Director of Information Security

$120k - $190k

Stearns Bank N.A.

At Stearns Bank, we're helping people, entrepreneurs, small businesses, and local communities nationwide reach their full financial potential. Sound like something you want to be a part of? If so, we're currently looking for a Director of Information Security. This is a connected mobile role.


Come see how we're doing business unusual and charting our own path to reimagine a more inclusive financial services and banking ecosystem for all.

BENEFITS

Stearns Bank understands and respects that everyone is managing unique career, family, and wellness needs. That's why we offer industry-leading benefits to employees to help them live healthy lives and bring their full selves to work every day. Benefits may vary for part-time positions. Some of those benefits include:

  • Employee Stock Ownership Plan & 401k Plan
  • Healthcare (Medical, Dental, Vision, Telehealth, Life insurance)
  • 12-week Paid Parental Leave and Medical Leave: With a cap of 20 weeks for eligible team members who qualify for both Medical and Parental Leave related to the birth of a child
  • $5,000 Family Care Reimbursement: Childcare, Elder Care, Student Loan Debt, Pet expenses, Down Payment Assistance
  • PTO from 13 to 23 days depending on tenure. Cashout and Carryover options
  • 10 Days Sick Time
  • 11 Paid Holidays
  • 4 Days Volunteer Time
  • 2 Days Self Allowance Time
  • Tuition Assistance

For this position, we anticipate an annual salary range between $120,000 - $190,000. Final employment offers will be dependent upon the selected candidate's relevant qualifications and experience.

JOB SUMMARY: The Director of Information Security is the Bank's designated Information Security Officer, and is responsible for leading and evolving Stearns Bank's enterprise information security, technology risk and infrastructure security strategy.


Operating within the Risk organization, this role provides second-line governance, challenge, and advisory oversight across the Bank's technology ecosystem, including infrastructure, cloud platforms, core systems, digital initiatives, and fintech partnerships.


The role ensures the confidentiality, integrity, availability and resilience of the Bank's information systems while advancing modernization of infrastructure, data protection capabilities and emerging technology governance.


The Director serves as the Bank's senior security authority, aligning cybersecurity, infrastructure architecture, cloud strategy, vendor risk oversight, and regulatory compliance into a unified enterprise program consistent with OCC, FDIC, FFIEC, GLBA, and other regulatory expectations.

This role balances strategic leadership, regulatory accountability, and technical depth.


PRIMARY RESPONSIBILITIES

Enterprise Security Strategy & Governance
  • Lead and continuously evolve the Bank's Information Security Program aligned with 12 CFR Part 30, Appendix B, the FFIEC Information Security Booklet, the OCC Cybersecurity Supervision Work Program, NIST CSF, and regulatory guidance.
  • Conduct or direct the annual enterprise-wide IT risk assessment using NIST CSF 2.0, the CRI Profile, or equivalent framework, identifying threats, vulnerabilities, and risk levels for all information assets.
  • Develop and execute a multi-year enterprise security roadmap aligned with business strategy and modernization initiatives.
  • Manage the cybersecurity self-assessment process using the Bank's selected framework, the Cyber Risk Institute Framework, ensuring findings are documented, tracked, and reported to the Board.
  • Serve as the primary security advisor to executive leadership and Board committees.
  • Provide regulator reporting on cyber risk posture, threat landscape and remediation status.
Infrastructure & Architecture Security Alignment
  • Partner with IT Infrastructure and Transformation leaders to ensure security-by-design across:
      • Network architecture
      • Cloud platforms
      • Endpoint management
      • API security architecture
      • Identity & access management
      • Core banking and fintech integrations
      • Artificial Intelligence (AI) integrations
  • Establish secure architecture standards for hardware, networking, segmentation, encryption and endpoint detection.
  • Drive adoption of modern security principles including Zero Trust architecture and secure cloud governance.
  • Oversee the vulnerability management and patch management lifecycle, monitoring remediation timelines against risk-based SLAs and escalating deficiencies to senior management.

Cybersecurity Operations & Emerging Threat Management
  • Oversee: Threat detection and response, Incident response program, Penetration testing and vulnerability management, SOC oversight
  • Monitor evolving cyber threats, AI-driven risks and geopolitical threat activity.
  • Lead incident response coordination and regulatory notification processes when required.
Third-Party & Technology Risk Oversight
  • Lead and Chair the Vendor Management and Third-Party Risk program.
  • Conduct information security due diligence on all prospective fintech partnerships during the planning and selection stages of the third-party risk management lifecycle.
  • Review and evaluate SOC 2 Type 2 reports, penetration test results, vulnerability assessments, and BCP/DR documentation for all third-parties (including fintech partners) at least annually, or more frequently for critical relationships.
  • Participate in the Bank's Fintech Committee providing independent risk opinions on information security dimensions of new and existing partnerships.
  • Assess security architecture of API integrations, data flows, and credential management between the Bank and third-parties, ensuring encryption in transit and at rest, access controls, and monitoring are commensurate with risk.
  • Monitor fintech partner compliance with the Bank's information security requirements on an ongoing basis, including incident notification obligations under contractual SLAs.
  • Evaluate fourth-party (subcontractor) risk for critical fintech partners, ensuring contractual provisions address subcontractor security standards, approval requirements, and audit rights.
  • Evaluate emerging technologies and associated risk profiles prior to deployment.
  • Ensure bank service provider contracts include notification obligations that meet regulatory requirements, and that designated points of contact are current.
  • Coordinate with critical third-party service providers to assess their BCP/DR capabilities and resilience, including review of TSP continuity testing results.
Regulatory & Audit Leadership
  • Serve as primary security liaison for all IT Audits.
  • Serve as primary security liaison for OCC, FDIC, and external examiners.
  • Maintain compliance with GLBA, FFIEC IT Handbook, NIST, PCI and SOC reporting standards.
  • Oversee timely remediation of any audit or regulatory findings.
  • Ensure compliance with notification requirements of all relevant regulatory agencies and documented decision criteria for determining when a "notification incident" has occurred.
  • Maintain the Bank's state breach notification matrix and coordinate customer notification processes in compliance with applicable state laws for each jurisdiction where affected customers reside.
Data Protection & Modern Governance
  • Oversee: Data classification standards, Data Loss Prevention (DLP), Encryption standards, Secure data lifecycle management
  • Align information security with enterprise data governance initiatives.
  • Monitor the CFPB's evolving data security enforcement posture and ensure the Bank maintains multi-factor authentication, adequate password management, and timely patching to mitigate UDAAP exposure.
  • Track developments in the Section 1033 Personal Financial Data Rights rulemaking and assess implications for the Bank's data-sharing security controls, API standards, and authorized third-party oversight.
  • Coordinate with Legal and Compliance on data protection requirements arising from state privacy laws, ensuring appropriate controls are in place for each jurisdiction where the Bank operates or serves customers.
Business Continuity & Operational Resilience
  • Own the enterprise Business Continuity Management.
  • Oversee Business Continuity and Disaster Recovery frameworks in partnership with enterprise risk.
  • Ensure cyber resilience testing and tabletop exercises are conducted regularly.
  • Integrate operational resilience planning into infrastructure modernization efforts.
  • Direct the Business Impact Analysis process, establishing Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and Maximum Tolerable Downtime (MTD) for all critical business functions.
  • Ensure BCP/DR plans address ransomware-specific recovery scenarios, including air-gapped and immutable backup validation, and that restoration procedures are tested at least annually.
  • Lead enterprise security awareness and training programs.
  • Foster a culture of security ownership across all business lines.
  • Partner with HR and leadership to embed security accountability into performance management, including phishing simulations and role-based training for privileged users.

Emerging Technology & AI Governance
  • Establish and maintain the Bank's AI and emerging technology acceptable use policy, defining approved use cases, prohibited activities, and approval workflows for all AI tools deployed internally or through third-party and fintech partner relationships, in collaboration with Digital Transformation, Information Technology, and Fintech teams.
  • Classify each AI tool as a "model" or "non-model" under the OCC's model risk management framework, and apply risk-proportionate governance controls including documentation, validation frequency, and ongoing monitoring commensurate with each tool's materiality and complexity.
  • Conduct or coordinate information security risk assessments for all AI deployments, evaluating data ingestion controls, training data integrity, prompt injection and adversarial attack vectors, output monitoring, access controls, and data leakage prevention.
  • Implement shadow AI detection and prevention controls to identify unauthorized AI tool usage by employees, contractors, and fintech partners, including monitoring for unapproved cloud-based AI services and browser-based AI plugins accessing Bank data.
  • Evaluate the Bank's AI vendor contracts for information security adequacy, including provisions for model documentation and audit rights, restrictions on use of Bank data to train other models, material model change notification requirements, subcontractor disclosure, and regulatory examination access.
  • Monitor and report to senior management on the evolving AI regulatory landscape, including OCC guidance, the Treasury Financial Services AI Risk Management Framework, NIST AI Risk Management Framework 1.0, state AI laws, and federal preemption developments affecting the Bank's compliance obligations.
  • Evaluate and determine if the Bank should adopt the Treasury Financial Services AI Risk Management Framework's AI Adoption Stage Questionnaire and applicable control objectives as the Bank's primary governance framework, scaled to the Bank's current AI maturity and risk profile.
  • Include AI governance status, emerging technology risks, and AI-related incidents or findings in the quarterly Board Risk Committee report and the annual Appendix B report.
Designated Security Officer Responsibilities
  • Serve as the Bank's formally designated Security Officer.
  • Administer and periodically review the Bank's written Security Program addressing robbery prevention, physical safeguards and employee safety.
  • Ensure appropriate security devices and procedures are in place across all banking offices and facilities, including alarm systems, surveillance, access controls and cash handling safeguards.
  • Coordinate with Director of Branch leadership and Operations on physical security risk assessments and mitigation strategies; serve as Chair of the Physical Security Committee conducting quarterly meetings.
  • Provide periodic reporting to Executive Management and the Board of Directors regarding physical security risks and program effectiveness.
REQUIREMENTS
  • Occasionally lift and/or move up to 25 lbs.
  • Ability to understand and follow instructions in English.
  • Ability to sit for extended periods of time, twist, bend, sit, walk, use hands to twist, handle or feel objects, tools or controls, such as computer mouse, computer keyboard, calculator, stapler, telephone, staple puller, etc., reach with hands and arms, balance, stoop, kneel, talk or hear.
  • Specific vision abilities required by the job include close vision, distance vision, peripheral vision, depth perception and the ability to adjust focus.
EXPERIENCE
  • 10+ years of progressive experience in cybersecurity, infrastructure security, or enterprise technology risk.
  • Experience in a regulated financial institution (OCC or FDIC supervised preferred).
  • Demonstrated experience leading security strategy in cloud or hybrid environments.
  • Experience overseeing third-party and fintech technology risk.
  • Demonstrated ability to lead cross-functional initiatives.
  • Experience engaging directly with regulators and auditors.
  • Strong program management capabilities.
  • High integrity, executive presence and clear communication skills.
  • Proven working knowledge of requirements for GLBA, SOC, FFIEC and PCI and OCC and FDIC guidance on data security and IT examination requirements.
  • Experience with auditing processes, including Network Security, SDLC/Change Management and IT related functions.
  • Knowledge of the global IT Risk Regulatory Landscape and Risk Management Model (e.g. Threats, Vulnerabilities, and Controls).
  • Strong technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.)
  • Experience in developing and maintaining a technology Risk Assessment process.
  • Must be well versed in industry accepted IT control frameworks (e.g. SSAE16/18, SAS70, or ISO17799 audit reports).
  • Project and program management concepts and controls experience.
  • Must possess a high degree of integrity and trust along with strong communication skills and ability to work individually, within a team and with other business groups.
  • Experience or understanding of Disaster Recovery, Business Continuity, and Incident Response initiatives.
  • Must have ability to develop policies and procedures and communicate effectively.
  • Understanding of federal and other regulatory requirements and the ability to keep current.
  • Experience working with federal examiners.
  • Must be open to working on-call.
  • BS/MA degree in related technical and security disciplines.
  • Certifications in data security and/or auditing procedures not required but preferred.
  • Familiarity with banking related software (Fiserv preferred).

THE COMPANY

Founded in 1912, Stearns Financial Services Inc. (SFSI) is a $3.2 billion, independently owned financial institution with locations in Minnesota, Florida and Arizona, and over 35,000 small business customers nationwide. Specializing in affordable housing financing, USDA and SBA lending, and small business and equipment financing, Stearns Bank is regularly recognized as one of the country's top-performing banks and "Best Banks to Work For" by American Banker.

As a Star Tribune Top Workplaces award recipient and an award recipient of the Minnesota Business Magazine 100 Best Places to Work in Minnesota, Stearns takes pride in their team and holds their employees in extremely high regard. We offer a competitive salary and benefit package including our Employee Stock Ownership Program, one of the best long-term incentive programs in the nation. To learn more about Stearns Bank, visit StearnsBank.com.

EQUAL OPPORTUNITY EMPLOYER / AFFIRMATIVE ACTION PLAN

We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, marital status, familial status, sexual orientation, national origin, age, disability, veteran's status, status with regard to public assistance, or any other class protected by Federal, State, or local laws governing nondiscrimination in employment.
Vacancy posted 5 days ago