Capital Bank MD

SVP, Chief Information Security Officer

Capital Bank MD, Rockville, Maryland, us, 20849


About Us

Capital Bank N.A. is headquartered in Maryland and has been serving our communities since 1999. We stand as a publicly traded company (NASDAQ: CBNK) with over $2 billion in assets. We offer commercial and consumer banking services to clients in Maryland, DC, and Northern Virginia, alongside two nationwide lending brands: Capital Bank Home Loans and OpenSky, a credit card division that offers and services credit cards across all states. Our personalized approach to banking, paired with cutting-edge technology solutions and a comprehensive suite of products and services, fuels our growth and enables us to support our customers at every stage in their financial journey.

Come join a bank where our employees thrive and are engaged in meaningful work. For the last 4 out of 5 years, Capital Bank was named one of the "Best Banks to Work For" in the U.S. by American Banker.

Position Purpose

The Chief Information Security Officer ("CISO") leads the Bank's Corporate Information Security, Cybersecurity/Information Security Risk, GLBA Compliance, Business Continuity, Incident Response, and all related information security monitoring Programs. The CISO, reporting to the Chief Information Officer (CIO), has ultimate accountability and authority for protecting the Bank's information assets and will provide innovative leadership and guidance to Executive Management and the Board of Directors for planning, developing, directing, and operating a safe and sound information security and privacy program that supports the confidentiality, integrity, availability, and recovery of all of the Bank's information assets in accordance with all applicable laws, rules, and regulations. The CISO will serve as a voting member of management's Information Technology Steering Committee. This is both a hands-on and strategic role that will assist the Bank in effectively managing and mitigating cyber, information security, operational, privacy, resiliency, and related risks. While directly reporting to the CIO, the role will have a dotted line to the CRO.

Position Responsibilities

In collaboration with the CIO and the Board Risk Committee, develops Board-approved risk appetite statements, frameworks, tolerances, and thresholds for all areas of responsibility that are commensurate with the size, complexity, and inherent risk of the Bank.
Develops and enhances Bank governance, including programs, standards, policies, and procedures, to address and mitigate cyber, information security, operational, and resiliency risk consistent with the Board-approved risk appetite statements, and makes appropriate updates/recommendations when necessary.
Manages and reports on the state of the Bank's Cyber, Information Security, Operational, and Resiliency Risk to Executive Management and the Board of Directors.
Promotes a strong risk culture, characterized by risk awareness and accountability, in which Cyber, Information Security, Operational, and Resiliency Risk are managed to achieve an appropriate balance between risk and return to optimize shareholder value.
Responsible for implementing, managing, and enforcing Information Security directives as promulgated by FFIEC, GLBA, PCI, IT SOX, and other applicable regulatory bodies.
Responsible for identifying the Cyber, Information Security, Operational, and Resiliency Risk of the Bank's existing and new Third-Party Vendors, and supports the Third-Party Risk Program by reviewing applicable vendor documents including but not limited to BCP/DR plans, cybersecurity policies, incident response plans, information security policies, SOC reports, etc.
Ensures all end user controls are designed effectively to appropriately manage the risk of third-party vendors accessing, storing, transmitting, or viewing bank confidential or customer non-public personal information.
Partners with business stakeholders across the company to ensure business requirements for Cyber, Information Security, Operational, and Resiliency risk are addressed through relevant bank governance and strategic plans.
Ensures the consistent application of relevant bank governance, including risk policies and standards, risk appetite, and risk tolerances, across all technology projects, systems, and services through oversight processes.
Develops and manages the Bank's internal social engineering campaigns, evaluates the results to identify social engineering risks, conducts virtual remedial training in light of the campaign results, and reports the results to Executive Management and the Board of Directors.
Promotes and reinforces a strong risk management culture by developing, maintaining, and delivering Cyber, Information Security, and Resiliency Risk training and materials periodically to all stakeholders across the Bank.
Develops the annual Cyber, Information Security, and Resiliency Risk Management Strategic Plans to support the Bank's Information Technology and Corporate Strategic Plans.
Subscribes to threat notification, new regulation, and information sharing networks, such as FS-ISAC, to stay current on regulatory changes and new threats, and develops risk mitigation plans to address these, including performing periodic updates to these strategic plans when necessary.
Responsible for managing all aspects of the information security monitoring program, including all aspects of internal monitoring as well as interfacing with third-party security providers.
Responsible for overseeing the Bank's quarterly user access reviews and ensuring that appropriate updates are made based on the completed reviews.
Oversees updates to the Bank's Cyber Assessment Tool ("CAT") not less than annually, ensures the Bank is meeting the Board's risk appetite for each domain, and reports to Executive Management and the Board on the status of the program.
Has the authority to declare a security incident in accordance with the Bank's Incident Response Plan, and leads the Bank's incident response activities, when applicable, to contain and investigate all incidents.
Partners with the CRO whenever an incident is declared to assist the Chief Risk Officer in required regulatory notifications, if applicable. Ensures the CIO is kept informed of any potential and/or declared incidents.
Partners with the Bank's CIO and CRO to provide relevant guidance and counsel regarding all cyber, information security, operational, and resiliency related matters.
Identifies relevant key risk indicators and key performance indicators that will measure, monitor, and report on the relevant Cyber, Information Security, Operational, and Resiliency Risks to the Bank.
In collaboration with the SVP, Head of Enterprise Risk, leads the Cyber, Information Security, and Resiliency Risk Assessment Programs and ensures all assessments are completed no less than annually or whenever material changes warrant.
In collaboration with the 3LoD, SVP, Head of Internal Audit, ensures the Cyber, Information Security, and Resiliency audit scopes are evolving with the Bank's growth and that all audit scopes are accurate and complete.
Delivers timely, accurate, and complete annual reports for BCP, CAT, GLBA, PCI, and other regulatory related annual reporting.
Hires, develops, and retains a strong information security team, ensuring career development, performance management, and recognition as appropriate.
Acts as a role model for the Bank's Core Values.

Minimum Education and Experience

15+ years of experience in regulated financial institutions, with at least 7 years in an information security or cybersecurity leadership role at a $5 billion+ asset-sized bank.
Prior experience as a CISO required.
Certified Information Systems Security Professional (CISSP) required.
Other relevant security industry certifications, including but not limited to CISA, CISM, CRISC, CCSP, PCI-QSA, etc., are a bonus.
Bachelor's degree in a relevant field or equivalent work experience.
Regulatory examination experience required; OCC experience preferred.
Ability to appropriately scale areas of leadership to the growth trajectory of the Bank.
Demonstrated organization, facilitation, written and oral communication, and presentation skills.
Highly developed relationship management, negotiation, and leadership skills, and experience working with and presenting to leaders at all levels, including Senior Executives, Managers, Auditors, Regulators, the Board of Directors, and related committees.
Strong interpersonal skills and excellent oral and written communication skills.

Technical Knowledge and Skills

Expert knowledge and experience in federal information security laws, rules, and regulations, including but not limited to FDIC, FFIEC, GLBA, IT SOX, NIST, OCC, PCI, and all other applicable regulations.
Expert knowledge and experience in state information security laws, including but not limited to the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and all other applicable state regulations.
Expert knowledge of cyber, information security, operational, and resiliency governance, including programs, policies, standards, procedures, and internal controls calibrated to the Board's risk appetite.
Strong knowledge of application and operating system hardening, vulnerability assessments, security audits, intrusion detection/prevention systems, firewall configurations, etc.
Strong knowledge of all applicable Bank Regulatory Compliance Regulations and FFIEC requirements.
Strong knowledge of IT and Security Risk Frameworks and Risk Assessments.
Proficiency in the Microsoft Office software suite (Word, Excel, Outlook, SharePoint, etc.).

Supporting Businesses. Helping People. Strengthening Communities.

Capital Bank, N.A. is an Affirmative Action, E-Verify, and Equal Opportunity Employer.