East West Bank is one of the largest independent banks headquartered in California serving consumers and businesses throughout the U.S. and Greater China. With over 130 locations worldwide including California, Texas, New York, Georgia, Massachusetts, Nevada, Washington, and Greater China – East West Bank is committed to helping their customers’ enterprises succeed. At East West Bank, we build bridges that provide an important financial link, turning opportunities into growth and prosperity. As an East West Bank employee, you will be part of a growing and stable organization that provides career path development opportunities while serving a growing and profitable market.
East West Bank is currently seeking a Business Information Security Officer (BISO) for its Consumer Digital Bank line of business. Reporting directly to the Head of Enterprise IT Risk Management (EITRM) / Chief Information Security Officer (CISO) with a day-to-day reporting to the Head of the Digital Bank, this critical role will be responsible for information security and IT risk control enforcement, cybersecurity awareness, and enablement across the Digital Bank and other lines of business, enterprise functions, technology, and operations teams.
More specifically, the BISO position acts as a front-line role within EITRM but is embedded in the Consumer Digital Bank line of business. The BISO is directly responsible for performing hands-on Information Security solution builds for the Consumer Digital Bank. EITRM is the center of competence for Information Security and IT Risk, and the BISO will be the spoke that protects the Consumer Digital Bank. The BISO plays an active role in ensuring cybersecurity awareness and alignment of the business strategy with the information security strategy, acting as an enabler for the business. The BISO is accountable for ensuring that Information Security and IT Risks within the line of business are identified, assessed and reported; that appropriate controls are in place or put in place; and that local procedures and activities comply with EWB’s Enterprise Information Security policies, standard operating procedures, industry best practices, and regulatory requirements.
The individual in the role of BISO for the Digital Bank will need to:
- Embed as part of the business to ensure information risks are identified, assessed, mitigated and controlled through the deployment of a sustainable information security risk management program.
- Develop and maintain a deep understanding of the business in order to have specialized information security risk-based discussions.
- Work with the business and enterprise security and IT risk teams to recommend changes, enhancements or additions to the security controls of business applications that will enhance the Information Security profile of the organization's processes.
- Work with IT Operations, Information Security and Application Development teams to assist in the development of strategies and plans for improving infrastructure, architecture and application security.
- Ensure the technology and practices used by the business are both in compliance with Enterprise Information Security policies and standards and meet the specific business goals.
- Assist in the review, development, testing and implementation of security plans, products and control techniques, including enhancement of existing processes and service offerings.
- Provide technical hands-on leadership and ownership to business management and staff in risk assessments and in the implementation of appropriate data security procedures and products.
- Meet demands associated with managing multiple projects in an enterprise environment.
- Provide the business and senior management with strategic security guidance to ensure consistency in development and deployment enterprise-wide.
- Identify key risks to applications and understand company and business risk appetite and tolerance in order to identify solutions and provide guidance.
- Report security issues/risks to the line of business and Information Security as applicable with appropriate documentation and support the response to security events.
- Implement security solutions according to EWB enterprise security policies and practices.
- Determine the appropriate levels of controls to safeguard sensitive data and validate those controls are being implemented.
- Manage the IT/IS risk assessment process including determining inherent risks, controls in place, control gaps, action plans, and residual risks. Participate in business specific risk management and business continuity procedures and routines.
- Provide guidance in preparing for audits, lead the resolution of audit findings, and work to ensure closure.
- Keep line of business management apprised of risk issues related to information security and recommend as well as implement actions in support of the bank's wider risk management and compliance programs.
- Monitor information security trends internal and external to the bank and keep business leadership informed.
- Implement information security risk governance and control framework for the consumer and digital organization that incorporates a consistent, sustainable methodology for identifying, assessing, and documenting information security risk that provides early warning of potential failure to meet information security requirements.
- Escalate potential or unresolved security issues to management for resolution as appropriate.
- Establish communication with line of business management, EITRM and the IT organization to communicate security posture and opportunities and to drive action. Consolidate, interpret and report key information security risks and trends for the portfolio, and understand the effectiveness of controls in managing the key risks. Contribute to centralized reporting efforts and initiate ad hoc analyses and reporting for a variety of stakeholders within the portfolio to ensure that appropriate parties are aware of security issues.
- Act as liaison between the Business Team, EITRM and the IT organization. Meet regularly with business and technology executives to ensure consistent communication, build relationships with functional and technology teams, and integrate Information Security controls into business practices.
- Provide ongoing awareness and knowledge of good Information Security practices to the line of business, both locally and enterprise-wide. Assist the line of business in developing and implementing its own unit- or role-specific Information Security training and awareness programs as appropriate based on risk.
Required Skills & Qualifications:
- 7+ years of Cybersecurity, Information Technology, and/or Information Security experience in an increasingly complex environment. Banking industry and global experience a plus.
- 5+ years of IT Risk Management and/or IT Audit experience with proven ability to effectively apply risk principles to challenging business situations. Big 4 or equivalent experience a plus.
- Bachelor’s Degree in Information Technology, Computer Science, Information Security, or other related area. Advanced degree a plus.
- One or more relevant security and risk certifications: CISSP, CISA, CISM, CSX, CGEIT, CRISC, G-SEC and/or other similar certifications.
- Experience evaluating as well as a deep understanding of concepts, technologies and controls related to IT operations, information security, incident response, cloud environments and security, general IT controls, vulnerability management, application security and other technology related risks.
- Knowledge of IT governance, risk and compliance frameworks such as FFIEC, NIST, ISO, SOX, GLBA, CSA, and/or COBIT is a plus.
- Experience evaluating threats/risks posed by new technologies spanning networks, hardware, software, etc.
- Experience in analyzing and responding to advanced cyber threats, technology risk and the motivation/attack vectors of each threat.
- Experience implementing an enterprise-wide information security and cybersecurity strategy, including compliance with industry best practices and regulatory requirements.
- Proficiency with Cloud Types and Configurations (SaaS, IaaS, PaaS, public, private, hybrid, etc.).
- Excellent verbal and written communication skills. Ability to communicate with business leaders, users and tech-savvy stakeholders. Create and analyze reports for a diverse group of stakeholders.
- Thorough attention to detail, excellent organizational, time management, project management and multi-tasking skills.
Additional Desired Skills & Qualifications:
- Self-starter and quick-learner, capable of learning new IT, information security, IT compliance and IT risk management subjects and can adapt to a high-paced team.
- Proficiency with Microsoft Office Suite (MS PowerPoint, Word, Excel, Visio, etc.).
- Ability to take ownership of an initiative/issue through completion.
- Ability to work in a collaborative environment.
- Strong analytical skills/problem solving/conceptual thinking.
- Ability to work with technical and non-technical business owners.