Information Security Manager

Acumen Technology

$115K — $125K *
Finance & Insurance
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 3+ years of information security experience with a focus on program execution
  • Strong knowledge of FFIEC IT Examination Handbook requirements
  • Experience conducting SOC 2 readiness assessments and producing gap analysis documentation
  • Proven ability to create professional-grade security documents independently
  • Strong written communication skills, producing polished client-facing content
  • Demonstrated ability to manage multiple client engagements effectively
  • Active CISSP, CISM, CRISC or similar certification

Responsibilities

  • Serve as primary contact for clients preparing for regulatory IT examinations
  • Organize audit requested items and produce written summaries of control effectiveness
  • Draft formal written responses and corrective action plans for third-party audit findings
  • Track open findings and produce status updates for clients
  • Lead clients through SOC 2 Type I and Type II readiness assessments
  • Design and facilitate tabletop exercises for security incident response
  • Review third-party vendor audit reports and produce risk summaries

Benefits

  • 100% employer-paid health insurance (medical and dental) with coverage for initial medical expenses
  • Company matching 401k
  • Flexible hybrid work schedule
  • Fun work environment with regular employee and family activities
  • Family vacation bonus after 5 years of service
Full Job Description
ROLE

This is a hands-on practitioner role. You will meet with clients, assess their security posture, and then do the work - drafting the policy, completing the risk assessment, building the remediation plan, and delivering it back to the client in a finished, usable form.

The right candidate thrives on the full cycle: client meeting 1 assessment 1 heads-down execution 1 polished deliverable back in the client's hands

You will manage a portfolio of clients that is predominantly financial institutions - community banks, credit unions, and financial services firms make up approximately 80% of the practice. The remainder includes clients in professional services, healthcare, and construction.

On any given week, you might:
  • Spend a morning walking a community bank through their pre-exam request list, then spend the afternoon drafting their written response findings.
  • Design and facilitate a tabletop exercise for a bank's leadership team simulating a ransomware event, then write up the after-action report and deliver it within the week
  • Review vendor SOC 2 reports that came in for a client, assess the findings, and produce a risk summary the bank's risk committee can act on
  • Rewrite a client's outdated Acceptable Use Policy and Information Security Policy to align with current FFIEC guidance and have both ready for board approval
  • Lead a SOC 2 readiness check-in with a professional services client, update their evidence tracker, and coordinate with their external auditor on outstanding items


KEY RESPONSIBILITIES

Bank Exam & Audit Support
  • Serve as the primary point of contact for clients preparing for FDIC, OCC, NCUA, and state banking regulator IT examinations, owning the preparation process from start to finish
  • Organize and package audit requested items, complete pre-exam readiness checklists, and produce written summaries of control effectiveness that clients can hand directly to examiners
  • Review third-party audit findings and examination results, then draft formal written responses, corrective action plans, and remediation timelines on the client's behalf
  • Track open findings and recommendations to closure, producing status updates and evidence packages at each milestone
  • Maintain current knowledge of FFIEC IT Examination Handbook updates and translate regulatory changes into specific, actionable steps for each client
  • Document client check-ins using Microsoft Planner or a similar task management tool, ensuring all action items, deliverables, and blockers are clearly captured, assigned, and tracked through resolution.


SOC 2 Readiness
  • Lead clients through SOC 2 Type I and Type II readiness assessments including scoping, gap analysis, control testing, and evidence collection
  • Produce formal gap analysis reports with prioritized remediation roadmaps in finished, client-ready form
  • Build and maintain client control evidence libraries and audit packages, keeping documentation current between audit cycles
  • Coordinate with external auditors on the client's behalf and serve as the primary point of contact throughout the audit process


Tabletop Exercises
  • Design, facilitate, and debrief tabletop exercises for community bank clients covering security incident response, business continuity, and disaster recovery scenarios
  • Develop realistic, client-specific exercise scenarios based on current threat intelligence and regulatory expectations for financial institutions
  • Produce written after-action reports documenting exercise findings, gaps identified, and recommended improvements, delivered to the client within an agreed turnaround
  • Update client incident response, business continuity, and disaster recovery plans based on exercise outcomes


Third-Party & Vendor Risk
  • Review third-party vendor audit reports (SOC 2, penetration tests, security assessments) on behalf of clients and produce written summaries of findings and risk exposure
  • Draft formal vendor risk assessment responses and management memos that clients can file, present to examiners, or include in board reporting
  • Maintain client vendor inventories and assessment schedules, tracking due dates and ensuring assessments are completed on time


Security Policy Development
  • Draft, update, and maintain client information security policies, standards, and procedures written in plain language, tailored to each client's environment, and ready to adopt without further editing
  • Conduct periodic policy reviews against current FFIEC guidance, NIST CSF, and SOC 2 requirements and produce updated versions that reflect any gaps or regulatory changes
  • Manage client policy libraries to ensure all documents are versioned, reviewed on schedule, and accessible for audit purposes


Ongoing Client Engagement
  • Meet regularly with client stakeholders to review program status, prioritize the work queue, and present completed deliverables
  • Manage a multi-client portfolio with disciplined task tracking, clear timelines, and consistent follow-through on every commitment made in a client meeting
  • Serve as an advisory resource during client security incidents, providing written guidance on containment, notification obligations, and regulatory reporting requirements

Requirements
  • 3+ years of information security experience with a strong emphasis on hands-on program execution - risk assessments, policy writing, audit preparation, and control documentation
  • Deep, working knowledge of the FFIEC IT Examination Handbook requirements, including the new tools available to replace the retired Cybersecurity Assessment Tool (CAT)
  • Direct experience completing SOC 2 readiness assessments and producing formal gap analysis and remediation documentation
  • Demonstrated ability to author professional-grade security deliverables - policies, risk assessments, remediation plans, board summaries - independently and to a high standard
  • Strong written communication skills; comfortable producing polished, client-facing documents without editorial support
  • Proven ability to manage multiple client engagements simultaneously with discipline, reliability, and follow-through
  • Active CISSP, CISM, CRISC, or equivalent certification
  • Direct experience preparing financial institutions for FDIC, OCC, or NCUA IT examinations and responding to regulatory findings
  • Familiarity with GRC platforms commonly used in financial services (e.g., Ncontracts, LogicManager, or similar)
  • Working knowledge of HIPAA security rule requirements for healthcare clients and general compliance frameworks applicable to professional services environments
  • Experience with Microsoft 365 security controls as deployed in community bank and small-to-mid-market business environments
  • Background in an MSP, consulting firm, or multi-client security advisory practice


WHAT SUCCESS LOOKS LIKE

In your first 90 days:
  • Own and deliver at least two client engagements end-to-end - from intake meeting to finished deliverable - with high client satisfaction
  • Demonstrate consistent follow-through: every commitment made in a client meeting has a deliverable behind it
  • Establish your working rhythm and task management system for managing a multi-client portfolio


Within 12 months:
  • Carry a full client portfolio with strong retention and client satisfaction scores
  • Have guided at least one client through a table top exercise, 3rd party audit, a regulatory examination, or SOC 2 audit with documented, positive outcomes
  • Be the person clients call not just for advice, but because they know something finished will come back to them

Benefits

  • Annual salary between $115,000 - 125,000 depending on fit and experience.
  • 100% employer paid health insurance (medical and dental) and first $1,000 of qualified medical expenses covered
  • Company Matching 401k
  • Flexible hybrid schedule
  • Fun working environment and culture with regular activities both for employees and their families
  • Family vacation bonus at 5th year


Similar Jobs

More Jobs at Acumen Technology

More Finance & Insurance Jobs

Find similar Information Security Manager jobs: