At Stearns Bank, we're helping people, entrepreneurs, small businesses, and local communities nationwide reach their full financial potential. Sound like something you want to be a part of? If so, we're currently looking for a Director of Information Security. This is a connected mobile role. Come see how we're doing business unusual and charting our own path to reimagine a more inclusive financial services and banking ecosystem for all.
BENEFITS
Stearns Bank understands and respects that everyone is managing unique career, family, and wellness needs. That's why we offer industry-leading benefits to employees to help them live healthy lives and bring their full selves to work every day. Benefits may vary for part-time positions. Some of those benefits include:
• Employee Stock Ownership Plan & 401k Plan
• Healthcare (Medical, Dental, Vision, Telehealth, Life insurance)
• 12-week Paid Parental Leave and Medical Leave: with a cap of 20 weeks for eligible team members who qualify for both Medical and Parental Leave related to the birth of a child
• $5,000 Family Care Reimbursement: Childcare, Elder Care, Student Loan Debt, Pet expenses, Down Payment Assistance
• PTO from 13 to 23 days depending on tenure, with cashout and carryover options
• 10 Days Sick Time
• 11 Paid Holidays
• 4 Days Volunteer Time
• 2 Days Self Allowance Time
• Tuition Assistance
JOB SUMMARY
The Director of Information Security is the Bank's designated Information Security Officer, and is responsible for leading and evolving Stearns Bank's enterprise information security, technology risk and infrastructure security strategy. Operating within the Risk organization, this role provides second-line governance, challenge, and advisory oversight across the Bank's technology ecosystem, including infrastructure, cloud platforms, core systems, digital initiatives, and fintech partnerships.
PRIMARY RESPONSIBILITIES
ENTERPRISE SECURITY STRATEGY & GOVERNANCE
• Lead and continuously evolve the Bank's Information Security Program aligned with 12 CFR Part 30, Appendix B, the FFIEC Information Security Booklet, the OCC Cybersecurity Supervision Work Program, NIST CSF, and regulatory guidance.
• Conduct or direct the annual enterprise-wide IT risk assessment using NIST CSF 2.0, the CRI Profile, or an equivalent framework, identifying threats, vulnerabilities, and risk levels for all information assets.
• Develop and execute a multi-year enterprise security roadmap aligned with business strategy and modernization initiatives.
• Manage the cybersecurity self-assessment process using the Bank's selected framework, the Cyber Risk Institute Framework, ensuring findings are documented, tracked, and reported to the Board.
• Serve as the primary security advisor to executive leadership and Board committees.
• Provide regulator reporting on cyber risk posture, threat landscape and remediation status.
INFRASTRUCTURE & ARCHITECTURE SECURITY ALIGNMENT
• Partner with IT Infrastructure and Transformation leaders to ensure security-by-design across:
  • Network architecture
  • Cloud platforms
  • Endpoint management
  • API security architecture
  • Identity & access management
  • Core banking and fintech integrations
  • Artificial Intelligence (AI) integrations
• Establish secure architecture standards for hardware, networking, segmentation, encryption and endpoint detection.
• Drive adoption of modern security principles including Zero Trust architecture and secure cloud governance.
• Oversee the vulnerability management and patch management lifecycle, monitoring remediation timelines against risk-based SLAs and escalating deficiencies to senior management.
CYBERSECURITY OPERATIONS & EMERGING THREAT MANAGEMENT
• Oversee: threat detection and response, the incident response program, penetration testing and vulnerability management, and SOC oversight.
• Monitor evolving cyber threats, AI-driven risks and geopolitical threat activity.
• Lead incident response coordination and regulatory notification processes when required.
THIRD-PARTY & TECHNOLOGY RISK OVERSIGHT
• Lead and chair the Vendor Management and Third-Party Risk program.
• Conduct information security due diligence on all prospective fintech partnerships during the planning and selection stages of the third-party risk management lifecycle.
REGULATORY & AUDIT LEADERSHIP
• Serve as primary security liaison for all IT audits.
• Serve as primary security liaison for OCC, FDIC, and external examiners.
• Maintain compliance with GLBA, the FFIEC IT Handbook, NIST, PCI and SOC reporting standards.
• Oversee timely remediation of any audit or regulatory findings.
• Ensure compliance with the notification requirements of all relevant regulatory agencies, and maintain documented decision criteria for determining when a "notification incident" has occurred.
DATA PROTECTION & MODERN GOVERNANCE
• Oversee: data classification standards, Data Loss Prevention (DLP), encryption standards, and secure data lifecycle management.
• Align information security with enterprise data governance initiatives.
• Monitor the CFPB's evolving data security enforcement posture and ensure the Bank maintains multi-factor authentication, adequate password management, and timely patching to mitigate UDAAP exposure.
BUSINESS CONTINUITY & OPERATIONAL RESILIENCE
• Own enterprise Business Continuity Management.
• Oversee Business Continuity and Disaster Recovery frameworks in partnership with enterprise risk.
• Ensure cyber resilience testing and tabletop exercises are conducted regularly.
• Integrate operational resilience planning into infrastructure modernization efforts.
• Direct the Business Impact Analysis process, establishing Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and Maximum Tolerable Downtime (MTD) for all critical business functions.
EMERGING TECHNOLOGY & AI GOVERNANCE
• Establish and maintain the Bank's AI and emerging technology acceptable use policy; define approved use cases, prohibited activities, and approval workflows for all AI tools deployed internally or through third-party and fintech partner relationships.
• Classify each AI tool as a "model" or "non-model" under the OCC's model risk management framework, and apply risk-proportionate governance controls, including documentation, validation frequency, and ongoing monitoring, commensurate with each tool's materiality and complexity.
DESIGNATED SECURITY OFFICER RESPONSIBILITIES
• Serve as the Bank's formally designated Security Officer.
• Administer and periodically review the Bank's written Security Program addressing robbery prevention, physical safeguards and employee safety.
• Ensure appropriate security devices and procedures are in place across all banking offices and facilities, including alarm systems, surveillance, access controls and cash handling safeguards.
• Coordinate with Director of Branch leadership and Operations on physical security risk assessments and mitigation strategies; serve as Chair of the Physical Security Committee, conducting quarterly meetings.
REQUIREMENTS
• Occasionally lift and/or move up to 25 lbs.
• Ability to understand and follow instructions in English.
• Ability to sit for extended periods of time; twist, bend, walk, and use hands to twist, handle or feel objects, tools or controls (such as a computer mouse, computer keyboard, calculator, stapler, telephone, staple puller, etc.); reach with hands and arms; balance, stoop, kneel; and talk or hear.
• Specific vision abilities required by the job include close vision, distance vision, peripheral vision, depth perception and the ability to adjust focus.
EXPERIENCE
• 10+ years of progressive experience in cybersecurity, infrastructure security, or enterprise technology risk.
• Experience in a regulated financial institution (OCC or FDIC supervised preferred).
• Demonstrated experience leading security strategy in cloud or hybrid environments.
• Experience overseeing third-party and fintech technology risk.
• Demonstrated ability to lead cross-functional initiatives.
• Experience engaging directly with regulators and auditors.
• Strong program management capabilities.
• High integrity, executive presence and clear communication skills.
• Proven working knowledge of GLBA, SOC, FFIEC and PCI requirements, and of OCC and FDIC guidance on data security and IT examination requirements.
• Experience with auditing processes, including network security, SDLC/change management and IT-related functions.
• Knowledge of the global IT risk regulatory landscape and the risk management model (e.g. threats, vulnerabilities, and controls).
• Strong technical skills (application and operating system hardening, vulnerability assessments, security audits, TCP/IP, intrusion detection systems, firewalls, etc.).
• Experience in developing and maintaining a technology risk assessment process.
• Experience with project and program management concepts and controls.
• Must possess a high degree of integrity and trust along with strong communication skills and the ability to work individually, within a team and with other business groups.
• Experience with or understanding of Disaster Recovery, Business Continuity, and Incident Response initiatives.
• Must have the ability to develop policies and procedures and communicate effectively.
• Understanding of federal and other regulatory requirements and the ability to keep current.
• Experience working with federal examiners.
• Must be open to working on-call.
• BS/MA degree in related technical and security disciplines.
• Certifications in data security and/or auditing procedures not required but preferred.
• Familiarity with banking-related software (Fiserv preferred).
THE COMPANY
Founded in 1912, Stearns Financial Services Inc. (SFSI) is a $3.2 billion, independently owned financial institution with locations in Minnesota, Florida and Arizona, and over 35,000 small business customers nationwide. Specializing in affordable housing financing, USDA and SBA lending, and small business and equipment financing, Stearns Bank is regularly recognized as one of the country's top-performing banks and "Best Banks to Work For" by American Banker.
As a Star Tribune Top Workplaces award recipient and a recipient of the Minnesota Business Magazine 100 Best Places to Work in Minnesota award, Stearns takes pride in its team and holds its employees in extremely high regard. We offer a competitive salary and benefit package including our Employee Stock Ownership Program, one of the best long-term incentive programs in the nation. To learn more about Stearns Bank, visit www.StearnsBank.com.
EQUAL OPPORTUNITY EMPLOYER /AFFIRMATIVE ACTION PLAN
We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, or creed, religion