The AVP of Information Security is part of the organization's Enterprise Risk Management team and contributes to the enterprise-wide information security program to ensure that information assets are adequately protected. This role will help lead our organization's security initiatives and protect sensitive information assets by overseeing the development, implementation, and management of our information security program, ensuring compliance with industry regulations and best practices. You will collaborate with all levels of leadership and cross-functional teams to assess risks, enhance security measures, and respond to incidents effectively. This position is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the organization. Position requires sound knowledge of business management and a working knowledge of information security practices, technologies, and control frameworks. Serves a vital role in assurance activities related to the availability, integrity and confidentiality of member, business partner, employee and business information in compliance with information security policies and standards. The AVP of Information Security must be highly knowledgeable about the business environment, possess the ability to successfully work with stakeholders to identify safe ways to empower business objectives, and ensure that information systems are maintained in a functional and secure manner.

Essential Responsibilities

• Monitors essential processes to ensure compliance with policies, standards, practices and guidelines. Assists with information security compliance with applicable laws and regulations, regulatory requirements and policies and procedures, including but not limited to NCUA-748, GLBA, FACTA, Anti-Money Laundering laws and regulations, Bank Secrecy Act and USA PATRIOT Act (I.e., general banking industry regulatory requirements).

• Capitalizes upon technical knowledge and executive presence in owning business relationships with executive and other leadership stakeholders in order to drive enhancements to the organizations security posture in line with broader strategic objectives. 

• Manage and execute the information security risk assessment process, including the reporting and oversight of treatment efforts to address findings.

• Supports the IS program and other stakeholders in the management and oversight of Payment Cardholder Information Data Security Standards (PCI-DSS) compliance program, including identification of controls and validation and oversight of gap remediation. Supports successful audits of PCI program.

• Support, in collaboration with IT department, the program for penetration testing, vulnerability assessments, social engineering testing, and other testing on applications, systems, and infrastructure to ensure appropriate protection of sensitive member and company information; performs risk analysis and recommends remediation for deficiencies. Supports testing outputs and evolves reporting processes with the intent of improving the organizations view of information security risks.

• Supports and/or manages Information Security risk management activities within the Risk Management division, including information security risk assessment, vendor reviews, life cycle management reviews, verification of asset inventories, third-party risk, and manages the remediation of identified gaps and issues.

• Actively supports, in collaboration with IT and Training departments, the bank-wide/departmental information security training program. Maintains current knowledge of evolving information security risks, particularly cyber security, new and evolving trends with mitigation tools and changes to security regulations affecting financial institutions.

• Develop and support information and access management initiatives (Data classification, segmentation, access schemes, enforcement of policy, etc.) 

• Builds and matures a culture focused on the proactive awareness and improvement of the security and risk environment. Supports information security and risk management awareness training programs for all employees, contractors and approved system users.

• May support and/or perform the evaluation of internal control maturity against best practices and frameworks like NIST-CSF, PCI-DSS, ISO-27000 series, and other applicable information security frameworks.

• Support the development, implementation, monitoring, and maintenance of information security policies, procedures, standards, and guidelines by reviewing for adequacy. This role will actively maintain and produce policies, procedures, and standards documents. 

• Provides reporting and measurements of program effectiveness and provides analysis to senior management. Will seek to evolve reporting and assessment practices and standards to effectively communicate information security posture and risk factors.

• Support the management of and response to security incidents and events to protect corporate assets, including intellectual property, regulated data and reputation. May serve as an active participant and subject matter expert in regard to testing and live incidents.

• Monitor the external and internal threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action. This task may also involve opening tickets, writing summaries, and working with internal stakeholders to mitigate risks.

• Coordinate the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.

• Conducts user access reviews and other monitoring aspects of identity and access management.

• Manage miscellaneous documentation, requests processing, training (new hire, employee awareness), and other projects as assigned.

• Participates in regular team meetings, one-on-one meetings, as well as other department-level meetings with vendors and key stakeholders as needed.

• Supports, produces, and maintains tracking metrics and reporting on information security risks, topics, and other related activity in conjunction with operational needs.   

• Prepares, communicates, and or delivers metrics-based information and presentations to both leadership and other areas of the organization as needed. 

• Maintains knowledge of industry trends, best practices, contemporary industry methodologies, and other related information.  Serves as an SME to the organization at large.

• Supports the strategic growth and operational evolution of the Department. May conduct formal/informal operational analysis, works with the broader security/risk team and leadership, and seeks continuous improvement in alignment with strategic plans.

• Ensures and promotes the highest level of integrity within the scope of department operations, to include adherence to company policy, established laws, and regulatory guidelines.

• Consciously creates a workplace culture that is consistent with the overall organizations and that emphasizes the identified mission, vision, guiding principles, and values of the organization.

• Supports and drives information security initiatives and projects throughout the organization. Requires basic project management skills, the ability to prioritize tasks, and work closely with stakeholders.  

• Supports other Risk Management department programs and initiatives as needed. May serve on project teams, committees, and provide SME and advice to key stakeholders.

• Manages and supports creation of new processes that help the organization facilitate information security related tasks sets, review processes, and operational efficiency.

• Will be inquisitive, use effective interviewing skills and discovery techniques, in order to identify information security risks, determine mitigating efforts, and support business stakeholders in executing work efforts in a safe and secure manner. 

• Will train/cross-train with other information security team members to eliminate single points of operational failure and to promote a holistic information security program. 

General Departmental and Administrative Duties (10% of time)

• Supports the strategic agenda of Enterprise Risk management initiatives as well as the overall mission within the organization.

• Assists with the implementation and administration of risk management programs. 

• Prepares reporting, dashboards, and scorecards as necessary to communicate key performance indicators related to Enterprise Risk.

• Tracks corrective action related to Enterprise Risk and other matters as assigned.

• Assists with completion of a variety of risk assessments, including managing and tracking requested information, distributing reports, and obtaining responses from management.

• Assists with completion of a variety of third-party reviews, including audits, examinations, and independent testing including managing and tracking requested information, distributing reports, and obtaining responses from management.

• Completes general administrative tasks such as time tracking and SAP entry, processing vendor invoices, general employee related tasks and functions, participation in company sponsored events and initiatives, etc.

• Gives presentations regarding managed verticals or other relative information.

Education Level:  Bachelor's Degree (required)   AND    Post-Graduate Degree (preferred)

Years of Relevant Work Experience:   5 to 10 years

Certifications, Licenses, Registrations 

•   Certified Information Systems Security Professional (CISSP) - Preferred

•   Certified Information Security Manger (CISM) - Preferred            

•   Certified Information Systems Auditor (CISA) - Preferred

•   Similar Credential is desired (CompTia, CEH, etc.)  - Preferred     

Other Training, Technical Skills, or Knowledge

•   Financial Services – Strongly preferred                 

•   Information Security/Cyber Security  (5 – 10 years) - Required    

•   Degree in Computer Sciences, Business Administration or a technology-related field, and/or equivalent work or education related experience - Required

•   Information Security program management experience (Holistic view) - Required  

•   Moderate to Advanced Skills with MS-Excel, MS-Word, and MS-PowerPoint - Required

•   Leadership experience and executive presence - Preferred

•   Must show evidence of strong communication skills, ability lead and drive work efforts, and self-starter - Required

•   Strong propensity for action and ownership of role (Lead from your seat / Must demonstrate accomplishments)          - Required

•   Prior experience supporting an active and effective control environment (I.e., audit, risk assessments, program maturity frameworks, etc.) - Required

•   Must be proficient at writing, maintaining, and creating program documentation, such as policies, procedures, and standards. (Role requires technical writing skills) - Required

•   Working knowledge of Enterprise Risk Management principles/frameworks (I.e., COSO, 3-Lines, Layered Security, etc.)  - Preferred

Abilities and Behaviors:

• In depth knowledge of information security frameworks, standards and guidelines, including NIST, FFIEC, and NCUA regulations and guidelines.

• Must be able to manage multiple priorities effectively

• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.

• Proven track record and experience in assessing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.

• Poise and ability to act calmly and competently in high-pressure, high-stress situations.

• Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.

• Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.

• High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.

• High degree of initiative, dependability and ability to work with little supervision.

• Must not be a “box checker,” but must thrive in taking an active role in ownership.

• Critical thinking skills, sound judgement, and ability to build trust with stakeholders.

• Must possess effective writing skills and the ability to deliver presentations.

• Excellent organizational skills, business acumen, and report/business writing skills

• Mature demeanor with the ability to effectively self-manage.

• Must possess appropriate level of technical skills, executive presence, ability to assess the control environment, while driving towards tangible results. 

• Ability to focus on delivery and achievement of strategic priorities.

Performance Standards: 

• Meet SLA’s relating to production standards & deadlines

• Ability to support Risk Management projects & initiatives

• Meet and abide by PFCU & Disney leadership standards and overall standards & conduct requirements

• Knowledge and understanding of relevant legal and regulatory requirements (NCUA 748, GLBA, Guidelines for Safeguarding Member Information, Payment Card Industry/Data Security Standard, etc.).

• Support and abide by related regulations and guidelines

Discretion / Latitude:   

Requires critical thinking skills, sound judgement.  There is a broader responsibility to the Risk Management department and overall Enterprise Risk initiatives. 

Business / Work Environment:  

Hybrid role requiring ability to effectively work-from-home with regular/occasional in-person meetings and work related obligation within a typical office environment with use of standard office equipment and tools. 

The hiring range for this position is $140,000 to $160,000 per year. The base pay actually offered will take into account internal equity and also may vary depending on the candidate’s geographic region, job-related knowledge, skills, and experience among other factors. Select benefits may be provided as part of the compensation package, such as medical, financial, and/or other benefits. To learn more about our benefits visit: https://jobs.disneycareers.com/benefits