IT Information Security Manager

General Job Summary Accountable for defining, executing, and maturing the institution’s enterprise cybersecurity program, protecting the confidentiality, integrity, and availability of information and critical services. Essential Functions People, Strategy, Governance, and Risk (GRC) Manage the Information Security Unit, defining strategy, team roles, responsibilities, development, performance objectives, and metrics. Define cybersecurity strategy and roadmap based on NIST CSF, ISO 27001, and COBIT, establishing KPIs/OKRs, budget, and executive metrics. Establish and maintain policies, standards, and procedures covering access, encryption, data classification/retention, secure SDLC, third parties, and disaster recovery/bus. continuity. Drive integrated risk management: risk register, periodic assessments, risk appetite, treatment plans, and reporting to Risk Committee and executive leadership. Ensure compliance with GLBA, FFIEC, PCI DSS, SOX‑ITGC, ISO 27001, OCIF/FDIC guidelines, and privacy frameworks such as GDPR and CCPA. Coordinate internal/external audits, regulatory exams, remediate findings, and maintain documentation and metrics. Govern third‑party relationships and critical vendors, including due diligence, security/SLA clauses, SOC 1/2 reviews, and continuity. Design and implement Zero‑Trust architectures, segmentation, SASE/CASB, WAF, encryption in transit and at rest, KMS/HSM, and centralized telemetry. Govern the security stack (SIEM, EDR, DLP, EPP, Microsoft Defender, Fortinet, email security, MDM) and automate through SOAR to reduce MTTR. Lead vulnerability and patch management, continuous scanning, risk‑based prioritization, and remediation SLAs. Coordinate penetration tests, Red Team exercises, and hardening aligned to CIS/NIST benchmarks. Design and operate security in OCI and AWS, covering CSPM, IAM, VPC/VNet, container security, secrets/keys, logging, alerting, VPN/SD‑WAN connectivity, and edge controls. Govern SSO, MFA, RBAC/ABAC, joiner‑mover‑leaver lifecycle, access reviews, and privileged access management using AD/Azure AD and cloud directories. Maintain incident response plans with playbooks and SOC runbooks, coordinate with legal/communications, lead digital forensics, root‑cause analysis, and post‑incident lessons learned. Co‑lead BCP/DR with Technology and Operations, including business impact analysis, RTO/RPO, and multi‑site/multi‑region exercises. Requirements Bachelor’s degree in engineering (Computer/Telecommunications/Electrical) or Computer Science, or equivalent experience. 7–10+ years in cybersecurity, GRC, or architecture, with 3+ years leading security or SOC teams. Experience in financial services and regulated environments, including direct interaction with auditors and regulators. Hands‑on implementation of NIST CSF, ISO 27001, PCI DSS, and cloud‑security practices in OCI/AWS. Comprehensive knowledge of SIEM, EDR, DLP, SOAR, IAM/PAM, data governance, encryption, WAF, CSPM, SASE/CASB, DevSecOps, and secure SDLC. Knowledge of Zero Trust, segmentation, VPN/SD‑WAN, incident handling and forensics, and vulnerability platforms such as Qualys. Certifications: Fortinet NSE 4/7 or higher, Cisco CCNA/CCNP, CompTIA Network+/Security+, ITIL v4 Foundation, AWS Advanced Networking/SAA, OCI Networking/Architecture. Preferred: CISSP, CISM/CRISC, ISO 27001 Lead Implementer/Auditor, CCSP, PCI‑ISA/PCIP, GIAC (GCIH/GCIA/GPEN), AWS Security Specialty, OCI Architect/Professional, ITIL v4. Strong verbal, written, and negotiation skills; bilingual in Spanish and English. Conditions Availability for on‑call duties and off‑hours incident handling; travel to branches as needed. Successful background check per internal and regulatory policies. Equal Opportunity Employer Island Finance is an Equal Opportunity Employer. #J-18808-Ljbffr