Chief Information Security Officer (CISO)

Chief Information Security Officer (CISO) Organization: Nymbus Location: Fully remote; occasional travel may be required for client meetings and team gatherings. Description: About the job ABOUT NYMBUS: Nymbus is a modern fintech company delivering technology solutions to banks and credit unions. We operate in a highly regulated environment and partner closely with financial institutions to power modern core transformations and broader outsourced digital banking brand solutions. As we continue to scale, we are seeking a strong, decisive Chief Information Security Officer (CISO) to lead and evolve our enterprise security program with confidence and an ability to articulate strong positioning. A strong candidate for this role would avoid passive decisioning and would lead with knowledge and expertise when articulating decisions surrounding our overall security posture. WORK ENVIRONMENT: Nymbus is a remote‑first organization. This position is fully remote; however, occasional travel may be required for client meetings or designated team gatherings. POSITION SUMMARY: This is a strategic and operational executive leadership role. We are looking for a CISO who brings deep banking regulatory expertise (NIST, FFIEC, PCI, SOC) and can proactively assess and continue to enhance a security program in a fast‑moving fintech environment supporting banking services for regulated financial institutions. This role requires someone who: Understands regulated financial services environments. Has a strong skillset for pivoting to address any security gaps identified, influencing and leading any remediation needed. Forms independent, informed perspectives on risk. Moves initiatives forward without heavy executive oversight. Partners effectively with technology, product, and operations leaders. Balances innovation velocity with sound risk management. Is comfortable operating in a company leaning into AI in banking. Drives timely remediation of identified risks through disciplined follow‑through and executive accountability. This is not a policy‑only oversight role. We need a strategic builder, operator, and leader. ESSENTIAL JOB FUNCTIONS/RESPONSIBILITIES Security Strategy & Program Maturity Own and continuously mature the enterprise Information Security Program. Align controls and architecture with NIST CSF, NIST 800‑53, FFIEC guidance, PCI DSS, and SOC requirements. Conduct proactive program assessments and identify security gaps before they become issues, working cross‑functionally to execute upon risk mitigation objectives. Develop and execute a multi‑year security roadmap aligned to business growth and regulatory expectations. Present clear, risk‑based recommendations to executive leadership and the Board. Operational Execution Translate strategy into measurable execution plans with defined milestones. Drive remediation of audit, regulatory, and penetration testing findings. Ensure strong incident response, vulnerability management, and change management and development programs. Implement metrics that demonstrate real risk reduction and program effectiveness. Deliver results. Security Team Leadership & Operational Oversight Lead and develop a high‑performing Information Security team. Provide clear direction, prioritization, and performance accountability across detection engineering, vulnerability management, application security, and security architecture functions. Oversee operation and optimization of core security tooling, budget, and contract renewal management, including SIEM/XDR platforms (e.g., Wazuh), vulnerability management (e.g., Tenable), application security testing (e.g., Veracode), and related monitoring and detection systems. Ensure security diagrams, architecture artifacts, and workflow documentation accurately reflect implemented controls and are audit‑ready. Establish measurable performance objectives and operational KPIs for the security team in collaboration with teams responsible for execution (MTTR, vulnerability remediation SLAs, detection coverage, control validation, etc.). Drive automation and continuous improvement across monitoring, alert triage, vulnerability remediation, and DevSecOps integration. Build a culture of ownership, urgency, and technical depth cross‑functionally associated with the program. Maintain sufficient hands‑on familiarity with security tooling and architecture to effectively challenge assumptions, validate control effectiveness, and provide technical direction when needed. Assist in the management of Nymbus' risk log with the ability to identify, manage, and make security risk recommendations. Technology & Product Partnership Develop a deep understanding of our platform, cloud architecture (AWS/GCP), integrations, and AI initiatives. Partner with the CTO, engineering, product, NOC, and operations leaders. Ensure strong embedded security controls into SDLC, DevOps, and cloud‑native development practices. Enable secure innovation rather than slow it down. Regulatory & Client Engagement Serve as the subject matter expert in banking security and regulatory expectations. Lead SOC/PCI audit readiness and regulatory exam preparedness. Engage confidently with regulators, auditors, and bank and credit union clients and prospects. AI Governance & Emerging Risk Establish governance frameworks for secure and responsible AI usage. Assess model risk, data protection, and security implications of AI‑driven products. Stay ahead of evolving regulatory expectations in AI and fintech. Qualifications: QUALIFICATIONS: 10+ years of progressive experience in information security leadership. Significant experience in banking, financial services, or regulated fintech. Deep knowledge of: NIST CSF & NIST 800‑53, FFIEC guidance, PCI DSS, SOC audits. Experience leading cloud‑first security programs (AWS and/or GCP). Demonstrated ability to independently assess risk and make defensible decisions. Strong executive communication and cross‑functional leadership skills. Experience operating in high‑growth or fast‑changing environments. Preferred certifications: CISSP, CISM, CRISC or equivalent. WHAT SUCCESS LOOKS LIKE Within the first ninety days, the CISO will: Deliver a clear assessment of current security maturity and risk posture. Execute against agreed remediation priorities on time. Establish strong partnerships across engineering, product, and operations. Build executive confidence through decisive, informed risk leadership. Position security as a strategic enabler of innovation. Compensation: SALARY & BENEFITS: Annual Cash Bonus and Equity Options commensurate with the role level and experience. Fully Remote. 401(k) plan. Insurance – Health, Dental and Vision. Time Off. We know how to fine‑tune corporate security because we've led effective and efficient Fortune 500‑level security programs. The SEC helps businesses find the best balance of risk mitigation, cost and innovation. #J-18808-Ljbffr