Threat Oversight Officer

If you are unable to complete this application due to a disability, contact this employer to ask for an accommodation or an alternative application process.

Regular Full-Time Information Security Eugene, OR, US

30+ days ago Requisition

Heritage Bank has an exciting opportunity to join our organization!

We are seeking a Threat Oversight Officer to join our Compliance team. The threat oversight officer critically reinforces the organization's second line of defense (2

LoD) framework, and is responsible for providing independent oversight, rigorous challenge, and governance of cybersecurity risk across the bank, while ensuring cybersecurity risks are identified, assessed, monitored, and reported, in alignment with the bank's risk appetite, regulatory obligations (GLBA, FFIEC, OCC/FDIC), and industry best practices.

The geographical location for this position is Tacoma, WA, Seattle, WA, Spokane, WA, Portland, OR, or Eugene, OR.

Base Salary Range:

$ - $ - $ annual

• Oversees and maintains the Cybersecurity Risk Management Framework, aligning to FFIEC, NIST CSF, and the bank’s Information and Cyber Security Program.
• Maintains and continuously updates cyber risk taxonomies, classification models, and impact assessment criteria.
• Independently reviews and challenges 1
  
  LoD cybersecurity risk assessments, control self‑assessments (CSAs), and remediation plans.
• Provides formal risk opinions on major technology initiatives, digital transformation efforts, and cloud or third‑party onboarding.
• Leads and/or supports thematic reviews of cybersecurity initiatives and emerging risk areas (e.g., zero trust architecture, multi‑factor authentication (MFA) implementation, and AI usage) to evaluate risk exposure, control effectiveness, and alignment with security standards.
• Develops and maintains cybersecurity risk metrics and key risk indicators (KRIs) to ensure alignment with the organization’s risk appetite.
• Prepares and delivers executive and board‑level risk reporting, highlighting trends, emerging threats, and control gaps.
• Leads and oversees the annual planning of security testing activities to ensure appropriate coverage of key systems and risks.
• Reviews and monitors risk acceptances, control exceptions, audit/regulatory findings, and enforces timely remediation of items. Ensures risk acceptance processes include clear compensating controls, expiration timelines, and documented approvals.
• Provides independent cyber risk oversight for third‑party vendors, especially those handling sensitive data or key infrastructure.
• Supports cybersecurity components of internal audits and regulatory examinations (e.g., FDIC, OCC, FFIEC).
• Leads and manages the Bank’s Threat Intelligence program and Information and Cyber Security Council.
• Maintains up‑to‑date understanding of evolving cybersecurity regulatory expectations.

• Bachelor’s degree in Information Security, Risk Management, Information Technology or related field required.
• 5+ years of recent and progressive knowledge and experience in a cybersecurity, IT risk management, or audit role within a financial services environment.
• Professional certifications as Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Microsoft Azure or equivalent preferred.
• Equivalent combination of education, training, certifications, and/or relevant work experience may be considered.
• Provide an exceptional level of service for internal and external customers, with the ability to build and maintain positive, professional relationships, to successfully interact with all levels of management and functional and cross‑functional areas across the organization.
• Excellent listening, verbal, written, and visual communication skills, with the ability to translate complex risk information into clear, actionable reporting and presentations for technical and non‑technical audiences. Ability to read, write, speak, and understand English well.
• Strategic…