USAA Property and Casualty Insurance Group
AVP, Head of Information Security Protection Executive
USAA Property and Casualty Insurance Group, Charlotte, North Carolina, United States, 28245
At USAA, our mission is to empower our members to achieve financial security through highly competitive products, exceptional service and trusted advice. We seek to be the #1 choice for the military community and their families.Embrace a fulfilling career at USAA, where our core values – honesty, integrity, loyalty and service – define how we treat each other and our members. Be part of what truly makes us special and impactful.**The Opportunity**The **AVP, Head of Information Security Protection** function requires a robust blend of technical expertise, strategic leadership, and deep understanding of the financial sector's unique regulatory and threat landscape.We offer a flexible work environment that requires an individual to be in the office 4 days per week. This position can be based in one of the following offices: San Antonio, Plano, or Charlotte.
\*\*\* Relocation assistance is available for this position \*\*\***What You Will Do:*** Envisions and develops short and long-term strategies within assigned Information Security functional areas including but not limited to Identity and Access Management (IAM), Cyber Threat Operations, or Risk Management based on sound enterprise architecture practices.* Accountable for the teams that identify, measure, track and manage information security programs and strategies in a manner that meets compliance and regulatory requirements.* Influences and executes the development, implementation, and execution of security access controls across USAA environments.* Responsible for oversight of the investigation, analysis and response associated with suspicious behavior, attacks, and security breaches within USAA’s environments using a variety of cyber defense tools to identify and mitigate threats.* Oversees the identification of security trends and evolving technologies to promote the utilization of industry policies, standards, and best practices to protect USAA’s brand and reputation.* Provides executive level oversight in the development of functional policies, procedures, and guidelines.* Responsible for effective written risk and compliance policies, procedures and controls are in place supporting all business activities, processes, systems, strategies, and implementations.* Promotes, facilitates, and sponsors information security opportunities in support of major improvements to processes and systems.* Accountable for communication and collaboration and influencing of senior leaders on matters pertaining to information security threats, risks and mitigation initiatives.* Reports information security risks to executive leadership to assist USAA in meeting compliance and regulatory requirements.* Manages complex business requirements/relationships in accordance with USAA’s adopted information security framework.* Collaborates with leaders from the USAA control partner community including risk management, enterprise compliance, and internal audit.* Provides executive level oversight of the development, implementation, and execution of enterprise information security training programs.* Builds and oversees a team of employees for assigned functional area through ongoing execution of recruiting, development, retention, coaching and support, performance management, and managerial activities.* Ensures risks associated with business activities are effectively identified, measured, monitored, and controlled in accordance with risk and compliance policies and procedures.**Minimum Education:*** Bachelor’s degree in any of the following majors: Information Security, Information Technology, Computer Science, Business Administration, Information Systems/Management, or related field; OR 4+ years of related experience (in addition to the minimum years of experience required) may be substituted in lieu of degree.**Minimum Experience:*** 10+ years of experience in a progressive technical discipline (e.g., Information Security Assurance and Governance, IAM, etc.) with a proven track record of managing major initiatives (e.g., information governance / security, electronic information) and delivering results in a complex matrix environment.* 6+ years of relevant experience in a large financial institution in a supervisory role in IT, cybersecurity, or operational risk management.* 6+ years of people leadership experience in building, managing and/or developing high-performing teams.* Well-versed in regulations and standards related to risk management and information security (FFIEC, HIPAA, Gramm-Leach-Bliley, FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework and the Payment Card Industry Data Security Standard).* Experience collaborating with key resources and stakeholders, influencing decisions, and managing work to achieve strategic goals.* Executive-level business acumen in the areas of business operations, industry practices and emerging trends.* Demonstrated ability to communicate technical information to a non-technical audience.* Advanced knowledge in the field of information systems security, including such areas as identity and access management, cybersecurity engineering, security program policies, processes, and procedures.* Demonstrated experience in vendor contract management and management of distributed development teams and resources.* Demonstrated financial acumen involving budgets, forecasting, and executing on the budgets for applicable information security, cybersecurity, or technology support function.* Extensive knowledge of policy formulation, information security management, and business risk management.* Experience driving the programs necessary to achieve compliance with relevant information security and cybersecurity regulations at an enterprise level.**Key preferred skills and experience include:****Technical Expertise & Experience:*** **Vulnerability Management:** Proven experience in establishing and managing comprehensive **vulnerability scanning, assessment, and remediation programs**. This includes understanding risk-based prioritization, utilizing various scanning tools, and ensuring timely patching and mitigation of identified weaknesses. Experience with **CISA advisories and frameworks like NIST CSF** is crucial.* **Secure Configuration Management:** Deep understanding of establishing and enforcing secure configuration baselines across diverse IT environments (operating systems, applications, network devices, cloud assets). This involves automated monitoring for deviations, managing configuration drift, and ensuring compliance with regulatory standards such as **FFIEC, NIST, and CIS controls**.* **Application Security (AppSec):** Extensive experience in securing applications throughout the software development lifecycle (SDLC), including implementing **DevSecOps practices**, secure coding standards, **SAST, DAST, and API** security. A strong understanding of **OWASP Top 10 and OWASP MASVS** is beneficial.* **Secure Web/Email and Data Labeling:** Expertise in implementing and managing secure email and web solutions, including **advanced encryption, and implementing safe/block lists**. Experience with **data sensitivity labeling*** **Cryptographic Protection:** A solid understanding of **cryptographic principles** and their application in securing data at rest and in transit. This includes knowledge of **symmetric and asymmetric encryption**, key management best practices (including **HSMs**), and the use of cryptography in securing financial transactions, digital signatures, and payment systems. Awareness and strategic planning for the transition to post-quantum cryptography (**PQC**) that involves understanding the threat landscape, identifying cryptography that could be broken by quantum computers, and developing roadmaps for migration to quantum-resistant algorithms, aligning with NIST standards and regulatory mandates.**Leadership & Strategic Skills:*** **Information Security Leadership:** Demonstrated experience #J-18808-Ljbffr
\*\*\* Relocation assistance is available for this position \*\*\***What You Will Do:*** Envisions and develops short and long-term strategies within assigned Information Security functional areas including but not limited to Identity and Access Management (IAM), Cyber Threat Operations, or Risk Management based on sound enterprise architecture practices.* Accountable for the teams that identify, measure, track and manage information security programs and strategies in a manner that meets compliance and regulatory requirements.* Influences and executes the development, implementation, and execution of security access controls across USAA environments.* Responsible for oversight of the investigation, analysis and response associated with suspicious behavior, attacks, and security breaches within USAA’s environments using a variety of cyber defense tools to identify and mitigate threats.* Oversees the identification of security trends and evolving technologies to promote the utilization of industry policies, standards, and best practices to protect USAA’s brand and reputation.* Provides executive level oversight in the development of functional policies, procedures, and guidelines.* Responsible for effective written risk and compliance policies, procedures and controls are in place supporting all business activities, processes, systems, strategies, and implementations.* Promotes, facilitates, and sponsors information security opportunities in support of major improvements to processes and systems.* Accountable for communication and collaboration and influencing of senior leaders on matters pertaining to information security threats, risks and mitigation initiatives.* Reports information security risks to executive leadership to assist USAA in meeting compliance and regulatory requirements.* Manages complex business requirements/relationships in accordance with USAA’s adopted information security framework.* Collaborates with leaders from the USAA control partner community including risk management, enterprise compliance, and internal audit.* Provides executive level oversight of the development, implementation, and execution of enterprise information security training programs.* Builds and oversees a team of employees for assigned functional area through ongoing execution of recruiting, development, retention, coaching and support, performance management, and managerial activities.* Ensures risks associated with business activities are effectively identified, measured, monitored, and controlled in accordance with risk and compliance policies and procedures.**Minimum Education:*** Bachelor’s degree in any of the following majors: Information Security, Information Technology, Computer Science, Business Administration, Information Systems/Management, or related field; OR 4+ years of related experience (in addition to the minimum years of experience required) may be substituted in lieu of degree.**Minimum Experience:*** 10+ years of experience in a progressive technical discipline (e.g., Information Security Assurance and Governance, IAM, etc.) with a proven track record of managing major initiatives (e.g., information governance / security, electronic information) and delivering results in a complex matrix environment.* 6+ years of relevant experience in a large financial institution in a supervisory role in IT, cybersecurity, or operational risk management.* 6+ years of people leadership experience in building, managing and/or developing high-performing teams.* Well-versed in regulations and standards related to risk management and information security (FFIEC, HIPAA, Gramm-Leach-Bliley, FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework and the Payment Card Industry Data Security Standard).* Experience collaborating with key resources and stakeholders, influencing decisions, and managing work to achieve strategic goals.* Executive-level business acumen in the areas of business operations, industry practices and emerging trends.* Demonstrated ability to communicate technical information to a non-technical audience.* Advanced knowledge in the field of information systems security, including such areas as identity and access management, cybersecurity engineering, security program policies, processes, and procedures.* Demonstrated experience in vendor contract management and management of distributed development teams and resources.* Demonstrated financial acumen involving budgets, forecasting, and executing on the budgets for applicable information security, cybersecurity, or technology support function.* Extensive knowledge of policy formulation, information security management, and business risk management.* Experience driving the programs necessary to achieve compliance with relevant information security and cybersecurity regulations at an enterprise level.**Key preferred skills and experience include:****Technical Expertise & Experience:*** **Vulnerability Management:** Proven experience in establishing and managing comprehensive **vulnerability scanning, assessment, and remediation programs**. This includes understanding risk-based prioritization, utilizing various scanning tools, and ensuring timely patching and mitigation of identified weaknesses. Experience with **CISA advisories and frameworks like NIST CSF** is crucial.* **Secure Configuration Management:** Deep understanding of establishing and enforcing secure configuration baselines across diverse IT environments (operating systems, applications, network devices, cloud assets). This involves automated monitoring for deviations, managing configuration drift, and ensuring compliance with regulatory standards such as **FFIEC, NIST, and CIS controls**.* **Application Security (AppSec):** Extensive experience in securing applications throughout the software development lifecycle (SDLC), including implementing **DevSecOps practices**, secure coding standards, **SAST, DAST, and API** security. A strong understanding of **OWASP Top 10 and OWASP MASVS** is beneficial.* **Secure Web/Email and Data Labeling:** Expertise in implementing and managing secure email and web solutions, including **advanced encryption, and implementing safe/block lists**. Experience with **data sensitivity labeling*** **Cryptographic Protection:** A solid understanding of **cryptographic principles** and their application in securing data at rest and in transit. This includes knowledge of **symmetric and asymmetric encryption**, key management best practices (including **HSMs**), and the use of cryptography in securing financial transactions, digital signatures, and payment systems. Awareness and strategic planning for the transition to post-quantum cryptography (**PQC**) that involves understanding the threat landscape, identifying cryptography that could be broken by quantum computers, and developing roadmaps for migration to quantum-resistant algorithms, aligning with NIST standards and regulatory mandates.**Leadership & Strategic Skills:*** **Information Security Leadership:** Demonstrated experience #J-18808-Ljbffr