ROLEThis is a hands-on practitioner role. You will meet with clients, assess their security posture, and then do the work - drafting the policy, completing the risk assessment, building the remediation plan, and delivering it back to the client in a finished, usable form.
The right candidate thrives on the full cycle: client meeting 1 assessment 1 heads-down execution 1 polished deliverable back in the client's hands
You will manage a portfolio of clients that is predominantly financial institutions - community banks, credit unions, and financial services firms make up approximately 80% of the practice. The remainder includes clients in professional services, healthcare, and construction.
On any given week, you might:
- Spend a morning walking a community bank through their pre-exam request list, then spend the afternoon drafting their written response findings.
- Design and facilitate a tabletop exercise for a bank's leadership team simulating a ransomware event, then write up the after-action report and deliver it within the week
- Review vendor SOC 2 reports that came in for a client, assess the findings, and produce a risk summary the bank's risk committee can act on
- Rewrite a client's outdated Acceptable Use Policy and Information Security Policy to align with current FFIEC guidance and have both ready for board approval
- Lead a SOC 2 readiness check-in with a professional services client, update their evidence tracker, and coordinate with their external auditor on outstanding items
KEY RESPONSIBILITIESBank Exam & Audit Support- Serve as the primary point of contact for clients preparing for FDIC, OCC, NCUA, and state banking regulator IT examinations, owning the preparation process from start to finish
- Organize and package audit requested items, complete pre-exam readiness checklists, and produce written summaries of control effectiveness that clients can hand directly to examiners
- Review third-party audit findings and examination results, then draft formal written responses, corrective action plans, and remediation timelines on the client's behalf
- Track open findings and recommendations to closure, producing status updates and evidence packages at each milestone
- Maintain current knowledge of FFIEC IT Examination Handbook updates and translate regulatory changes into specific, actionable steps for each client
- Document client check-ins using Microsoft Planner or a similar task management tool, ensuring all action items, deliverables, and blockers are clearly captured, assigned, and tracked through resolution.
SOC 2 Readiness- Lead clients through SOC 2 Type I and Type II readiness assessments including scoping, gap analysis, control testing, and evidence collection
- Produce formal gap analysis reports with prioritized remediation roadmaps in finished, client-ready form
- Build and maintain client control evidence libraries and audit packages, keeping documentation current between audit cycles
- Coordinate with external auditors on the client's behalf and serve as the primary point of contact throughout the audit process
Tabletop Exercises- Design, facilitate, and debrief tabletop exercises for community bank clients covering security incident response, business continuity, and disaster recovery scenarios
- Develop realistic, client-specific exercise scenarios based on current threat intelligence and regulatory expectations for financial institutions
- Produce written after-action reports documenting exercise findings, gaps identified, and recommended improvements, delivered to the client within an agreed turnaround
- Update client incident response, business continuity, and disaster recovery plans based on exercise outcomes
Third-Party & Vendor Risk- Review third-party vendor audit reports (SOC 2, penetration tests, security assessments) on behalf of clients and produce written summaries of findings and risk exposure
- Draft formal vendor risk assessment responses and management memos that clients can file, present to examiners, or include in board reporting
- Maintain client vendor inventories and assessment schedules, tracking due dates and ensuring assessments are completed on time
Security Policy Development- Draft, update, and maintain client information security policies, standards, and procedures written in plain language, tailored to each client's environment, and ready to adopt without further editing
- Conduct periodic policy reviews against current FFIEC guidance, NIST CSF, and SOC 2 requirements and produce updated versions that reflect any gaps or regulatory changes
- Manage client policy libraries to ensure all documents are versioned, reviewed on schedule, and accessible for audit purposes
Ongoing Client Engagement- Meet regularly with client stakeholders to review program status, prioritize the work queue, and present completed deliverables
- Manage a multi-client portfolio with disciplined task tracking, clear timelines, and consistent follow-through on every commitment made in a client meeting
- Serve as an advisory resource during client security incidents, providing written guidance on containment, notification obligations, and regulatory reporting requirements
Requirements- 3+ years of information security experience with a strong emphasis on hands-on program execution - risk assessments, policy writing, audit preparation, and control documentation
- Deep, working knowledge of the FFIEC IT Examination Handbook requirements, including the new tools available to replace the retired Cybersecurity Assessment Tool (CAT)
- Direct experience completing SOC 2 readiness assessments and producing formal gap analysis and remediation documentation
- Demonstrated ability to author professional-grade security deliverables - policies, risk assessments, remediation plans, board summaries - independently and to a high standard
- Strong written communication skills; comfortable producing polished, client-facing documents without editorial support
- Proven ability to manage multiple client engagements simultaneously with discipline, reliability, and follow-through
- Active CISSP, CISM, CRISC, or equivalent certification
- Direct experience preparing financial institutions for FDIC, OCC, or NCUA IT examinations and responding to regulatory findings
- Familiarity with GRC platforms commonly used in financial services (e.g., Ncontracts, LogicManager, or similar)
- Working knowledge of HIPAA security rule requirements for healthcare clients and general compliance frameworks applicable to professional services environments
- Experience with Microsoft 365 security controls as deployed in community bank and small-to-mid-market business environments
- Background in an MSP, consulting firm, or multi-client security advisory practice
WHAT SUCCESS LOOKS LIKEIn your first 90 days:
- Own and deliver at least two client engagements end-to-end - from intake meeting to finished deliverable - with high client satisfaction
- Demonstrate consistent follow-through: every commitment made in a client meeting has a deliverable behind it
- Establish your working rhythm and task management system for managing a multi-client portfolio
Within 12 months:
- Carry a full client portfolio with strong retention and client satisfaction scores
- Have guided at least one client through a table top exercise, 3rd party audit, a regulatory examination, or SOC 2 audit with documented, positive outcomes
- Be the person clients call not just for advice, but because they know something finished will come back to them
Benefits- Annual salary between $115,000 - 125,000 depending on fit and experience.
- 100% employer paid health insurance (medical and dental) and first $1,000 of qualified medical expenses covered
- Company Matching 401k
- Flexible hybrid schedule
- Fun working environment and culture with regular activities both for employees and their families
- Family vacation bonus at 5th year