Chief Information Security Officer (CISO)

Chief Information Security Officer (CISO)

We're hiring a Chief Information Security Officer (CISO) to own and elevate our security program at FloatMe. We are looking for someone who can help us as we scale through bank partnerships, pursue SOC2 compliance, and maintain the highest security for our users. As our CISO, you'll be both a strategic leader and a hands-on practitioner. This role isn't a purely executive seat — we need someone who can sit in a compliance review one hour and be configuring security tooling the next. You'll own our security roadmap, our compliance certifications, our partner security reviews, and the day-to-day technical operations that keep our members' data safe. We're a small, nimble team, which means this role requires the flexibility to switch gears between tactical execution and strategic planning. This role reports to our SVP, Engineering. If you're excited to join a fast-moving fintech where you can build something meaningful, we'd love to hear from you!

What You'll Do

• Serve as the primary security point of contact for our bank and fintech partners, completing security questionnaires, third-party risk assessments, and due diligence requests.
• Steer the architecture of our Cloud, Device, and Network infrastructure with a mind for security-first designs and plans.
• Set the direction for a small number of our staff regarding our infrastructure design, security, integrations and partnerships, and more (IT, Data, and Security).
• Own our SOC 2 Type II program end-to-end, including scoping, control design, evidence collection, and auditor management.
• Maintain and strengthen our compliance posture across GLBA, PCI DSS, and other applicable financial services regulatory frameworks.
• Manage and improve our core security infrastructure: SIEM, EDR, WAF, IAM, secrets management, and vulnerability scanning tools.
• Conduct or manage regular penetration testing and vulnerability assessments, and drive remediation to closure.
• Lead incident response efforts — including hands-on triage, containment, forensics, post-incident review, and breach notification processes.
• Build and run security awareness training and phishing simulations across the company.
• Review and negotiate security requirements in partner and vendor contracts.
• Partner cross-functionally with Product, Engineering, Finance, and Legal to embed security into everything we build.
• Develop and maintain our multi-year security roadmap and report security posture and risk to executive leadership.

Who You Are

• A driver and an "owner", not a passenger - You make the plans for your area of ownership, you seek the buy-in you need, you propose the alternatives, you drive projects to completion, even if it means you do a big percentage of the work yourself. You will have support, but you will be getting "in the mud" with the rest of us.
• A hands-on and self-driven security leader — You're as comfortable writing a detection rule in your SIEM as you are presenting risk to the board. You don't plan to delegate everything, hands-on as much as you can, and you don't wait to be asked to own this space, you actually and truly must "own it" completely.
• A compliance expert — You have deep, practical experience leading SOC 2 audits and navigating financial services frameworks like GLBA and PCI DSS. You know what auditors actually look for.
• A skilled communicator — You can translate complex technical risk into plain language for bank partners, executives, and non-technical teammates. You're a trusted voice in the room.
• A builder and operator — You're energized by building and improving things, not just inheriting them. You're comfortable owning both strategy and execution simultaneously.
• A collaborative team player — You work closely with engineering, product, and compliance without becoming a blocker. You protect the business without slowing it down.
• Passionate about fintech — You understand the unique security and compliance landscape of consumer financial products and are excited about what we're building.

Who You Are Not

• An auditor or "paper pusher" — We need you to not only help us decide what security posture we need, but you will need to help implement that posture yourself. We're a smaller but very effective team and really need this player to be very hands-on.
• A recreational player - We are looking for someone hungry, competitive, and an impact player who can truly "cover" this area of our company, making us all sleep easier at night knowing that you have our security and infrastructure posture well-covered.

Requirements

• 10+ years' of progressive experience in information security, with at least 2 years in a senior IC or leadership role. Prior CISO title preferable but proximity to CISO activities is sufficient. The key here is that you can both be the thinker and leader we need, but also still feel very comfortable being hands-on.
• Demonstrated hands-on experience leading SOC 2 Type I/II audits from scoping through certification.
• Practical knowledge of GLBA, PCI DSS, and other financial services compliance requirements.
• Direct experience managing bank partner or enterprise security reviews (e.g., SIG, CAIQ, VSA questionnaires).
• Proficiency with cloud security (AWS and Cloudflare preferred), including IAM, VPCs, CloudTrail, GuardDuty, or equivalents.
• Hands-on experience with penetration testing methodologies or managing third-party pen test engagements.
• Strong working knowledge of SIEM, EDR, vulnerability management, and secrets management tooling.
• Experience building and running an incident response program, including playbooks and tabletop exercises.
• Excellent written and verbal communication skills — you can explain technical risk to non-technical stakeholders.
• Experience in fintech, neobank, lending, or another consumer financial services environment strongly preferred.
• CISSP, CISM, CISA, or equivalent certification are a plus.