Director of Cybersecurity Governance, Risk & Compliance jobs in United States

Coastal · 3 weeks ago

Director of Cybersecurity Governance, Risk & Compliance

Coastal is a modern banking company focused on combining strong financial infrastructure with innovative Banking-as-a-Service strategies. The Director of Cybersecurity Governance, Risk & Compliance will lead the Security GRC function, managing a team to oversee Third Party Risk Management, security governance, and compliance with regulatory standards while partnering with various stakeholders to enhance the security posture of the organization.

Financial Services

Responsibilities

Lead the Security GRC team responsible for Third Party Risk Management, control governance and testing, Business Continuity Management, and access governance
Set the vision, roadmap, and priorities for the Security Program in partnership with the CISO, other Security & IT functions, and Enterprise Risk Management
Mentor and develop team members. Define clear goals, performance expectations, and development plans
Act as a key advisor to security and business leadership on cyber and technology risk posture, tradeoffs, and remediation priorities
Own the Security Program and ensure that regulatory, contractual, and internal security requirements are satisfied across the enterprise and BaaS/fintech ecosystem
Define and maintain the enterprise control baseline mapped to the NIST CSF, CRI Profile, and FFIEC IT Examination Handbooks, aligning with GLBA, SOX, and PCI-DSS where applicable
Author and approve control narratives, RACI, evidence requirements, testing procedures, and control objectives. Author and maintain cybersecurity governance documents, such as policies and standards
Work with technical control owners to implement processes and automations aligned to written controls, policies, and standards
Champion 'policy as code' and guardrails (e.g., identity, configuration, network segmentation, logging/monitoring) in partnership with Security Engineering and IT
Oversee targeted cyber/IT risk assessments for technology changes, third parties, products, and fintech programs and ensure clear articulation of inherent and residual risk
Maintain a centralized log of issues, control gaps, and remediation plans; ensure sustainable fixes and prevent recurrences by updating baselines, standards, and automation
Partner with Enterprise Risk Management on risk acceptance, watch lists, and aggregation of security risks into enterprise risk reporting
Own the design and execution of access certification campaigns across key systems and applications (e.g., core banking, identity platforms, cloud, fintech partner integrations)
Own the Third Party Risk Management (TPRM) program for vendors who provide services to the Bank
Define and maintain risk-based onboarding, due diligence, and ongoing monitoring processes for third parties
Lead cybersecurity reviews of fintech partners, including evaluation of controls, data flows, architecture, and shared-responsibility models
Partner with Procurement, Legal, and Business Lines to ensure contracts and SLAs reflect appropriate security, privacy, and resilience requirements
Track remediation of vendor and fintech security issues and report status and residual risk to stakeholders and governance committees
Own the Business Continuity Management Program execution for the Bank in coordination with key stakeholders. Ensure business impact analyses (BIA), recovery strategies, plans, and playbooks are defined, maintained, and tested for critical business processes and supporting technologies
Plan and coordinate BCP/DR exercises, including lessons-learned reviews and remediation tracking
Provide reporting on resilience posture, RTO/RPO alignment, and program maturity to senior management and risk committees
Lead preparation and responses for Internal Audit activities, regulatory examinations, independent audits, and customer/partner due diligence related to security, IT, and BCM
Produce concise, defensible narratives, control maps, and evidence packages. Coordinate requests and brief stakeholders before and during exams
Track and oversee remediation of exam and audit findings and report progress to management and risk committees
Publish program health dashboards, KRIs/KPIs, and control maturity assessments to Enterprise Risk Management, management, and risk committees
Coach control owners on expectations, testing methods, evidence hygiene, and automation opportunities
Promote a culture of control excellence, continuous improvement, and proactive risk management across the Bank

Qualification

Cybersecurity Governance
Risk Management
Compliance Programs
Third Party Risk Management
Business Continuity Management
NIST CSF
FFIEC IT Examination Handbooks
Control Frameworks
Automation Skills
GRC Platforms
Communication
Team Leadership
Problem Solving
Adaptability
Emotional Intelligence
Attention to Detail
Goal Orientation

Required

Demonstrated ability to operationalize the FFIEC IT Examination Handbooks, NIST CSF, and the CRI Profile into practical, auditable controls and testing procedures
Proven experience owning or leading Third Party Risk Management, control frameworks, and/or Business Continuity Management programs in a regulated environment
Hands-on skill implementing proactive controls and automating control testing/evidence collection using APIs, various languages (Python, TypeScript, Bash, and/or PowerShell), and data pipelines/dashboards
Familiarity with Azure/Microsoft 365/Entra, Okta, Windows/Linux, networks, CI/CD, vulnerability management, EDR, logging/SIEM, and data protection
Experience with GRC platforms and workflow/ticketing systems
Strong understanding of FFIEC IT Examination Handbooks, NIST CSF, NIST SP 800-53, GLBA, SOX, and PCI DSS and ability to map and rationalize overlapping requirements
Excellent written/oral communication with proven ability to influence cross-functional teams and present to management, auditors, regulators, and fintech partners
Bias for automation and measurable outcomes
Comfortable in fast-moving, high-accountability settings
10+ years in Cybersecurity Risk, Governance, Compliance, Security Operations, and/or risk engineering
3+ years managing a Cybersecurity Risk, Governance, and Compliance team
Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or related field; equivalent experience considered

Preferred

Certifications preferred: CRISC, CISA, CISSP, CISM, CCSK/CCSP, AZ-500 (or comparable)
Experience in regulated industries, especially financial services, strongly preferred

Benefits

Medical Coverage
Health Savings Account (HSA)
Flexible Spending Accounts (FSA)
Dental and Vision Insurance
Life Insurance
Long-Term/Short-Term Disability (LTD)
Supplemental Benefits
401(k) Retirement Plan
Paid Time Off
Holidays

Company

Coastal

At Coastal, we are redefining the banking experience through innovative embedded finance solutions tailored for the modern marketplace.

Funding

Current Stage
Growth Stage

Leadership Team

Danica Hudson
SVP, Head of Enterprise Partnerships & Payments
Erika Heer
Executive Vice President, Chief Human Resources Officer
Company data provided by crunchbase