Information / Cyber Security Risk Officer

Heritage Bank has an exciting opportunity to join our organization! We are seeking a Information / Cyber Security Risk Officer to join our Compliance team. The information / cyber security risk officer is responsible for executing the tactical and operational elements of the bank's information and cyber risk management program. This position leads day-to-day risk oversight activities across cybersecurity, information security, third-party / vendor risk, data governance, and business continuity planning (BCP). Geographical location for this position is Tacoma, Washington at the Southern Operations Center. Depending on experience and qualifications, other locations within Heritage Bank’s footprint (WA, OR, ID) may be considered. Base Salary Range : $112,991.00 - $141,236.00 - $169,491.00 annual The Role at a Glance : Leads governance activities to ensure security, vendor, data, and business continuity risks are effectively mitigated, while maintaining and aligning control frameworks with industry best practices and regulatory requirements. Builds and maintains strong working relationships across all lines of business, to include IT, operations, and compliance, to actively foster a risk-aware culture. Assists with the identification, assessment, mitigation, and monitoring of cybersecurity and information security risks across the enterprise and contributes to risk registers and incident trend analyses. Oversees IT control assessments, gap analyses, and control testing, ensuring appropriate documentation and remediation planning. Collaborates with procurement and vendor management partners to ensure all third-party and outsourced service providers undergo risk assessments in alignment with third-party risk guidance and requirements. Partners with data governance and compliance programs to ensure security classification, handling, retention, and access controls over sensitive and regulated data are enforced and operating (e.g., customer PII, NPI, financial records). Acts as the primary liaison with internal and external audit teams and regulatory examiners, for all cybersecurity and third-party risk-related reviews. Ensures effective coordination, clear communication, and timely resolution of audit findings, regulatory inquiries, and identified issues. Supports ongoing vendor risk monitoring activities to include risk rating, annual reassessments, and reporting of vendor performance. Supports the development, testing, and maintenance of business continuity and disaster recovery plans for critical systems and operations. Coordinates and supports tabletop and full-scale exercises, tracks remediation actions, and contributes to program maturity assessments. Core Skills and Qualifications : Bachelor’s degree in Cybersecurity, Information Systems, Risk Management, or related field required. 5+ years of recent and progressive knowledge and experience in an information security and / or risk management role within a financial services or community bank environment required. Ability to quickly grasp and understand the Bank's business and strategic goals and objectives required. Professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), or equivalent preferred. Equivalent combination of education, training, certifications, and / or relevant work experience in a senior or lead capacity may be considered. Provide an exceptional level of service for internal and external customers, with the ability to build and maintain positive, professional relationships, to successfully interact with and influence all levels of management and functional and cross-functional areas across the organization. Highly effective listening, verbal, written, and telephone etiquette business communication skills, including effective questioning strategies, negotiation and presentation skills to communicate security-related concepts in a variety of settings, to a broad range of technical and non-technical staff, with the ability to act as a bridge between IT and business process owners. Ability to read, write, speak, and understand English well. Strategic in approach to problem solving and decision-making, with demonstrated ability to quickly focus on key issues and make decisions under pressure of time constraints. Strong knowledge of regulatory frameworks (e.g. FFIEC, GLBA, PCI-DSS, SOX, FFIEC, HIPAA etc.) and in depth understanding of NIST CSF, ISO 27001, COBIT, COSO and vendor risk management frameworks. Strong understanding of information and cyber security concepts including encryption, access controls, network security, security operations, security architect, threat modeling and design. Thorough knowledge and understanding of related statutory banking compliance regulations issued by the FDIC, FinCEN, and Federal Reserve Board, with strong knowledge of privacy laws, such as GLBA and SOX. Strong planning, organizational, time management, and follow-up skills, demonstrating a strong sense of urgency and ability to execute quickly, timely and efficiently; independently ensuring that priorities are set and commitments and deadlines are met with minimal direction and oversight. Advanced working knowledge and experience in information security assessment and auditing procedures both technical and business perspectives using formal methodologies such as NSA IAM, vulnerability scanning and auditing tools, enterprise-scale network and host-based IDS architectures, firewall architectures, computer investigation and forensics methods and technologies, and secure messaging architectures – required. Unquestionable integrity in handling sensitive and confidential information required. Proficient and advanced use and understanding of MS Office products (Word, Excel, Outlook), with the ability to adapt to and learn new technologies quickly. Work Environment / Conditions : Climate controlled office environment. Work involves being able to concentrate on the matter at hand, under sometimes distracting work conditions, and frequent employee and customer contacts and interruptions during the day. Physical Demands / Effort : Work may involve the constant use of computer screens, reading of reports, and sitting throughout the day. Ability to operate a computer keyboard, multi-line telephone, photocopier, scanner and facsimile which often requires dexterity of hands and fingers with repetitive wrist and hand motion. Typically sitting at a desk or table; intermittently standing, stooping, bending at the waist, walking, climbing, kneeling or crouching to file materials Occasional lifting up to 20 lbs. (files, boxes, etc.). At Heritage Bank, we work hard, but we also know how important it is to take time off to stay healthy, relax, and spend time doing what makes your heart happy! As part of our team, you’ll enjoy a total rewards package, which includes base salary based on the role, experience, and skill set, along with an exceptional benefits package (medical, dental, vision, life insurance, 401(k), community volunteer time), and generous time off policy. Full-time team members receive a minimum of 10 paid vacation days annually

• and eight hours of paid sick leave per month
• , while also enjoying 11 paid holidays each calendar year, and an annual float day. Heritage Bank is an Equal Opportunity EmployerSalary Range Disclaimer The base salary range represents Heritage Bank’s current salary range for the position. Actual salaries will vary depending on factors including, but not limited to, qualifications, experience, and job performance. The range listed is just one component of Heritage Bank’s total compensation package for full time and part time employees. Depending on position, other total compensation rewards may include, monthly, quarterly or annual incentive, and / or bonuses.
• mon