Information Security Manager

The Information Security Manager is responsible for protecting the organization’s information assets, managing cybersecurity risk, and ensuring compliance with regulatory and internal security requirements. This role leads the design, implementation, and operation of the information security program, working closely with IT, Compliance, Risk, and Business teams to balance security, usability, and business enablement.

JOB RESPONSIBILITIES/MAIN FUNCTIONS

Information Security Program Leadership

• Own and maintain the enterprise information security program, including policies, standards, procedures, and security controls.
• Define and enforce security governance aligned with regulatory, legal, and business requirements.
• Translate cybersecurity risks into clear business impact and remediation priorities for senior leadership.
• Maintain security documentation and evidence required for audits and regulatory examinations.

Cybersecurity Risk Management

• Identify, assess, and manage information security risks across infrastructure, applications, data, users, and third‑party vendors.
• Oversee vulnerability management, security monitoring, and threat detection activities.
• Lead incident response efforts, including investigation, containment, remediation, and post‑incident reviews.
• Track and report on risk trends, security metrics, and remediation progress.

Infrastructure & Platform Security Oversight

• Define and maintain security requirements for networks, servers, cloud platforms, endpoints, and identity systems.
• Partner with infrastructure and application teams to ensure secure architecture, configuration, and change management.
• Ensure appropriate segregation of duties between security, operations, and development functions.
• Review and approve security‑related changes that could impact confidentiality, integrity, or availability.

Identity, Access & Data Protection

• Oversee identity and access management controls, including user provisioning, privileged access, and periodic access reviews.
• Ensure data protection controls are implemented for sensitive and regulated information.
• Enforce security requirements for authentication, authorization, encryption, and logging.

Compliance, Audit & Regulatory Support

• Act as the primary security contact for internal audits, external audits, and regulatory inquiries.
• Coordinate security assessments, penetration testing, and control reviews.
• Support compliance initiatives across cybersecurity, data privacy, and technology risk.
• Ensure findings are tracked, remediated, and closed in a timely and sustainable manner.

Awareness, Training & Advisory

• Lead security awareness and training initiatives for employees and contractors.
• Advise business and technology teams on secure design, emerging threats, and control expectations.
• Participate in governance forums and provide security input into new initiatives and technology changes.

JOB REQUIREMENTS (EDUCATION, EXPERIENCE, SKILLS, AND CAPABILITIES)

• Bachelor’s degree in Information Security, Computer Science, Information Technology, or equivalent experience.
• Demonstrated experience managing an information security program in a regulated or enterprise environment.
• Strong understanding of cybersecurity controls, identity and access management, incident response, and risk management.
• Experience supporting audits and regulatory reviews.
• Ability to communicate security risk clearly to both technical and non‑technical audiences.
• Risk‑based decision making.
• Strong governance and documentation discipline.
• Clear, executive‑level communication.
• Calm, decisive leadership during security incidents.
• Collaborative, advisory mindset.

Preferred Qualifications

• Industry certifications such as CISSP, CISM, CISA, or similar.
• Experience in financial services or other highly regulated industries.
• Familiarity with security frameworks (e.g., NIST, ISO, SOC‑aligned controls).

Reporting & Collaboration

• Reports to: Chief Technology Officer
• Works closely with: IT Operations, Infrastructure, Application Teams, Compliance, Risk, Legal, and External Vendors.