Portfolio Information Security Officer
Asurion · Nashville, TN · Yesterday
On-siteInformation TechnologyFull-time
Key Responsibilities
- Business Unit Security Leadership: Own the security relationship for assigned portfolios; participate in business planning and governance; ensure leaders understand current and emerging risks, control gaps, remediation obligations, and risk acceptance decisions; connect enterprise security functions with business and technology teams to align priorities to outcomes.
- Cyber Risk Advisory and Prioritization: Advise on remediation prioritization, compensating controls, exceptions, and formal risk acceptance; assess findings based on likelihood, impact, exploitability, regulatory exposure, operational criticality, and customer impact; develop practical risk treatment plans; present time-bound risk acceptance recommendations with accountable ownership; escalate material risks to appropriate governance forums.
- Application Architecture and Engineering Reviews: Provide technical security advisory for application architecture, cloud deployments, integrations, APIs, identity patterns, and third-party connectivity; partner with enterprise architecture, engineering, DevOps, cloud, and infrastructure teams to identify risk early; evaluate authentication, authorization, data protection, encryption, logging, segmentation, resilience, secrets management, secure configuration, and vulnerability exposure; ensure alignment to enterprise standards, secure SDLC, and regulatory requirements.
- Risk Reporting and Governance: Produce business-unit-specific cyber risk reporting covering key risks, control gaps, remediation progress, exceptions, vulnerabilities, audit/regulatory issues, and emerging threats; deliver regular updates to business leaders and contribute to consolidated executive reporting; translate technical issues into clear business impact statements and decision materials; track commitments, risk acceptances, and issue closure.
- Security Program Alignment: Drive adoption of enterprise capabilities and standards (e.g., vulnerability management, third-party risk, IAM, data protection, cloud security, incident response, threat management, awareness, secure development); identify gaps between policy and implementation; provide feedback to central security teams; support regulatory, audit, and compliance activities; partner with security architecture, GRC, risk, privacy, legal, compliance, and technology teams.
- Incident, Threat, and Emerging Risk Support: Provide business context during incidents and investigations; advise leaders on exposure, remediation urgency, operational impact, and communications; lead post-incident risk reviews and ensure lessons learned inform sustainable control improvements.
Education and Experience
- Bachelor’s degree in Information Security, Computer Science, Information Technology, Engineering, Risk Management, or related field, or equivalent practical experience.
- 10+ years across information security, technology risk, application security, infrastructure, cloud security, security architecture, engineering, or related disciplines.
- 5+ years influencing senior technology, engineering, risk, or business stakeholders.
- Demonstrated experience advising on cyber risk, control gaps, risk acceptance, remediation prioritization, and executive-level risk reporting.
- Experience reviewing application, system, or platform designs for security risk and translating technical issues into business risk language for executives.
Preferred
- Experience as a PISO/BISO or in security architecture, technology risk, or senior security advisory roles;
- Regulated industry experience (e.g., financial services, healthcare, insurance, technology, critical infrastructure);
- Familiarity with frameworks such as NIST CSF, NIST 800-53, ISO 27001, CIS Controls, COBIT, FAIR;
- Relevant certifications (e.g., CISSP, CISM, CRISC, CCSP, CISA, SABSA, AWS/Azure security credentials).
Knowledge, Skills, And Abilities
- Broad technical fluency across application security and secure SDLC, cloud security architecture, IAM, infrastructure and network security, data protection and encryption, API and integration security, vulnerability management, DevSecOps and CI/CD, logging/monitoring/detection controls, third-party risk, resilience and continuity.
- Strong risk judgment; ability to distinguish theoretical risk from material business risk and compliance exposure, and to recommend pragmatic treatments aligned to risk appetite.
- Executive communication skills with the ability to prepare concise, decision-oriented materials and influence without direct authority.
- Business acumen to connect security posture to strategy, revenue, operations, and customer impact.
- Relationship management and prioritization skills to focus teams on the most impactful risks under resource constraints.
- Ownership mindset to drive issues to closure, maintain accountability, and ensure transparent, time-bound risk decisions.