Old National Bank

Information Security & Technology Mgr, Sr

$98K — $199K *
Finance & Insurance
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in IT, Cybersecurity, Risk Management, or related field (advanced degree preferred)
  • 10+ years of experience in information security and technology risk within regulated industries, with at least 3 years in a managerial role
  • Experience with recognized risk governance frameworks (e.g., NIST, ISO 27001) and banking regulations
  • Proven ability to develop and implement risk monitoring and validation processes
  • Strong communication skills for presenting risk issues to committees and stakeholders
  • Ability to establish collaborative relationships across all organizational levels
  • In-depth knowledge of audit techniques and banking laws

Responsibilities

  • Develop and maintain the Information Security & Technology Risk Management framework
  • Provide independent challenge and advisory support on risk identification and control effectiveness
  • Oversee compliance with information security policies and standards
  • Execute second-line monitoring and validation of the first line's controls
  • Compile and deliver risk reporting to management and committees
  • Establish an independent testing and validation plan for risk control
  • Manage security training and awareness initiatives across the organization

Benefits

  • Opportunities for professional development and advanced training
  • Supportive work culture emphasizing collaboration and teamwork
  • Engagement with various stakeholders across the organization
  • Access to leadership and management development resources
  • Involvement in regulatory examinations and audits, providing a broader exposure to industry standards

Full Job Description

Overview

The Information Security & Technology Risk Manager supports and executes second line of defense (2LOD) governance, oversight, and independent challenge across information security and technology risk at Old National Bancorp. Reporting to the Director of Information Security & Technology Risk, this role is responsible for establishing and maintaining the enterprise information security and technology risk framework, including policies, standards, and monitoring practices, to ensure alignment with Board‑approved risk appetite and regulatory expectations.

This role supports the execution and continuous enhancement of the Information Security and Technology Risk Management Program, helping to safeguard the confidentiality, integrity, and availability of customer, employee, and business information in accordance with ONB policies and applicable regulatory requirements. The Manager serves as a consultative partner to both the first and second lines of defense, providing risk advisory and interpretation of regulatory expectations to business units and leadership.

Additionally, this role provides independent oversight of first‑line technology and information security activities, leveraging strong analytical expertise and sound risk judgment to assess, challenge, and strengthen risk management practices and control effectiveness. Key responsibilities include overseeing governance, risk, and compliance (GRC) activities, leading independent testing and validation, and managing corporate security awareness initiatives.

Key Accountabilities

The Information Security and Technology Risk Manager and the second line team are directly responsible for enterprise oversight of Information Security and Technology Risk Management including but not limited to:

Governance, Risk & Compliance (GRC) – Information Security and Technology Risk Management Framework Ownership

  • Support the development, enhancement, and ongoing maintenance of the enterprise Information Security & Technology Risk Management (ISTRM) framework, including programs, policies, standards, guidelines, and procedures to ensure alignment with regulatory and industry expectations.
  • Contribute to the maintenance of technology and cyber risk taxonomy, risk appetite alignment, and key risk indicators (KRIs), supporting consistent risk measurement, monitoring, and reporting to management and Board committees.
  • Provide independent challenge and advisory support to first line risk offices and technology leadership on risk identification, control effectiveness, and remediation prioritization, while partnering with stakeholders to ensure timely issue identification and resolution.
  • Oversee adherence to information security and technology risk policies, programs, and standards, including monitoring control effectiveness and supporting continuous improvement of governance, risk analysis, and oversight practices.
  • Support the implementation of information security and technology risk governance, monitoring, and risk management activities, including security awareness initiatives, to promote a strong control environment and risk-aware culture.
  • Apply risk management practices to safeguard sensitive data and support compliance with applicable legal, regulatory, and industry requirements across information assets and technology systems.

Risk Identification, Assessment, Monitoring & Reporting (2LOD)

  • Execute and oversee second line monitoring and review activities using a risk-based approach, including validation of control design and operating effectiveness performed by first line teams.
  • Maintain and support governance of risk registers, issue inventories, and exception tracking within the enterprise GRC platform; ensure appropriate documentation, escalation, and reporting cadence.
  • Develop and deliver clear, concise risk reporting for management and risk committees, including trends, material findings, and aging issues/exceptions.

Independent Testing & Validation (Assurance within 2LOD)

  • Establish and execute an annual independent testing and validation plan across information security and technology risk domains, informed by risk assessments, regulatory expectations, and audit/exam feedback.
  • Perform independent validation of remediation for material issues and control deficiencies; confirm evidence sufficiency and recommend formal closure or escalation where gaps remain.
  • Coordinate with Internal Audit (3LOD) and external examiners to align testing scopes, reduce duplication, and ensure timely resolution of findings.

Security Training, Awareness & Culture

  • Manage and enhance enterprise security training and awareness activities, including administration of required training and tracking of completion metrics.
  • Monitor alignment of enterprise training and awareness efforts with regulatory expectations and evolving threat landscape; report on participation and identified gaps.
  • Partner with HR, Compliance, and business units to promote a consistent and risk-aware culture across the organization.

Regulatory, Audit & Committee Engagement

  • Support regulatory examinations and audits related to information security, technology risk, and resilience by providing documentation, evidence, and responses as needed.
  • Contribute to preparation of management and committee reporting materials, including risk posture updates and tracking of action items.
  • Collaborate with Technology, Information Security (1LOD), ERM, Compliance, TPRM, and Legal to support practical and effective governance and risk management practices.

Key Competencies for Position

People Leadership:

  • Coach & Empower Others: Provides timely feedback, support, and guidance to encourage and support associates to accomplish tasks, solve problems, and enhance their professional development.
  • Lead Change: Leads change efforts, engaging team members who are resistant to change to gain their support and commitment, helping associates understand why the change is occurring, continuously sharing information, and assessing the adoption of the change.

Culture Leadership:

  • Culture & Values Leadership: Demonstrates Old National's culture in daily interactions and encourages associates to live by our culture and core values.

Execution Leadership:

  • Drive and Execution: Establishes clear objectives, metrics, and governance cadence; delivers risk oversight commitments with rigor and follow-through.
  • Collaboration: Builds trusted partnerships across Risk, Technology, Security, Compliance, and the business to drive consistent risk outcomes.
  • Risk Leadership / Independent Challenge: Demonstrates credibility and judgment to challenge first line decisions, validate evidence, and escalate material risks appropriately.
  • Communication: Communicates complex risk and control topics clearly to executive management and governance committees; ensures timely escalation and stakeholder alignment.
  • Analytical Problem Solving: Synthesizes qualitative and quantitative risk data to identify themes, prioritize actions, and recommend pragmatic risk responses.

Qualifications and Education Requirements

  • Bachelor's degree in Information Technology, Cybersecurity, Risk Management, Audit, or related field (advanced degree preferred).
  • 10+ years relevant experience across information security, technology risk, governance, risk, and compliance (GRC), or related disciplines in a highly regulated industry, with a minimum of 3 years managing teams.
  • 3+ years of management experience.
  • Demonstrated experience aligning security and technology risk governance to recognized frameworks (e.g., NIST, ISO 27001) and banking regulatory expectations.
  • Experience establishing risk monitoring, independent testing/validation, and issue/exception governance processes with strong evidence discipline.
  • Strong communication skills; experience presenting risk posture, trends, and recommendations to management committees.
  • Proven ability to partner effectively across all levels of the organization and develop positive working relationships.
  • Strong presence with internal partners and external constituents, as necessary.
  • Thorough understanding of auditing/examination techniques. Knowledge of applicable state and federal banking laws and regulations and of bank services, policies, and procedures.
  • Demonstrates conceptual thinking and analytical skills. Advanced problem-solving skills with the ability to define problems, analyze variables and propose solutions.
  • Knowledgeable risk management professional with strong leadership skills, supervisory experience, and strong interpersonal skills.

Preferred certifications:

  • CISSP, CISM, CISA, CRISC, or equivalent.

About Old National Bank

Old National Bank is a regional bank with its headquarters in Evansville, Indiana. It is the largest financial services holding company headquartered in Indiana and operates in Indiana, Kentucky, Michigan, Wisconsin, and Minnesota. The bank offers a range of financial services, including personal and business banking, wealth management, and insurance. Old National Bank has a strong commitment to community involvement and has been recognized for its philanthropic efforts. The bank has received numerous awards for its workplace culture and has been named one of the Best Banks to Work For by American Banker.

  • Size: 4,333 employees
  • Market Cap: $5.1 billion
  • Net Income: $226.4 million
  • Founded: 1834
  • 5 Year Trend: +7.4%
  • NASDAQ
