Community Bankshares Inc
Director, Information Security & Information Security Officer (Information Technology)
Serve as the primary tactical leader responsible for executing the information security strategy and direction as defined by the CISO.
Act as the Information Security Officer (ISO) for the bank, ensuring regulatory and industry-standard compliance (FFIEC, GLBA, NIST, ISO 27001, PCI-DSS).
Help develop and maintain an information security program that aligns with the company's business objectives and risk appetite.
Collaborate with senior leadership, IT teams, risk management, compliance, and business unit leaders to integrate security into all business processes.
Provide regular updates to the IT Steering Committee and Risk Committee on cybersecurity risks, threats, incidents, and compliance.
Oversee security operations (SecOps), vulnerability management, and incident response to detect, investigate, and mitigate cyber threats.
Establish and enforce security policies, procedures, and controls to minimize security risks.
Conduct regular risk assessments, third-party security reviews, and security gap analyses.
Lead the threat intelligence and monitoring program, ensuring timely detection and response to security incidents.
Manage and mature the Identity & Access Management (IAM) program, ensuring role-based access controls and least-privilege principles are applied.
Drive compliance with all federal and state regulations, including FFIEC, GLBA, SOC 2, and NIST CSF.
Partner with Compliance, Legal, and Risk teams to prepare for audits, regulatory exams, and risk assessments.
Lead cybersecurity awareness training programs to ensure employees understand their role in protecting sensitive data.
Maintain security documentation, including policies, risk registers, incident response plans, and business continuity plans.
Serve as a key resource for major cybersecurity events, leading investigation, mitigation, and recovery efforts.
Oversee the Disaster Recovery (DR) and Business Continuity Planning (BCP) programs to ensure resilience against cyberattacks and system failures.
Conduct tabletop exercises and penetration tests to evaluate incident response preparedness.
Work closely with IT leadership to evaluate and implement security technologies, including SIEM, EDR, MFA, and next-gen firewalls.
Ensure secure cloud adoption and best practices in hybrid cloud environments.
Lead data protection initiatives, including encryption, DLP (Data Loss Prevention), and secure software development practices.
Confidently embody the values of CBT.
Represent Community Bankshares Inc and/or its subsidiaries in the community and at community events as appropriate.
Perform all other duties as assigned.
Required Skills/Abilities:
Strong understanding of FFIEC guidelines, GLBA, NIST CSF, ISO 27001, and SOC 2 requirements.
Hands-on experience with security technologies such as SIEM, EDR, firewalls, IAM solutions, and vulnerability management tools.
Proven ability to manage security incidents and conduct root cause analysis.
Strong project management and leadership skills to execute security initiatives across multiple business units.
Excellent communication skills, with the ability to present security risks and strategies to executives as well as bank-wide staff.
Education and Experience:
Bachelor's degree in a related field preferred.
7 years of experience in cybersecurity, information security, or IT risk management within a financial services or banking environment.
Five (5) years' experience in information security operations.
CISSP, CISM, CRISC, or CISA certification strongly preferred.
Experience leading cybersecurity programs in a financial institution.
Hands-on experience with cloud security in Azure, AWS, or Google Cloud.
Knowledge of zero trust security models and identity governance frameworks.
Physical Demands and Work Environment:
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this position. Reasonable accommodations may be made to enable individuals with disabilities to perform the functions.
While performing the duties of this position, the employee is regularly required to talk or hear. The noise level in the work environment is usually moderate. Specific vision abilities required by this position include close vision, distance vision, color vision, peripheral vision, and the ability to adjust focus. The employee frequently is required to use hands or fingers, handle, or feel objects, tools, or controls. The employee is occasionally required to stand; walk; sit; reach with hands and arms; climb or balance; and stoop, kneel, crouch, or crawl. The employee must occasionally lift and/or move up to 25 pounds. Onsite work environments are climate controlled.
Note:
We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity or expression, pregnancy, age, national origin, disability status, genetic information, protected veteran status, or any other characteristic protected by law.
This job description is not designed to cover or contain a comprehensive list of activities, duties, or responsibilities that are required of the employee. They may change, or new ones may be assigned at any time with or without notice. Employees will be required to follow any other job-related instructions and to perform any other job-related duties requested by any person authorized to give instructions or assignments. All duties and responsibilities are essential functions and requirements and are subject to possible modification to reasonably accommodate individuals with disabilities. To perform this job successfully, the incumbents will possess the skills, aptitudes, and abilities to perform each duty proficiently. Some requirements may exclude individuals who pose a direct threat or significant risk to the health or safety of themselves or others. The requirements listed in this document are the minimum levels of knowledge, skills, or abilities. This document does not create an employment contract, implied or otherwise, other than an "at-will" relationship.