Chief Information Security Officer
Listed on 2026-02-16
IT/Tech
Cybersecurity, Information Security, IT Consultant, IT Project Manager
Job Summary
The Chief Information Security Officer (CISO) is responsible for developing, implementing, and governing the Bank’s enterprise-wide Information Security Program consistent with Interagency Guidelines Establishing Information Security Standards (GLBA §501(b)), FFIEC IT Examination Handbooks, and the NIST Cybersecurity Framework 2.0 to protect sensitive financial data, customer information, and technological infrastructure. This leader ensures cybersecurity risk is identified, measured, mitigated, monitored, and reported in a manner consistent with safety and soundness expectations.
This role focuses on risk management, regulatory compliance (e.g., GLBA, FFIEC, CSF), and maintaining client trust. The CISO manages the Bank Security team, is responsible for the oversight of security operations and monitors the use of the Bank’s network/hardware/software/security systems to ensure compliance with Bank Policy and federal regulations. The CISO also manages the Bank’s physical security for all locations.
The CISO also chairs the Computer Security Incident Response Team (CSIRT) and is responsible for managing the incident response in the event of a security breach at the Bank.
This role requires a strong, effective, collaborative and hands‑on leader with deep expertise in banking technology to support a growing and rapidly modernizing bank; a proven track record in information security across on‑prem, cloud and third‑party infrastructure; a strong understanding of risk management and regulatory compliance; and a passion for leveraging technology to build a secure, resilient technology platform that enables best‑in‑class banking service.
This role will partner closely with technology, operational and business leadership to realize strategic ambitions in line with F&M’s culture.
- Support the Chief Risk Officer in ensuring a strong, resilient, and adaptable second line of defense (2LOD), as it relates to information security, to meet the changing requirements in banking.
- Embrace the role of a technology risk officer.
- Ensure the Bank complies with federal and state regulations including but not limited to GLBA, HIPAA, PCI‑DSS, CCPA, NIST, and FFIEC guidelines.
- Evolve, maintain, and communicate a clear information security vision and program to minimize risk, ensuring integrity, confidentiality, and availability of data.
- Ensure annual Board reporting, policy review/approval, and governance consistent with GLBA.
- Evolve, maintain, and enforce the Information Security Program, policies, procedures, and standards.
- Evolve, maintain, and enforce the Physical Security Program, policies, and procedures.
- Maintain measurable security metrics/KRIs and present high‑quality dashboards that support decision‑making by executives and the Board.
- Align program maturity and reporting to NIST CSF 2.0 outcomes.
- Manage and be responsible for control testing in accordance with ERM standards and ensure compliance with network, hardware, and software security standards.
- Manage and be responsible for the GLBA and other information security risk assessments in accordance with ERM standards.
- Identify, evaluate, and prioritize security risks across the Bank, and implement and manage a framework to mitigate these risks.
- Lead security operations, threat detection, continuous monitoring, digital forensics, and incident response.
- Conduct periodic simulations and tabletop exercises; maintain regulator‑ready playbooks.
- Govern vulnerability management and penetration testing, ensuring timely risk‑based remediation.
- Lead the CSIRT to detect, contain, investigate, and recover from cyberattacks.
- Define enterprise security architecture incorporating zero trust, cloud security models, network segmentation, encryption baselines, identity governance, and telemetry.
- Oversee design and integration of security requirements into technology development, acquisition, and maintenance (DA&M).
- Partner with Technology leadership to shape resilient, scalable architectures that meet regulatory expectations while…