and reporting on information security risks that are important for the business to be aware of and act accordingly. The director works in tandem with the security leadership team to mature the company’s security posture.

This individual provides leadership, executive support, strategic and tactical guidance, and supports the execution for a world-class cybersecurity program supporting enterprise security initiatives.

The Information Security Risk Director is expected to be skilled at effective communication and possess business acumen to align and work closely with business leaders. In addition to direct reports, this role must be capable of working closely with C-level leadership, third parties, audit committees and occasionally boards. Recruiting, career development and retention are top priorities, falling under the purview of this position. The candidate will require a technical background with the ability to comprehend technologies, their purpose, and their security requirements, and clearly articulate risks to the organization. The candidate’s technical background should encompass understanding of threats, risk mitigation and technical controls.

The Information Security Risk Director functions as a key member of the Information Security Governance Committee (ISGC), is a member of various committee workgroups and prepares and presents relevant information security program updates to subsidiary executives and staff. This position directly interacts with external regulatory agencies, internal audit, and supports various information technology and information security annual examinations and certifications.

  • In tandem with HTH risk management and Information Security leadership, direct and conduct ongoing risk analysis organization-wide to uphold the GRC program.
  • Lead a team dedicated to an ongoing cyber security maturation program, where areas of strength are amplified and areas needing improvement are documented.
  • Provide input into the Information Security strategy to influence investment and resource allocation.
  • Establish and maintain a strategy for managing security-related audits, compliance checks and external assessment processes for auditors, including but not limited to: Health Information Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Service Organization Controls (SOC) 2, California Consumer Privacy Act (CCPA), annual firm attestations/certifications and regulatory exams/assessments.
  • Oversee and ensure adequate protection of key information is maintained through data classification, data loss prevention (DLP) and enforcement of records retention requirements.
  • Provide GRC team leadership to create strong oversight with third parties, vendors and business partners.
  • Require the GRC team to confirm safeguards against risks identified with external entities.
  • Facilitate IT compliance of identified controls – for example, IT general controls (ITGCs), application, cloud and cybersecurity.
  • Act as a key point of contact when GRC team members identify risk to raise awareness with security management and business unit leads on a risk reduction plan.
  • Play a key role in the vendor risk assessment process and ensure all business units follow process requirements.
  • Partner with business units when onboarding solutions to ensure adequate controls are available and enabled in production.
  • Oversee findings brought forward through team analysis, requiring thorough documentation and recommendations to report to security leadership where gaps exist.
  • Engage in continuous professional development with team management, honing direction as well as strategic plans.
  • Maintain a high degree of knowledge of current and proposed security changes impacting regulatory, privacy and security industry best-practice guidance.
  • Effectively communicate knowledge of GRC controls across business units with a focus on, but not limited to, company practices, procedures, third-party integrations, product development and financials.
  • Influence and validate the metrics used to assess security program success and report them regularly to security and business leadership.
  • Apply enterprise risk management principles within security and technology teams to maintain up-to-date configuration documentation for systems and processes.
  • Lead a team to provide rigorous oversight of security systems and security configuration administration that reduces risk to enterprise systems and accounts.
  • Guide team members to align with security, audit and risk management leadership for ongoing security program assessments, as well as annual strategic technology and budgetary directives.
  • Liaise with auditors, both internal and external, to implement and maintain controls for compliance and privacy laws.
  • Provide leadership for disaster recovery and business continuity as they relate to security frameworks, compliance and privacy laws.
  • Coordinate with business units to adopt cybersecurity controls and security best practices to reduce the attack surface.
  • Bachelor's degree in computer science, information assurance, MIS or related field, or equivalent. Advanced degrees are not required, but an MBA or master’s degree in information assurance/technology is preferred.
  • 10+ years’ experience in cybersecurity in one or more roles, including security analyst, compliance and regulations, risk management or audit.
  • 10+ years of cybersecurity or information technology practitioner and management experience.
  • CISSP, CISM or CISA certification required.
  • Demonstrated leadership experience and thorough understanding of various regulatory requirements and laws such as, but not limited to, PCI, SOX, HIPAA and GLBA.
  • Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls.
  • Preferably at least two years’ experience in Amazon Web Services (AWS) and/or Microsoft Azure cloud computing security configuration and management.
  • Proven understanding of business focus and processes, and ability to inject cybersecurity into the business through teamwork and influence.
  • Strong team and organizational management skills, and a track record of delivering IT Risk projects under tight deadlines.
  • High level of integrity and trustworthiness, as well as confidence to represent the company and security leadership with the highest level of professionalism.
  • Capable of working with diverse teams and promoting a positive enterprise-wide security culture.
  • Demonstrated project management, multitasking and organizational skills.
  • Ability to obtain and preserve credibility with the team and external constituents through sustained industry knowledge.
  • Ability to motivate teammates to achieve excellence and willingly share knowledge.

The above statements are intended to describe the general nature and level of work being performed by individuals in, or assigned to, the above position and are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required and may be changed at the discretion of the Company.

Founded in 1998 and headquartered in Dallas, Texas, Hilltop Holdings offers a diverse range of financial services through its three primary subsidiaries, PlainsCapital Bank, PrimeLending, and HilltopSecurities. PlainsCapital Bank is a leading commercial bank with locations throughout Texas. PrimeLending is a national mortgage provider focused on purchase mortgage originations. HilltopSecurities provides financial advisory, clearing, retail brokerage, and other investment banking services. Hilltop Holdings seeks to build the premier Texas-based diversified financial services holding company through acquisitions and organic growth. To learn more, please visit www.hilltop-holdings.com.
