SVP, Operational Security & Recovery

SVP, Operational Security & Recovery

The Senior Vice President, Operational Security & Recovery (SVP, OPSEC) provides strategic leadership for the credit union's operational security program. This role is a member of the senior leadership team and is responsible for designing, implementing, and overseeing all aspects of the credit union's operational security program, including framework and strategies designed to effectively manage operational security incidents, ensure operational resiliency, and safeguard the credit union's assets, reputation, and member trust.

Reporting to the Chief Risk Officer (CRO), this role oversees the credit union's information security, disaster recovery, business continuity, incident response, and corporate insurance programs to ensure the organization is prepared to protect member data, respond to disruptive events, and minimize impact to members and partners. This position fosters a culture of risk awareness, member and partner service, and organizational excellence.

1) Serve as the organization's Information Security Officer (ISO) and the executive owner of the credit union's Information Security, Business Continuity, Incident Response, Operational Recovery, and Corporate Insurance functions.

2) Develop and maintain an operational security strategy that is commensurate with the size, complexity, and risk tolerance levels of the organization and effectively prepares the credit union to respond to, recover from, and mitigate the impact of operational security events including, but not limited to, weather events, natural disasters, data incidents, utility outages, technology outages, vendor outages, and other disruptive events.

3) Provide strategic leadership and oversight of processes to embed resiliency planning into strategic initiatives, product development, and technology deployment.

4) Partner with Corporate Communications to develop and maintain an incident communication strategy and effective coordination of incident response activities related to operational security events.

5) Provide strategic leadership and oversight of the credit union's Business Continuity Plan (BCP) and incident response plans, including department-level continuity plans to ensure operational resiliency across the organization.

6) Provide strategic leadership and oversight of the credit union's Business Continuity (BCP) testing strategy and execution, including tabletop exercises, ransomware exercises, simulations, and third-party vendor testing to identify potential weaknesses and improve resiliency.

7) Provide strategic leadership and oversight of the Information Security program to ensure the program meets regulatory expectations, is commensurate with the credit union's cybersecurity risk profile, and serves as an effective and independent second line of defense function through policies, data classification, controls testing, oversight, and partner training.

8) Provide strategic leadership and oversight of the credit union's Disaster Recovery (DR) program to ensure the program meets regulatory expectations, is commensurate with credit union's risk profile and technical architecture and effectively prepares the organization to respond to hardware failure, malicious attacks, ransomware, or other potential threats.

9) Develop and maintain a corporate insurance strategy to protect the credit union's assets, operations, members, and board members, including oversight of all insurance policies (property, liability, cyber, and specialized policies), to ensure alignment with risk appetite and enterprise risk management objectives and to provide adequate protection against evolving risk.

10) Provide strategic leadership and oversight of the evaluation, negotiation, and renewal of corporate insurance policies, monitor market trends and emerging risk for impact to coverage, and ensure insurance and transfer of risk is integrated into incident response processes, business impact analyses, and business continuity planning.

11) Establish and maintain Key Performance Indicators (KPI's) to measure and monitor program performance. Ensure risks are managed within approved appetite for operational, reputational, and information security risk, based on established Key Risk Indicators (KRI's).

12) Provide strong leadership and strategic direction to Business Continuity, Information Security, and other Risk Management leaders, and provide subject matter expertise to members of senior leadership, executive leadership, and the board of director's risk committees.

13) Foster a culture of risk awareness, organizational excellence, and member service through partner training, communication, and collaboration with leaders throughout the organization, ensuring risk assessment participants, business impact analysis participants, and business continuity plan owners are aware of their role as risk partners and are supported by the Operational Security and Recovery team.

14) Provide monthly and quarterly risk reports to specialized risk teams, executive management teams, and board-level risk committees. Develop and provide Annual Report and Program Plan to executive management and board-level risk committees.

15) Serve as a member of the Operational Risk Team and / or Information Security Risk Team (ORT and / or ISRT) and other committees / working groups as assigned.

16) Ensure Operational Security and Recovery processes and results are well documented, maintained as current, and available for audit or examination. Participate in monthly audits and annual regulatory examinations and interact with internal auditors, external auditors, and state and federal regulators.

17) Contribute as a member of the senior leadership team, attend leadership meetings, participate in annual strategic planning, budgeting and prioritization processes, and provide periodic updates to the Board, its sub-committees, and other senior executives.

18) Manages vendor relationships, including :

Involvement in sourcing, evaluating, and selecting vendors.

Participation in the negotiating of contracts with potential vendors to ensure optimal pricing and mitigation of third-party risks.

Ongoing monitoring of vendors (of both performance and reputation) to ensure they provide quality products and services in alignment with organizational goals.

Required Skills

The SVP, Operational Security & Recovery (SVP, OPSEC) is a thought leader who has expert knowledge of incident management and operational security, including demonstrated strength in applying business continuity and disaster recovery planning principals at all levels of the enterprise. The SVP, OPSEC also has knowledge of data security, technology infrastructure environments, corporate insurance, and risk management. The following are also required :

1) A bachelor's degree in business, risk management, information systems, or other relevant discipline required. A master's degree is preferred.

2) At least 10+ years' experience in a senior management position, with prior direct experience leading risk management, operational security or related programs. Experience leading validation or assurance functions is also preferred.

3) Demonstrated understanding of operational risk, information security risk, and reputation risk.

4) Demonstrated understanding of laws and regulations that govern financial institutions and data security, including consumer privacy laws.

5) Professional certification in business continuity, disaster recovery, or similar discipline. Certification in risk management or information security is also preferred.

6) Strong analytical, strategic thinking, and crisis management skills.

7) Senior-level written and verbal communication skills, including the ability to disseminate information, inspire confidence and trust, and motivate partner-employees.

8) Demonstrated exceptionally strong leadership skills, having an ability to work collaboratively and influence cross-functional teams, senior leaders, and the board of directors.

9) Demonstrated ability to drive and manage initiatives that increase operational efficiency, enhance quality, and improve / maintain service levels.

10) Proven ability to analyze complex situations, solve problems, and design recommendations to accomplish business and tactical goals.

11) Demonstrated ability to balance risk management efforts with the needs of the business to serve members and partner-employees.