Director, Integrated Security
Job Overview
The Director, Integrated Security role is within Cornerstone Capital Bancorp, Inc., a Texas-based financial services company. This position oversees the development and maintenance of a comprehensive information security program to protect the bank's data and systems, ensuring compliance with regulations and industry standards.
Responsibilities
Establish and maintain the enterprise security risk management framework, including risk appetite statements, policies, minimum control standards, and risk taxonomies that the first line is required to implement.
Review and challenge first-line policies, standards, and procedures to confirm alignment with regulatory expectations, the Bank’s risk appetite, and industry frameworks (e.g., NIST CSF, FFIEC CAT, ISO 27001).
Perform independent assessments of the first line’s identification, measurement, and management of security risks, including review of risk and control self-assessments (RCSAs), issue management, and key risk indicators.
Provide credible challenge to first-line risk treatment decisions, exception requests, and risk acceptances; escalate unresolved concerns through governance committees to executive management and the Board.
Monitor and independently assess first-line compliance with applicable laws, regulations, and supervisory expectations (e.g., GLBA, FFIEC IT Handbook, NYDFS Part 500, SEC cybersecurity disclosure rules, state privacy laws); track remediation of regulatory findings and matters requiring attention (MRAs).
Partner with the Chief Privacy Officer to provide oversight and challenge of the first line’s implementation of GLBA’s privacy provisions and other consumer data protection requirements.
Establish enterprise expectations for the first line’s security awareness and role-based training programs, and independently assess their effectiveness through metrics, phishing test results, and behavioral indicators.
Monitor and report on the enterprise security risk culture; identify gaps and recommend improvements to executive management and the Board.
Set control objectives and minimum technical standards for security architecture and tooling; review and challenge first-line technology selection, design, and deployment decisions for alignment with risk appetite.
Independently test and validate the design and operating effectiveness of key security controls operated by the first line; document findings and track remediation through closure.
Coordinate with first-line technology and business owners, Enterprise Risk Management, Compliance, Legal, and Internal Audit (3LOD) to ensure clear roles, avoid duplication, and maintain the independence of the second-line challenge function.
Engage with business and technology leaders to understand strategic initiatives, provide advisory input on emerging security risks, and assess whether first-line risk management is commensurate with the risks taken.
Produce independent reporting on the Bank’s security risk posture, control effectiveness, key risk indicators, and emerging threats for executive management, the Risk Committee, and the Board, with an unfiltered reporting line that does not require first-line approval.
Review first-line security metrics, key risk indicators (KRIs), and breach/event trends to form an independent view of risk position relative to appetite.
Develop and maintain business continuity and resiliency plans, conduct business impact analyses and continuity risk assessments, coordinate continuity testing, exercises, and corrective actions, maintain business continuity governance, reporting, and documentation, lead crisis response and recovery coordination during disruptions, partner with business units and vendors to strengthen operational resilience, monitor compliance with continuity policies and regulatory expectations, deliver business continuity training and awareness programs, report continuity risks and program performance to management, align business continuity, disaster recovery, and incident management activities.
Qualifications
Minimum of 10 years of experience in information security, technology risk, or operational risk management within the Financial Services sector, with at least 5 years in a second line of defense, risk oversight, or audit capacity.
Minimum of 5 years Mid to Large Bank experience, including direct interaction with regulators (OCC, FRB, FDIC, NYDFS, or state banking departments) and the Board or its Risk Committee.
Bachelor’s Degree preferred.
Expert knowledge of three-lines-of-defense risk governance, enterprise risk management frameworks, regulatory expectations (FFIEC IT Handbook, NIST CSF, NYDFS Part 500, GLBA, SR Letters), and the principles of independent challenge and effective challenge.
Strong analytical reasoning, problem solving and critical thinking skills.
Strong computer and organizational skills.
Strong oral and written presentation skills.
Ability to work independently with a multi-level team.
Ability to multi-task and meet deadlines.
Strong proficiency with Microsoft Office (Word, Excel, Outlook, etc.).
PREFERRED CERTIFICATIONS:
Current Certified Information Systems Security Professional (CISSP)
Current Certified in Risk and Information Systems Control (CRISC)
Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or equivalent risk/audit certification preferred
What We Offer
A competitive salary
A full benefits package
The potential for a performance-based bonus
Next Steps
If Cornerstone sounds like the place for you (and if you have the qualifications, drive, and passion to match), we invite you to become a member of our winning team! And remember, once you're part of our Cornerstone family, we'll continue to invest in you as a valuable asset in our company. As many of our team members can tell you, there's something special about working at Cornerstone.