Deputy Chief Information Security Officer

    • Rockville, MD

FINRA operates regulatory and market systems â€" such as the Consolidated Audit Trail (CAT), Trade Reporting and Compliance Engine (TRACE), and Central Registration Depository (CRD) â€" that contain sensitive information that must be accurately stored and processed in a secure manner. If confidentiality, integrity, or availability of these systems is impacted by a cyber-attack or other disruptive event, continued stable and fair operation of the US equities markets could be put at risk. Given the important role FINRA performs in the fair and stable operation of US equities markets, FINRA takes cyber threats very seriously and strives to counter all meaningful risks through sound and effective Cyber and Information Security policies, technical and non-technical controls, risk management functions, governance processes, and awareness training.

The primary role of the Deputy CISO is to support and augment the CISO in all aspects of FINRA’s Cyber and Information Security program and provide security strategy thought leadership. Additionally, the Deputy CISO will directly oversee governance, risk, and compliance functions as well as Application Security (AppSec).

  • Develop, support, and advance strategies, policies, programs, and projects designed to continually improve and enhance FINRA’s cyber and information security posture and resiliency.
  • Oversee FINRA’s compliance with applicable laws, rules and regulations related to cyber and information security â€" including SEC Regulation SCI, FISMA (where required by contract), NIST 800-53 and companion NIST special publications.
  • Direct and oversee software security (AppSec) functions including: developer security training, software security engineering, threat modeling, policies/standards/guidelines, penetration testing, system security plans, and other related activities.
  • Work with the Insider Risk Program Director and establish policies/standards/guidelines to ensure FINRA systems record user activities and access to sensitive data in support of the Insider Risk program.
  • Develop and implement software security compliance program that takes a risk-based approach to ensuring appropriate compliance to policies/standards/guidelines.
  • Serve as gatekeeper for issues that would otherwise require the attention or involvement of the CISO. Regularly respond to inquiries and make decisions on behalf of the CISO. Ensure continuity of operations when the CISO is unavailable.
  • Contribute to awareness and outreach efforts both within FINRA and with our member firms, exchanges, associations (e.g., SIFMA), peer organizations (e.g., DTCC, MSRB, and SIPC) and Financial Services industry groups (e.g., FS-ISAC).
  • Work closely with the FINRA CISO and in support of the FINRA CAT CISO in all aspects of the CAT system security.
  • Assist with compliance of the CAT System, in FINRA’s capacity as CAT Plan Processor, including security obligations established by SEC Rule 613, the Plan Processor Functional Requirements (PPFR), the CAT NMS Plan, and the contract under which FINRA operates.
  • Attend all regular, special and emergency meetings of the CAT Security Working Group as a representative of FINRA SRO.
  • Regularly review operation of security controls and recommend changes designed to improve effectiveness and/or counter emerging risks.
  • Maintain threat, attack and risk models and perform regular analysis to ensure FINRA is adequately mitigating risks.
  • Make appropriate recommendations for security enhancements to the CISO â€" including tools, technologies, services, policies, procedures, and other areas as needed.
  • Lead efforts to evaluate and select vendors for security assessments, penetration testing, and other similar security services.
  • Direct and oversee evaluation of security tools and make acquisition recommendations to the CISO.
  • Manage budgets, maintain financial forecasts, develop and present business cases.
  • Establish objectives and milestones and manage activities to deliver high quality results within budget and schedule.
  • Hire and retain adequate staff, team expertise and other resources (e.g., advisors and counsel) as needed to fulfill obligations.
  • Other duties and obligations as assigned by the CISO.

Education/Experience Requirements:
  • Advanced working knowledge of cyber and information security standards, frameworks, technologies, control strategies, compliance practices
  • Knowledge of and experience working with government and industry security standards and frameworks commonly used in the financial services industry, especially NIST SP800 series, FISMA, FedRAMP, ISO 2700x, and the NIST Cybersecurity Framework
  • Broad and deep knowledge of secure software development, networking, firewalls, load balancers, TCP/IP, web servers, REST APIs, and the other technical underpinnings of modern IT systems
  • Broad knowledge of financial service industry security practices
  • Strong verbal and written communication skills
  • Excellent judgment and interpersonal skills
  • Experience presenting to all levels including C-level officers and Board members
  • Demonstrated senior leadership experience

Required Experience
  • 12+ years of cyber and information security experience
  • 8+ years of supervisory experience, at least 2 years at Director level or higher
  • Financial services industry experience is a plus

Required Education / Certifications
  • Bachelor’s degree in a related discipline; Master’s or higher preferred
  • ISC2 Certified Information System Security Professional (CISSP) certification
  • Additional certifications related to software security, penetration testing, or vendor risk management are highly desired

Working Conditions:

Normal office environment located in Rockville, Maryland or Reston, Virginia. Â Work outside of business hours and some travel may be required.

To be considered for this position, please submit a cover letter and resume. A writing sample may be required as part of the submission.

The information provided above has been designed to indicate the general nature and level of work of the position. It is not a comprehensive inventory of all duties, responsibilities and qualifications required.

Please note: If the “Apply Now” button on a job board posting does not take you directly to the FINRA Careers site, enter into your browser to reach our site directly.

FINRA strives to make our career site accessible to all users. If you need a disability-related accommodation for completing the application process, please contact FINRA’s accommodation help line at 240.386.4865. Please note that this number is exclusively for inquiries regarding application accommodations.

In addition to a competitive salary, comprehensive health and welfare benefits, and incentive compensation, FINRA offers immediate participation and vesting in a 401(k) plan with company match. You will also be eligible for participation in an additional FINRA-funded retirement contribution, our tuition reimbursement program and many other benefits. If you would like to contribute to our important mission and work collegially in a professional organization that values intelligence, integrity and initiative, consider a career with FINRA.

Important Information

FINRA’s Code of Conduct imposes restrictions on employees’ investments and requires financial disclosures that are uniquely related to our role as a securities regulator. FINRA employees are required to disclose to FINRA all brokerage accounts that they maintain, and those in which they control trading or have a financial interest (including any trust account of which they are a trustee or beneficiary and all accounts of a spouse, domestic partner or minor child who lives with the employee) and to authorize their broker-dealers to provide FINRA with duplicate statements for all of those accounts. All of those accounts are subject to the Code’s investment and securities account restrictions, and new employees must comply with those investment restrictionsâ€"including disposing of any security issued by a company on FINRA’s Prohibited Company List or obtaining a written waiver from their Executive Vice Presidentâ€"by the date they begin employment with FINRA. Employees may only maintain securities accounts that must be disclosed to FINRA at one or more securities firms that provide an electronic feed (e-feed) of data to FINRA, and must move securities accounts from other securities firms to a firm that provides an e-feed within three months of beginning employment.

You can read more about these restrictions here.

As standard practice, employees must also execute FINRA’s Employee Confidentiality and Invention Assignment Agreement without qualification or modification and comply with the company’s policy on nepotism.

Search Firm Representatives

Please be advised that FINRA is not seeking assistance or accepting unsolicited resumes from search firms for this employment opportunity. Regardless of past practice, a valid written agreement and task order must be in place before any resumes are submitted to FINRA. All resumes submitted by search firms to any employee at FINRA without a valid written agreement and task order in place will be deemed the sole property of FINRA and no fee will be paid in the event that person is hired by FINRA.

FINRA is an Equal Opportunity and Affirmative Action Employer

All qualified applicants will receive consideration for employment without regard to age, citizenship status, color, disability, marital status, national origin, race, religion, sex, sexual orientation, gender identity, veteran status or any other classification protected by federal state or local laws as appropriate, or upon the protected status of the person’s relatives, friends or associates.

FINRA abides by the requirements of 41 CFR 60-741.5(a). This regulation prohibits discrimination against qualified individuals on the basis of disability, and requires affirmative action by covered prime contractors and subcontractors to employ and advance in employment qualified individuals with disabilities.

FINRA abides by the requirements of 41 CFR 60-300.5(a). This regulation prohibits discrimination against qualified protected veterans, and requires affirmative action by covered prime contractors and subcontractors to employ and advance in employment qualified protected veterans.

©2019 FINRA. All rights reserved. FINRA is a registered trademark of the Financial Industry Regulatory Authority, Inc.

FINRA is the first line of defense for investors and works hard to ensure U.S. financial markets remain robust and operate fairly.

FINRA Company Image

Back to top