Information Security Officer

Summary / Objective

Shaw Systems is a leading national software provider serving the consumer lending and financial services industry. We are seeking an Information Security Officer with the potential to grow into a CISO to lead the protection of corporate and client information assets and drive a secure, scalable technology environment.

This role owns enterprise security strategy, operations, compliance, and risk management while enabling secure adoption of AI, cloud, and automation platforms. The ISO serves as Shaw's primary authority on information security, partnering across business, technology, and client teams to strengthen security posture and support growth.

Organizational Scope

• Direct Reports: Service Operations Manager, Senior Security Engineers, Security/InfoSec Analysts
• Team Size: ~8 FTEs + contractors + SOC partner
• Enterprise Reach: Full client portfolio (financial services focus)
• Cross-Functional Influence: AI Committee; DevOps, Cloud, Implementation

Responsibilities

1. Security Strategy & Program Leadership

• Define and mature enterprise information security strategy, policies, and standards
• Own and evolve Shaw's Information Security Program and SOC 2 Type II compliance
• Serve as primary security representative for clients, auditors, and executives
• Lead risk identification, mitigation, and enterprise security roadmap
• Oversee access controls, third-party risk, and security readiness exercises (DR, incident tabletop)
• Present security posture, risks, and compliance status to leadership and external stakeholders
• Hold named accountability for security representations in client agreements (including MSAs and processing agreements); present security posture and risk to clients, prospects, auditors, and executive forums as required

2. Security Operations (SecOps)

• Oversee 24/7 SOC operations (via partner) and incident response lifecycle
• Manage threat detection, monitoring, vulnerability management, and remediation
• Lead response to authentication threats, phishing, and unauthorized access events
• Maintain and enhance security tooling across the stack, including Microsoft Defender, FortiClient VPN, Arctic Wolf MDR, Keeper, KnowBe4, PAM solutions, and data protection technologies (e.g., DLP)
• Ensure endpoint, identity, and infrastructure security across cloud and on-prem environments
• Drive network, cloud, and infrastructure hardening initiatives

3. AI Governance & Security Architecture

• Lead enterprise AI security strategy and rollout (Copilot, LLMs, AI tools)
• Design and enforce AI governance framework (usage policies, data protection, access controls)
• Architect secure AI/LLM environments (mitigating data leakage, prompt injection, etc.)
• Own Microsoft Purview strategy (DLP, labeling, information protection)
• Represent AI security posture to clients, auditors, and leadership
• Manage strategic vendor relationships, including Microsoft, Anthropic, Arctic Wolf, Fortinet, Keeper, and other security and AI partners, ensuring enterprise value and risk alignment

4. Service Operations Oversight

• Provide leadership oversight to Service Operations (infrastructure, endpoints, support)
• Ensure reliability, patching, identity governance, and cloud operations (M365/Azure)
• Drive SLA performance, operational efficiency, and automation initiatives
• Ensure operational rigor through established tooling and cadences, including patch management (e.g., WSUS), endpoint monitoring, and environment audits

5. Compliance, Risk & Audit

• Co-own SOC 2 Type II audit lifecycle and evidence management
• Maintain enterprise risk register and mitigation tracking
• Lead client/vendor security assessments and regulatory readiness
• Ensure alignment with frameworks (ISO 27001, NIST, FFIEC, GLBA, SOX)
• Ensure third-party vendor due diligence, security requirements, and contractual obligations are aligned with Shaw's Information Security Program and documented appropriately
• Monitor regulatory developments (including AI and privacy laws)
• Own security representations in client agreements and audit responses
• Provide security review, guidance, and approval on security-related representations in client, regulatory, and third-party engagements, in partnership with executive leadership, Legal, and Compliance

6. Leadership & Culture

• Lead, mentor, and develop InfoSec and Service Ops teams
• Manage vendors, contractors, and partner performance
• Promote enterprise-wide security awareness and training programs
• Partner with HR on hiring, workforce planning, and organizational design

7. Strategic & Cross-Functional Collaboration

• Advise executive leadership on security and AI risk strategy
• Partner with DevOps, Cloud, and Implementation teams on secure design practices
• Support business development (security questionnaires, client discussions)
• Translate technical risk into business impact for diverse stakeholders

Requirements

Education

• Bachelor's or Master's degree in Computer Science, Engineering, or related field

Experience & Expertise

• 10+ years in information security leadership
• 5+ years securing cloud environments (Azure preferred, AWS acceptable)
• Strong experience with SOC 2, ISO 27001, NIST, OWASP, FFIEC, GLBA, SOX
• Deep technical background across DevOps, infrastructure, and security tooling
• Expertise in network security, IAM, DLP, SIEM, and vulnerability management
• Experience with Microsoft security stack (Defender, Purview, Intune, Entra ID, Azure)
• Demonstrated experience with AI platforms and governance (e.g., Copilot, LLMs)
• Financial services or lending industry experience preferred

Certifications

• CISSP (required)
• CCSP (required)
• ISSAP (preferred)

Leadership Competencies

• Strategic security leadership and business alignment
• AI governance and emerging technology risk management
• Operational execution and compliance discipline
• Strong communication, stakeholder influence, and executive presence
• Analytical problem-solving and results orientation
• Vendor and partner management expertise

Performance Expectations (First 12 Months)

• SOC 2 Type II audit completed with no material findings
• Enterprise AI governance framework fully implemented
• Microsoft Purview DLP and labeling deployed enterprise-wide
• Mature security operations cadence with measurable SLAs
• Updated BCP/DR program tested
• Improved phishing awareness and security training outcomes

Supervisory Responsibility

• Leads a team of internal, contractor, and external partners supporting security operations and enterprise infrastructure.

Location

• Hybrid: Within 75 miles of Houston, TX
• Remote (eligible states): TX, VA, FL, GA, ID, LA, MI, MN, NJ, NC, PA, UT
• Travel: 10-25% as needed

Work Environment

• Full-time, Monday-Friday; standard business hours with occasional after-hours support as needed.