Talent.com
Chief Information Security Officer
Farmers and Merchants Bank of Long Beach • Seal Beach, CA, US
30+ days ago
Job type
  • Full-time
Job description

Job Summary

The Chief Information Security Officer (CISO) is responsible for developing, implementing, and governing the Bank’s enterprise-wide Information Security Program consistent with Interagency Guidelines Establishing Information Security Standards (GLBA §501(b)), FFIEC IT Examination Handbooks, and the NIST Cybersecurity Framework 2.0 to protect sensitive financial data, customer information, and technological infrastructure. This leader ensures cybersecurity risk is identified, measured, mitigated, monitored, and reported in a manner consistent with safety and soundness expectations. This role focuses on risk management, regulatory compliance (e.g., GLBA, FFIEC, CSF), and maintaining client trust. The CISO manages the Bank Security team, is responsible for the oversight of security operations, and monitors the use of the Bank’s network/hardware/software/security systems to ensure compliance with Bank Policy and federal regulations. The CISO also manages the Bank’s physical security for all locations. The CISO also chairs the Computer Security Incident Response Team (CSIRT) and is responsible for managing incident responses in case of a security breach at the Bank.

This role requires a strong, effective, collaborative and hands-on leader with deep expertise in banking technology to support a growing and rapidly modernizing bank; a proven track record with information security across on-prem, cloud and third-party infrastructure; a strong understanding of risk management and regulatory compliance; and a passion for leveraging secure and resilient technology to enable best-in-class banking service. This role will partner closely with technology, operational and business leadership to realize strategic ambitions in line with F&M’s culture.

Essential Duties

Governance, Risk Management & Regulatory Alignment

  • Support the Chief Risk Officer in ensuring a strong, resilient, and adaptable second line of defense (2LOD), as it relates to information security, to meet the changing requirements in banking.
  • Embrace the role of a technology risk officer.
  • Ensure the Bank complies with federal and state regulations including but not limited to GLBA, HIPAA, PCI-DSS, CCPA, NIST, and FFIEC guidelines.
  • Evolve, maintain, and communicate a clear information security vision and program to minimize risk, ensuring integrity, confidentiality, and availability of data.
  • Ensure annual Board reporting, policy review/approval, and governance consistent with GLBA.
  • Evolve, maintain, and enforce the Information Security Program, policies, procedures, and standards.
  • Evolve, maintain, and enforce the Physical Security Program, policies, and procedures.
  • Maintain measurable security metrics/KRIs and present high-quality, decision-useful dashboards to executives and the Board.
  • Align program maturity and reporting to NIST CSF 2.0 outcomes.
  • Manage and be responsible for control testing in accordance with ERM standards and ensure compliance with network, hardware, and software security standards.
  • Manage and be responsible for the GLBA and other information security risk assessments in accordance with ERM standards.
  • Identify, evaluate, and prioritize security risks across the Bank, implementing and managing a framework to mitigate these risks.

Security Operations, Threat Management & Incident Response

  • Lead security operations, threat detection, continuous monitoring, digital forensics, and incident response.
  • Conduct periodic simulations and tabletop exercises; maintain regulator-ready playbooks.
  • Govern vulnerability management and penetration testing, ensuring timely risk-based remediation.
  • Lead the Computer Security Incident Response Team (CSIRT) to detect, contain, investigate, and recover from cyberattacks.

Security Architecture, Engineering & Technology Governance

  • Define enterprise security architecture incorporating zero trust, cloud security models, network segmentation, encryption baselines, identity governance, and telemetry.
  • Oversee design and integration of security requirements into technology development, acquisition, and maintenance (DA&M).
  • Partner with Technology leadership to shape resilient, scalable architectures that meet regulatory expectations while enabling innovation.
  • Communicate technology risk tradeoffs and investment needs in business terms.
  • Monitor security trends, new regulations, and innovative technologies; identify strategies and techniques to address new challenges.
  • Partner with Information Technology teams to evolve the Bank’s technology architecture and posture while ensuring the safety of the Bank’s data and network.

Identity, Authentication & Access Management (“IAM”)

  • Govern enterprise IAM, including provisioning, deprovisioning, privileged access, and continuous monitoring.
  • Enforce MFA or equivalent-strength controls across workforce, third parties, and high-risk system access, consistent with FFIEC Authentication & Access guidance.
  • Drive culture changes around least privilege, access hygiene, and secure user behaviors across the enterprise.

Third-Party/Vendor Cyber Risk Management

  • Oversee cyber due diligence, contract control requirements, and continuous monitoring of critical vendors and service providers, aligned with FFIEC Outsourcing guidance.
  • Influence procurement, legal, risk, and business owners to adopt a secure-by-design approach to third-party engagements.
  • Oversee the security practices of vendors and third-party service providers. Coordinate with Third-Party Risk management and Information Technology teams.

Assurance, Testing, Audit & Regulatory Interface

  • Ensure independent testing, internal audit reviews, and third-party assessments of the security program, consistent with FFIEC expectations.
  • Track and close findings; provide examiners and auditors with complete, timely, and accurate evidence.
  • Serve as primary executive interface with regulators on cyber matters; demonstrate transparency, discipline, and command of program details.
  • Manage and be responsible for the GLBA and other information security risk assessments in accordance with ERM standards.
  • Organize and lead efforts to progress towards, secure and maintain SOC and ISO certification.

Culture, Talent, Training & Organizational Leadership

  • Manage and develop the Bank Security team.
  • Develop and deliver training programs to educate staff on security best practices.
  • Oversee enterprise security awareness and phishing simulations.
  • Prepare annual budgets and manage them.

Perform other duties as assigned by management.

Essential Duty – On Call Support

The CISO is responsible for providing the on-call schedule to their team on a monthly cadence and will ensure that there is sufficient coverage for after-hours support. The CISO will function as an escalation point for the Deputy Chief Information Security Officer (DCISO) and the information security architects and analysts, and may provide end-user support after hours in the event additional resources are required. The CISO and DCISO must ensure that cell phones are on and available in the event of an end-user support call or outage alert via text message. Management is expected to be available to respond to critical situations, even on a non-scheduled workday.

Complies with all State and Federal Banking regulatory requirements, including but not limited to: BSA, Anti-Money Laundering, OFAC, CIP, Financial Elder Abuse Reporting, Sexual Harassment, Information Security, and privacy requirements. Acts as the control point for the office to ensure that all CIP, BSA, OFAC requirements, procedures and time frames are met.

Basic Knowledge, Skills, and Abilities

  • Strong English language communication skills (spoken and written) with the ability to communicate complex security risks and technologies to non-technical stakeholders.
  • Deep understanding of applicable regulatory frameworks and guidance.
  • Deep understanding of cybersecurity architecture: zero-trust, cloud workload security, network segmentation, IAM/PAM, encryption, logging/telemetry.
  • Deep understanding of cyber operations: threat hunting, incident response, digital forensics, SOC operations, vulnerability management, secure SDLC.
  • Deep understanding of supply chain cyber risk: due diligence, contractual controls, continuous monitoring, and resilience expectations.
  • Able to think strategically, exercise good judgement and effectively improve critical thinking skills.
  • Strong leadership skills, able to motivate and drive behaviors and success.
  • Excellent People Skills including active listening.
  • Customer Service Skills
  • Time Management Skills
  • Detail Oriented
  • Ability to work both independently and with others at all levels.
  • Ability to mentor junior team members.

Officer Title Eligibility – For qualified positions, the Bank may designate an Officer Title to an employee who seeks and/or meets defined competencies for an eligible position. This position qualifies for the officer title(s) Senior Vice President.

Education and Experience

  • Bachelor’s degree in cybersecurity, information systems, computer science, engineering, or related field.
  • Master’s degree preferred (cybersecurity, information assurance, business, or technology management).
  • Professional Certifications (Preferred): CISSP, CISM, CRISC, CISA, CCSP, or GIAC-level technical certifications.
  • 10–15+ years in cybersecurity, information security, or technology risk; 5+ years must be in a regional bank (or comparable regulated financial institution).
  • Must have the proven ability to serve as an effective member of a senior management team, be an effective leader to a team of highly trained personnel and consultants; form, manage and lead committees and interact effectively with law enforcement agencies, risk and data managers, auditors, consultants, vendors, and stakeholders.
  • Demonstrated success presenting to Boards and regulators; direct experience with FFIEC exams.
  • Experience leading SOC/IR, IAM modernization, resilience programs, and third-party risk assurance.
  • Experience governing cyber programs aligned to NIST CSF 2.0 and FFIEC expectations.

Equipment Operated

  • Laptop Computers
  • Standard Office Equipment (copiers, fax machines)

Physical Requirements & Work Environment

  • Onsite four (4) days per week.
  • Requires repetitive movement.
  • Requires standing and/or sitting for prolonged periods of time.
  • Requires lifting up to 50 lbs.
  • Requires using hands to handle, control or feel objects.
  • Office setting w/controlled temperature

As a part of the Bank’s internal control systems, employees holding sensitive positions are required to be absent from their duties for a minimum of two consecutive weeks each year. This position has been deemed to meet the test for a sensitive position, and therefore you will be required to meet the minimum absence requirement every year.

This job description is not intended to be all-inclusive, and employees will be required to perform additional related work duties as assigned by their immediate supervisor and/or management.

Farmers and Merchants Bank of Long Beach reserves the right to revise or change job duties and responsibilities as the need arises. This job description does not constitute a written or implied contract of employment.


February 02, 2026
