Information Security Officer
Summary / Objective
Shaw Systems is a leading national software provider serving the consumer lending and financial services industry. We are seeking an Information Security Officer with the potential to grow into a CISO to lead the protection of corporate and client information assets and drive a secure, scalable technology environment.
This role owns enterprise security strategy, operations, compliance, and risk management while enabling secure adoption of AI, cloud, and automation platforms. The ISO serves as Shaw’s primary authority on information security, partnering across business, technology, and client teams to strengthen security posture and support growth.
Organizational Scope
Direct Reports: Service Operations Manager, Senior Security Engineers, Security/InfoSec Analysts
Team Size: ~8 FTEs + contractors + SOC partner
Enterprise Reach: Full client portfolio (financial services focus)
Cross-Functional Influence: AI Committee; DevOps, Cloud, Implementation
Responsibilities
1. Security Strategy & Program Leadership
Define and mature enterprise information security strategy, policies, and standards
Own and evolve Shaw’s Information Security Program and SOC 2 Type II compliance
Serve as primary security representative for clients, auditors, and executives
Lead risk identification, mitigation, and enterprise security roadmap
Oversee access controls, third-party risk, and security readiness exercises (DR, incident tabletop)
Present security posture, risks, and compliance status to leadership and external stakeholders
Hold named accountability for security representations in client agreements (including MSAs and processing agreements); present security posture and risk to clients, prospects, auditors, and executive forums as required
2. Security Operations (SecOps)
Oversee 24/7 SOC operations (via partner) and incident response lifecycle
Manage threat detection, monitoring, vulnerability management, and remediation
Lead response to authentication threats, phishing, and unauthorized access events
Maintain and enhance security tooling across the stack, including Microsoft Defender, FortiClient VPN, Arctic Wolf MDR, Keeper, KnowBe4, PAM solutions, and data protection technologies (e.g., DLP)
Ensure endpoint, identity, and infrastructure security across cloud and on-prem environments
Drive network, cloud, and infrastructure hardening initiatives
3. AI Governance & Security Architecture
Lead enterprise AI security strategy and rollout (Copilot, LLMs, AI tools)
Design and enforce AI governance framework (usage policies, data protection, access controls)
Architect secure AI/LLM environments (mitigating data leakage, prompt injection, etc.)
Own Microsoft Purview strategy (DLP, labeling, information protection)
Represent AI security posture to clients, auditors, and leadership
Manage strategic vendor relationships, including Microsoft, Anthropic, Arctic Wolf, Fortinet, Keeper, and other security and AI partners, ensuring enterprise value and risk alignment
4. Service Operations Oversight
Provide leadership oversight to Service Operations (infrastructure, endpoints, support)
Ensure reliability, patching, identity governance, and cloud operations (M365/Azure)
Drive SLA performance, operational efficiency, and automation initiatives
Ensure operational rigor through established tooling and cadences, including patch management (e.g., WSUS), endpoint monitoring, and environment audits
5. Compliance, Risk & Audit
Co-own SOC 2 Type II audit lifecycle and evidence management
Maintain enterprise risk register and mitigation tracking
Lead client/vendor security assessments and regulatory readiness
Ensure alignment with frameworks (ISO 27001, NIST, FFIEC, GLBA, SOX)
Ensure third-party vendor due diligence, security requirements, and contractual obligations are aligned with Shaw’s Information Security Program and documented appropriately
Monitor regulatory developments (including AI and privacy laws)
Own security representations in client agreements and audit responses
Provide security review, guidance, and approval on security-related representations in client, regulatory, and third-party engagements, in partnership with executive leadership, Legal, and Compliance
6. Leadership & Culture
Lead, mentor, and develop InfoSec and Service Ops teams
Manage vendors, contractors, and partner performance
Promote enterprise-wide security awareness and training programs
Partner with HR on hiring, workforce planning, and organizational design
7. Strategic & Cross-Functional Collaboration
Advise executive leadership on security and AI risk strategy
Partner with DevOps, Cloud, and Implementation teams on secure design practices
Support business development (security questionnaires, client discussions)
Translate technical risk into business impact for diverse stakeholders
Requirements
Education
Bachelor’s or Master’s degree in Computer Science, Engineering, or related field
Experience & Expertise
10+ years in information security leadership
5+ years securing cloud environments (Azure preferred, AWS acceptable)
Strong experience with SOC 2, ISO 27001, NIST, OWASP, FFIEC, GLBA, SOX
Deep technical background across DevOps, infrastructure, and security tooling
Expertise in network security, IAM, DLP, SIEM, and vulnerability management
Experience with Microsoft security stack (Defender, Purview, Intune, Entra ID, Azure)
Demonstrated experience with AI platforms and governance (e.g., Copilot, LLMs)
Financial services or lending industry experience preferred
Certifications
CISSP (required)
CCSP (required)
ISSAP (preferred)
Leadership Competencies
Strategic security leadership and business alignment
AI governance and emerging technology risk management
Operational execution and compliance discipline
Strong communication, stakeholder influence, and executive presence
Analytical problem-solving and results orientation
Vendor and partner management expertise
Performance Expectations (First 12 Months)
SOC 2 Type II audit completed with no material findings
Enterprise AI governance framework fully implemented
Microsoft Purview DLP and labeling deployed enterprise-wide
Mature security operations cadence with measurable SLAs
Updated BCP/DR program tested
Improved phishing awareness and security training outcomes
Supervisory Responsibility
Leads a team of internal, contractor, and external partners supporting security operations and enterprise infrastructure.
Location
Hybrid: Within 75 miles of Houston, TX
Remote (eligible states): TX, VA, FL, GA, ID, LA, MI, MN, NJ, NC, PA, UT
Travel: 10–25% as needed
Work Environment
Full-time, Monday–Friday; standard business hours with occasional after-hours support as needed.