Chief Information Security Officer

Who Are We Looking For?

The Vestwell Technology organization seeks an exceptional CISO to define and lead our enterprise-wide security strategy. The ideal candidate is a visionary and pragmatic security leader who can translate complex risk into business outcomes, influence across the company and Board, and scale programs that protect our customers, partners, and platform. They bring proven experience building and maturing security programs aligned to leading frameworks, navigating financial services regulatory requirements, and fostering a security-first culture across product, engineering, operations, and all corporate functions. They are as comfortable in the SOC as they are in the boardroom, with equal fluency in technology, governance, and business risk.

What Will You Be Doing?

• Own the enterprise information security vision, multi-year strategy, roadmap, and governance model that align to Vestwell's business goals and growth.
• Build, lead, and develop a high-performing security organization; attract and mentor top talent and scale operating models and processes to meet Vestwell's future needs.
• Evaluate current security technologies and capabilities (e.g., endpoint protection, monitoring/telemetry, DLP, IAM/zero trust, secret management, vulnerability and patch management) and recommend any changes or additions needed to elevate Vestwell's security posture.
• Build and mature a comprehensive security program grounded in recognized frameworks (e.g., NIST, ISO 27001, CIS Controls), including policy architecture, control implementation, and continuous improvement and audit readiness.
• Establish and operationalize key cybersecurity metrics and KRIs/KPIs; provide concise, decision-oriented reporting to executive leadership and key stakeholders.
• Champion a security-first culture via company-wide awareness, training, and targeted education (e.g., phishing exercises), and ensure policies are well-understood and adopted.
• Drive secure-by-design practices across product and engineering (e.g., SDLC, threat modeling, code scanning, penetration testing, cloud/infrastructure hardening) and partner closely with IT, Legal, Compliance, and Operations to safeguard PII and sensitive data.
• Lead security incident management, including strategy, readiness, tabletop exercises, detection/response, crisis communications, lessons-learned, and executive/Board reporting; ensure tight alignment with business continuity and disaster recovery.
• Serve as the technical owner for cyber risk: define risk appetite/tolerances in partnership with executive leadership, establish risk assessment and reporting cadences, and present security posture, investments, and material risks to the CTO and the executive leadership.

Requirements

The Necessities

• 10+ years of progressive experience in cybersecurity with 5+ years leading enterprise security programs or functions; proven leadership in high-growth or highly regulated environments.
• Demonstrated success designing and operating security programs aligned to leading frameworks and sustaining regulatory compliance and audit readiness.
• Expert ability to identify, prioritize, and communicate risk; proven track record translating complex technical concepts into actionable insights and decisions for executive, Board, and technical audiences.
• Strong cross-functional leadership and collaboration skills; experienced at influencing product, engineering, IT, legal, compliance, and operations stakeholders.
• Advanced knowledge across core security domains: endpoint protection, monitoring/telemetry, DLP, IAM/zero trust, vulnerability/patch management, incident response, cloud and infrastructure security, authentication/authorization, and sensitive data protection.
• Experience leading incident response, resiliency programs, and crisis management, including executive and Board-level reporting.

The Extras

• Advanced certifications such as CISSP, CISM, CISA, CCSP, or comparable.
• Familiarity with secure SDLC practices, threat modeling, and penetration testing at scale.
• Experience leading or supporting SOC examinations and financial services regulatory compliance.
• Commitment to continuous learning; up to date on evolving threats, trends, and innovations.

Leadership Competencies

• Strategic thinking with the ability to set vision and drive measurable outcomes.
• Executive communication and Board reporting; crisp, decision-oriented storytelling.
• Talent builder who develops high-performing teams and scalable operating models.
• Bias for partnership and execution; balances risk reduction with business velocity.

This role will be based in the New York City office, and will be part of Vestwell's hybrid in-office operation.

The expected base salary range for this position is $200K-$250K. This position is eligible to participate in the Company Bonus Pool and is eligible to receive new hire equity in the Company. Please note that salary bands are based on NY and other similar metro areas and may differ based on where the role is ultimately hired.