Apply on Employer Site

USAA · 1 day ago

AVP, Head of Information Security Protection Executive

Plano, TX

Full-time

Hybrid

Senior Level, Lead/Staff

$224K/yr - $404K/yr

10+ years exp

USAA is dedicated to empowering its members to achieve financial security through exceptional service and trusted advice. The AVP, Head of Information Security Protection is responsible for developing and executing strategies in information security, overseeing compliance and risk management, and leading teams to protect the organization's data and reputation.

BankingFinancial ServicesInsuranceVenture Capital

No H1B

Responsibilities

Envisions and develops short and long-term strategies within assigned Information Security functional areas including but not limited to Identity and Access Management (IAM), Cyber Threat Operations, or Risk Management based on sound enterprise architecture practices

Accountable for the teams that identify, measure, track and manage information security programs and strategies in a manner that meets compliance and regulatory requirements

Influences and executes the development, implementation, and execution of security access controls across USAA environments

Responsible for oversight of the investigation, analysis and response associated with suspicious behavior, attacks, and security breaches within USAA’s environments using a variety of cyber defense tools to identify and mitigate threats

Oversees the identification of security trends and evolving technologies to promote the utilization of industry policies, standards, and best practices to protect USAA’s brand and reputation

Provides executive level oversight in the development of functional policies, procedures, and guidelines

Responsible for effective written risk and compliance policies, procedures and controls are in place supporting all business activities, processes, systems, strategies, and implementations

Promotes, facilitates, and sponsors information security opportunities in support of major improvements to processes and systems

Accountable for communication and collaboration and influencing of senior leaders on matters pertaining to information security threats, risks and mitigation initiatives

Reports information security risks to executive leadership to assist USAA in meeting compliance and regulatory requirements

Manages complex business requirements/relationships in accordance with USAA’s adopted information security framework

Collaborates with leaders from the USAA control partner community including risk management, enterprise compliance, and internal audit

Provides executive level oversight of the development, implementation, and execution of enterprise information security training programs

Builds and oversees a team of employees for assigned functional area through ongoing execution of recruiting, development, retention, coaching and support, performance management, and managerial activities

Ensures risks associated with business activities are effectively identified, measured, monitored, and controlled in accordance with risk and compliance policies and procedures

Qualification

Information SecurityRisk ManagementCompliance KnowledgeCybersecurity LeadershipVulnerability ManagementSecure Configuration ManagementApplication SecurityIncident ResponseTeam LeadershipStrategic PlanningBudget ManagementCommunication Skills

Required

Bachelor's degree in any of the following majors: Information Security, Information Technology, Computer Science, Business Administration, Information Systems/Management, or related field; OR 4+ years of related experience (in addition to the minimum years of experience required) may be substituted in lieu of degree

10+ years of experience in a progressive technical discipline (e.g., Information Security Assurance and Governance, IAM, etc.) with a proven track record of managing major initiatives (e.g., information governance / security, electronic information) and delivering results in a complex matrix environment

6+ years of relevant experience in a large financial institution in a supervisory role in IT, cybersecurity, or operational risk management

6+ years of people leadership experience in building, managing and/or developing high-performing teams

Well-versed in regulations and standards related to risk management and information security (FFIEC, HIPAA, Gramm-Leach-Bliley, FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework and the Payment Card Industry Data Security Standard)

Experience collaborating with key resources and stakeholders, influencing decisions, and managing work to achieve strategic goals

Executive-level business acumen in the areas of business operations, industry practices and emerging trends

Demonstrated ability to communicate technical information to a non-technical audience

Advanced knowledge in the field of information systems security, including such areas as identity and access management, cybersecurity engineering, security program policies, processes, and procedures

Demonstrated experience in vendor contract management and management of distributed development teams and resources

Demonstrated financial acumen involving budgets, forecasting, and executing on the budgets for applicable information security, cybersecurity, or technology support function

Extensive knowledge of policy formulation, information security management, and business risk management

Experience driving the programs necessary to achieve compliance with relevant information security and cybersecurity regulations at an enterprise level

Preferred

Proven experience in establishing and managing comprehensive vulnerability scanning, assessment, and remediation programs. This includes understanding risk-based prioritization, utilizing various scanning tools, and ensuring timely patching and mitigation of identified weaknesses. Experience with CISA advisories and frameworks like NIST CSF is crucial

Deep understanding of establishing and enforcing secure configuration baselines across diverse IT environments (operating systems, applications, network devices, cloud assets). This involves automated monitoring for deviations, managing configuration drift, and ensuring compliance with regulatory standards such as FFIEC, NIST, and CIS controls

Extensive experience in securing applications throughout the software development lifecycle (SDLC), including implementing DevSecOps practices, secure coding standards, SAST, DAST, and API security. A strong understanding of OWASP Top 10 and OWASP MASVS is beneficial

Expertise in implementing and managing secure email and web solutions, including advanced encryption, and implementing safe/block lists. Experience with data sensitivity labeling for PII and financial data, along with associated warning alerts and training, is also important

A solid understanding of cryptographic principles and their application in securing data at rest and in transit. This includes knowledge of symmetric and asymmetric encryption, key management best practices (including HSMs), and the use of cryptography in securing financial transactions, digital signatures, and payment systems. Awareness and strategic planning for the transition to post-quantum cryptography (PQC) that involves understanding the threat landscape, identifying cryptography that could be broken by quantum computers, and developing roadmaps for migration to quantum-resistant algorithms, aligning with NIST standards and regulatory mandates

Demonstrated experience in leading and managing information security teams, developing and executing comprehensive security strategies and roadmaps, and fostering a strong security-aware culture

Proven ability to identify, assess, prioritize, and mitigate security risks. This includes developing and implementing risk management frameworks and strategies aligned with business objectives

Deep understanding of the regulatory landscape governing financial institutions, such as FFIEC, GLBA, PCI DSS, GDPR, SOX, and emerging regulations related to AI and data privacy. Experience in preparing for and managing audits is critical

Experience in developing, testing, and executing incident response plans and business continuity strategies to minimize the impact of security breaches

Excellent communication, interpersonal, and reporting skills to effectively convey complex security concepts to technical and non-technical stakeholders, including executive leadership and the board of directors

Ability to develop a long-term vision for information security, anticipating future threats and technological advancements, and aligning security initiatives with the institution's overall business goals

Experience in managing security budgets, allocating resources effectively, and justifying security investments to senior leadership

Ability to lead, mentor, and develop a high-performing information security team

Direct experience working within a financial services organization is highly advantageous, given the industry's specific risks, regulatory environment, and the sensitive nature of its data

Understanding the unique threat vectors targeting financial institutions is crucial