
Business Information Security Officer (Local Candidates Only / No C2C)

Position Summary

The Business Information Security Officer (BISO) is a Legal-embedded information security and privacy risk leader responsible for ensuring that the company's information security program is legally compliant, defensible, and operationally effective across mortgage operations nationwide.

Reporting into Legal, the BISO serves as the primary liaison between Legal, Compliance, the CISO, IT, and the business, translating regulatory, contractual, and litigation risk into practical security and privacy controls. The role is designed to ensure that information security decisions are aligned with legal risk tolerance, regulatory obligations, and investor expectations applicable to a multi-state independent mortgage lender.

The BISO does not own technical security operations, but provides legal and risk oversight, challenge, and accountability to ensure controls are appropriately designed, implemented, documented, and defensible.

Core Responsibilities

Legal & Regulatory Risk Oversight
• Serve as Legal's designated information security risk lead for business operations.
• Interpret and operationalize the GLBA Safeguards Rule, FTC guidance, state privacy and cybersecurity laws, and investor security requirements.
• Ensure the company's Written Information Security Program (WISP) and supporting policies are legally sufficient, current, and consistently applied.
• Partner with Legal to assess litigation exposure, enforcement risk, and regulatory interpretation related to cybersecurity and privacy.

Business-Level Security Risk Management
• Identify and document business-level information security risks across mortgage origination, servicing, capital markets, and corporate functions.
• Ensure risk assessments appropriately reflect data sensitivity, regulatory exposure, consumer impact, and contractual obligations.
• Provide independent challenge to security design decisions where legal or regulatory risk is elevated.

Incident & Breach Governance
• Act as Legal's security incident governance lead, coordinating with the CISO and IT on technical investigation, with Compliance on regulatory notification, and with Legal on privilege, disclosure, and risk mitigation.
• Ensure incidents are evaluated for legal notification triggers, contractual obligations, and record-retention requirements.
• Maintain incident documentation suitable for regulators, investors, and litigation defense.

Vendor & Contractual Security Risk
• Partner with Legal and Procurement to review vendor security representations, SOC reports, and risk assessments, and to ensure contracts contain appropriate data protection, audit, and breach notification provisions.
• Escalate unacceptable vendor security risks from a legal exposure perspective.

Governance, Reporting & Escalation
• Support board and executive reporting on information security risk from a legal and regulatory lens.
• Escalate material security risks, control gaps, and unresolved issues through Legal and Enterprise Risk governance channels.
• Support regulatory exams, audits, and investor reviews as the business and legal security SME.

Required Qualifications
• Strong experience at the intersection of information security, regulatory compliance, and legal risk.
• Financial services or mortgage industry experience strongly preferred.
• Demonstrated comfort working with Legal leadership, regulators, auditors, and executive management.

Education
• Bachelor's degree in Information Security, Cybersecurity, Information Systems, Computer Science, or Business Administration/Finance with security experience.
• Graduate degree (optional but differentiating): MBA or MS in Cybersecurity, Information Assurance, or Risk Management.
• Degrees are less critical than demonstrated risk leadership and framework fluency.

Core Professional Experience
• 10–15+ years of experience in information security, IT risk, compliance, or audit.
• Proven business-facing risk ownership and accountability.
• Experience with regulatory exams, audits, and executive/board-level communication.
• Ability to translate security findings into financial and operational impact.

Professional Certifications
• CISSP – Certified Information Systems Security Professional.
• CISM – Certified Information Security Manager (best aligned to the BISO role).
• CRISC – Certified in Risk and Information Systems Control.
Governance, Audit, Risk:
• CISA – Certified Information Systems Auditor.
• CGRC (formerly CAP).
• ISO 27001 Lead Implementer or Lead Auditor.
• FAIR Risk Analysis Certification.
Business & Leadership:
• MBA or Executive Leadership Programs.
• ITIL (Managing Professional or Strategic Leader).
• Six Sigma / Lean certifications.

Framework Fluency
• NIST Cybersecurity Framework (CSF) and NIST SP 800-53.
• ISO 27001 / 27002.
• SOC 2.
• Industry-specific regulations and guidance such as GLBA, FFIEC, and SOX.

Executive Presence & Business Credibility
• Ability to quantify cyber risk in financial terms.
• Confidence to challenge business decisions while maintaining credibility.
• Accountability for security outcomes, not just an advisory posture.
• Operates as first line of defense embedded in the business.
