Information Security Manager

Conference of State Bank Supervisors (CSBS)
142,110 USD - 192,267 USD
United States, D.C., Washington
May 17, 2025
Job Summary

The Information Security Manager is responsible for developing, implementing, and maintaining the organization's information security program aligned to FISMA and the NIST Cyber Security Framework to ensure the confidentiality, integrity, and availability of our information and information system assets. This includes the development of policies, procedures and processes, creation of Security Authorization packages, and oversight of monthly Continuous Monitoring reports which include vulnerability scanning, interviews and system testing. The Information Security Manager supports security engineering architecture reviews of CSBS information systems ensuring they are designed and built around their respective protection needs with proven security architectures, and that required protection mechanisms are addressed and implemented early and maintained throughout the life cycle of information systems to minimize risk to CSBS. The Information Security Manager is expected to work with a variety of stakeholders, including system owners, implementation engineers, third-party auditors, and the CSBS Information Security Department to develop deliverables, recommend security solutions, and maintain the existing Authority to Operate (ATO) status for CSBS systems and implement new ATOs for other emerging systems and platforms.
Essential Functions

To perform this job successfully, an individual must be able to perform each essential duty and responsibility satisfactorily. Reasonable accommodations may be made to enable an individual with disabilities to perform the essential functions. Other duties may be assigned to meet business needs.

This position will perform hands-on tasks to monitor and manage the security posture of CSBS's information technology services. In this role, the Information Security Manager will be responsible for participating in and leading the analysis and evaluation of information technology services design, engineering practices, and architecture.

Security Program Management

  • Work with the CISO to develop a security program and security projects that address identified risks and business security requirements.
  • Manage the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing the CISO with a realistic overview of risks and threats in the enterprise environment.
  • Partner with the CISO to develop budget projections based on short and long-term goals and objectives.
  • Monitor and report on compliance with security policies, as well as the enforcement of policies within the IT department.
  • Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.
  • Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
  • Manage production issues and incidents and participate in problem and change management forums.
  • Work with the CISO, IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
  • Provide support and guidance for legal and regulatory compliance efforts, including audit support.
  • Develop and implement controls and configurations aligned with security policies and legal, regulatory, and audit requirements.
  • Advise senior leadership on risk mitigation strategies based on established risk tolerance and industry best practices.
  • Align organizational requirements with security risk management goals, ensuring a cohesive approach to risk mitigation.
  • Develop, review, and monitor compliance with organizational security policies.
Security Engineering Architecture Reviews
  • Work with the enterprise architecture team to ensure that there is a convergence of business, technical, and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
  • Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications, and software.
  • Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
  • Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
  • Coordinate, measure, and report on the technical aspects of security management.
  • Manage security projects and provide expert guidance on security matters for other IT projects.
  • Ensure rigorous execution and maintenance of security policies, procedures, and protocols related to security risk management.
  • Lead the deployment of cutting-edge security technologies and program enhancements, ensuring CSBS remains at the forefront of the industry's best practices.
CSF and RMF ATO Support
  • Develop a variety of Security Authorization deliverables including System Security Plans (SSP), Security Assessment Reports (SAR), Risk Assessment Reports, Privacy Impact Assessments (PIA), Annual Assessments, Contingency Plans, FIPS 199 Security Categorizations, Plans of Action and Milestones (POA&M), etc.
  • Serve as an active and consistent participant in the information security governance process.
  • Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
  • Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
  • Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans, and communicate information about residual risk.
  • Design, coordinate, and oversee security testing procedures to verify the security of systems, networks, and applications, and manage the remediation of identified risks.
  • Analyze and review existing processes and procedures to determine areas of possible improvement that will lead to gains in efficiency and security.
  • Identify and propose solutions to potential security threats while assessing the risk levels.
  • Manage risks and systematically resolve or escalate issues in a proactive and timely manner.
Additional Responsibilities:
  • Monitor industry trends for changes in cyber security challenges and implement planning, policy and procedure changes in response.
  • Contribute to industry and government forums that develop industry guidance and regulations regarding security practices.
Minimum Qualifications

To perform this job successfully, an individual should possess the knowledge, skills, and abilities listed and meet the amount of education, training and/or work experience required.

Education and Experience
  • Bachelor's degree in Information Technology, Information Security, or a related field; equivalent experience may be considered.
  • Professional certifications such as CISSP, GIAC, or CCSP required; additional cloud-related certifications are a plus.
  • Minimum of 12 years of relevant experience in business and technology, including at least 10 years in Information Security or Information Assurance.
  • Extensive experience conducting risk assessments aligned with NIST standards, including at least 7 years focused on cloud and mobile environments. Strong knowledge of System Security Plans (SSPs) using NIST 800-53 Rev. 5 is essential.
  • Demonstrated expertise with the NIST Cybersecurity Framework and FISMA Information Security Continuous Monitoring (NIST SP 800-137).
  • Industry experience in Financial Services, Regulatory, or Consulting sectors is highly desirable.
  • Experience preparing Security Authorization documentation in support of Authority to Operate (ATO) processes.
  • Technical proficiency in database security, content filtering, vulnerability scanning, and anti-malware solutions.
  • Hands-on experience with security in cloud environments, including IaaS, PaaS, and SaaS models.
  • Proficiency in at least one scripting language such as Python, PowerShell, or Perl.
  • Experience supporting enterprise incident response plans and participating in incident resolution activities.
Knowledge, Skills and Abilities
  • Demonstrated ability to develop, implement, and communicate security policies, standards, and procedures across diverse user groups.
  • Deep understanding of network security principles, including VPNs, firewalls, intrusion detection systems, network monitoring, web server security, and wireless protection.
  • Strong working knowledge of the NIST Risk Management Framework (SP 800-30, SP 800-37) and related industry standards.
  • Expert-level understanding of system and network security engineering practices, operating systems, and application auditing.
  • Familiarity with SSAE 16 SOC 1 reports and their role in information security compliance.
  • Proven knowledge of application vulnerabilities, threat vectors, and effective mitigation strategies.
  • Knowledge of security technologies such as Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP), Multi-Factor Authentication (MFA), and Data Rights Management (DRM).
  • Strong understanding of security considerations for public cloud platforms (e.g., Azure, AWS, Office 365).
  • Ability to collaborate across functions and build consensus among diverse stakeholders.
  • Skilled in influencing others to drive security adoption and behavioral change.
  • Exceptional written and verbal communication skills, including the ability to explain complex technical concepts to non-technical audiences.
  • Commitment to delivering high-quality, responsive service that aligns with business needs.
  • Effective at managing multiple high-priority projects in a fast-paced, deadline-driven environment.
  • Strong planning, organizational, and task management skills.
  • Solid foundational knowledge of cybersecurity principles and technologies.
Requirements
  • Due to the nature of CSBS's business in support of state financial services supervision, all CSBS employees have the potential of interacting with confidential information related to the supervision of financial services companies ("Confidential Supervisory Information"). As a result, in addition to general business conflicts of interest, all CSBS employees are expected to disclose conflicts of interest in financial services companies on at least an annual basis and to proactively avoid such conflicts.
  • Protect the confidentiality, integrity, and availability of CSBS information and information systems in accordance with CSBS policies and procedures.
  • Must be eligible to obtain or currently possess a U.S. Government clearance at the Public Trust (NACI) moderate level or higher.
  • Must be an authorized United States citizen.
Values Instilled Behaviors for Excellence (VIBE)

At CSBS, work-life balance isn't just a policy; it's our VIBE! We recognize that our team members have lives that deserve attention and care. That's why we create strong, supportive relationships that help everyone grow both professionally and personally. We honor each other's expertise and speak the truth, even when it's a bit awkward. And guess what? This honesty creates a vibe of respect and trust that powers our efficiency and our excellence. It lets us chase those career goals while also nurturing our personal pursuits. At CSBS, you can thrive at work and at home; it's the best of both worlds!

Just like a healthy work-life, collaboration is an essential part of CSBS's mission. In fact, it is the heartbeat of everything we do! We're all about pitching in, giving props to our colleagues, and having each other's backs. This allows us to push ourselves to our maximum potential and embrace those bold risks and innovative solutions. No matter what comes our way, our commitment to communication and teamwork strengthens us. We at CSBS are on mission and on the move, tackling all challenges together!

Leadership Competency Model

At CSBS, we believe in leadership at every level, empowering all employees, regardless of role, to take initiative, inspire others, and drive progress. Our five core competencies are Leading Change and Transformation, Leading Others, Results Focused, Business Intelligence, and Collaborative Partnering to provide a framework for professional growth while ensuring accountability in our performance.

Leading Change and Transformation means embracing innovation and adaptability to drive continuous improvement. Leading Others is about guiding, mentoring, and influencing colleagues to move our mission forward. A Results-Focused mindset ensures we meet our goals with efficiency and impact. Business Intelligence allows employees to make informed, strategic decisions based on data and industry insights. Finally, Collaborative Partnering fosters teamwork and strong relationships to achieve shared success.

This competency model not only supports individual growth and development but also strengthens CSBS as we evolve into a more agile and innovative organization. Here, leadership isn't just a title, it's a mindset that moves us forward together.
Working Conditions

  • General office.
  • Some travel required.

This job description should not be construed to imply that these requirements are the only standards for the position. Incumbents will follow any other instructions and perform any other related duties as may be required. CSBS has the right to revise this job description at any time. CSBS is an "at will" employer and as such, neither this job description nor your signature constitutes any form of contractual arrangement between you and CSBS.

Compensation at CSBS

At CSBS, salary offers are determined within the established range based on a candidate's experience, education, and the market demand for the role. Where appropriate, we also carefully benchmark against similar internal positions to ensure equity and consistency.

In addition to competitive salaries, CSBS offers a comprehensive benefits package, a flexible hybrid work environment, and an inclusive culture. Learn more about our benefits, culture, and work environment by visiting CSBS Careers.