×
Apply for Jobs Apply for Jobs Post a Job Post a Job Local Jobs Home
Register Here to Apply for Jobs or Post Jobs. X
More jobs:
Cybersecurity Information Security

Deputy Chief Information Security Officer - Bank

Job in San Francisco, San Francisco County, California, 94199, USA
Listing for: Mercury
Full Time position
Listed on 2026-06-07
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 150000 - 200000 USD Yearly USD 150000.00 200000.00 YEAR
Job Description & How to Apply Below

Deputy Chief Information Security Officer - Bank

San Francisco, CA, New York, NY, Portland, OR, or Remote within United States

The role

You will be the operating second to the CISO and own the bank-entity scope of Mercury's 2

LOD Information Security program. You'll be the person who keeps the program examiner-ready by default: coherent policy architecture, evidenced controls, a credible gap-remediation track record, and a tested incident response program with documented exercise history. This is not a research or strategy role. It is a build-and-defend role. You will sit across the table from OCC examiners, FFIEC IT audit teams, our Chief Risk Officer, and the board's risk committee, and you will be expected to answer for every line in our policies and every status in our control inventory.

Mercury is a fintech company, not an FDIC-insured bank. Banking services provided through Choice Financial Group and Column N.A., Members FDIC.

What you'll own
  • Bank-entity 2

    LOD Info Sec program.     Governance, policy, risk, and oversight scoped to the chartered bank.
  • Examiner posture. OCC, FFIEC, FDIC and FRB examiner inquiries; ownership of the examiner-ready narrative; coordination of the evidence.
  • FFIEC control remediation. Lead remediation of identified FFIEC IT control deficiencies to charter readiness ahead of the OCC pre-opening examination.
  • Policy architecture. Carry the bank-scoped policy stack (Policy / Standard / Procedure), including ratification cycles, MRCC memos, and board approvals.
  • BC/DR. Partner with the Chief Risk Officer on bank continuity, resilience, and recovery, including tabletop exercises and full-scale drills.
  • Audit and assurance. Manage relationships with internal audit (3

    LOD) and external assessors (SOC 2, FFIEC CAT, regulator-led IT examinations).
  • Third-party risk. Ensure TPRM evidence holds up to bank-grade scrutiny for critical service providers and material outsourcing arrangements.
  • Team development. Coach and grow the GRC sub-team; run a recurring training cadence; build the bench depth a national bank requires.
What we need
  • 8+ years in Information Security
    , with 3+ years inside a regulated bank, trust bank, or de novo bank charter effort. Mercury is a startup chartering a national bank — this experience is non-negotiable.
  • Deep FFIEC and OCC fluency. You have deep working knowledge of the FFIEC CAT, the FFIEC IT Examination Handbook, BSA/AML IT supervisory expectations, and the OCC Heightened Standards.
  • Direct examiner-facing experience. You have defended a control to an OCC, FDIC, or Federal Reserve examiner. You know what good evidence looks like before it gets challenged.
  • Policy and standards craft. You can draft a board-ratifiable policy and the supporting standards stack that operationalizes intent, not just satisfies a checklist.
  • Operating discipline. You run cadences, write status that survives executive review, and maintain currency of controls, evidence, and risk registers.
  • 2

    LOD instinct.     You understand the three-lines-of-defense model and have served in the oversight role.
What we'd love
  • Prior Deputy CISO or equivalent senior 2

    LOD role at a national bank, trust bank, or large credit union.
  • Charter or de novo bank experience — if you've stood one up before, that is a meaningful advantage here.
  • Strong technical baseline, you don't need to be an engineer, but you should be able to challenge an architecture review and read an incident timeline credibly.
  • CISSP, CISM, or CRISC
What success looks like
  • At 30 days - You have developed working knowledge of Mercury’s FFIEC IT control inventory and roadmap, every in-flight policy draft, and met one-on-one with the GRC team. You can speak to the top ten risks in the bank-entity program by name.
  • At 90 days - You are running the weekly bank charter status cadence, leading examiner-readiness reviews, and personally accountable for at least three priority program tracks. The CISO is briefing the board and the MRCC with material you authored.
  • At one year - The charter timeline is on track. The bank-entity Information Security program sustains supervisory-grade standards as a standing posture. You are the executive other functions consult to determine whether…
To View & Apply for jobs on this site that accept applications from your location or country, tap the button below to make a Search.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
 
 
 
Search for further Jobs Here:
(Try combinations for better Results! Or enter less keywords for broader Results)
Location
Increase/decrease your Search Radius (miles)
0
200
Filters
Education Level
Experience Level (years)
Posted in last:
Salary
Advanced Search