Vice President, Information Security

About InvoiceCloud:

InvoiceCloud is a leading provider of online bill payment services. Founded in 2009, the company has grown to be one of the leading disruptors in the cloud-based electronic bill presentment and payment (EBPP) space, helping institutions put customer experience first. By switching to InvoiceCloud, clients can improve customer engagement, loyalty, and efficiency while reducing churn and missed payments in the process. With over 50 million payments processed annually, InvoiceCloud is one of the most secure, innovative, and inclusive fintech solutions in the market. To learn more, visit www.InvoiceCloud.com.

The fundamental duty of the Vice President, Information Security is to reduce or eliminate the security risks to InvoiceCloud's intellectual property, data, critical infrastructure and other information and physical assets. They are primarily responsible for establishing and maintaining the governance, strategy, actions, processes, policies, tools, partnerships, and other controls designed to protect those assets from unauthorized access, use, theft, tampering, or damage. The Vice President, Information Security will report to InvoiceCloud's General Counsel.

More detailed responsibilities for the Vice President, Information Security role include, but are not limited to the following:

• Build and maintain a culture of security for the organization where security is a forethought, not an afterthought and is integral to the key ingredients of success for InvoiceCloud.
• Develop and nurture a team of crack security professionals focused on honing their craft while improving the reputation of InvoiceCloud as a market leader in digital payment and customer engagement services.
• Assemble a network of key stakeholders, service provides, and industry experts to provide the Vice President, Information Security and their team the necessary support in pursuit of their objectives.
• Foster collaboration, encourage diverse thought and productive debate, and inspire innovation that quickly produces solutions to security challenges.
• Promote a security vision aligned with InvoiceCloud's mission and company objectives through actions and communication.
• Develop security capabilities that present obvious value to customers and are recognized as competitive differentiators.
• Abstain from creating security impediments to product innovation and customer engagement.

The Vice President, Information Security will also be responsible for maintaining a comprehensive security program that includes coverage for the following domains including but not limited to:

• Oversight, governance, and management: ensure that security operations run smoothly and in a manner that continuously improves the overall security maturity level as measured against industry-standard frameworks such as HiTrust, PCI –DSS, NIST CSF, SP 800-53, 171, or others; maintain compliance with standards commensurate with business needs; maintain communication with key leaders such that risks are known and managed.
• Open-source software: continually evaluate the suitability and integration of open-source software and services; maintain and expand understanding of open-source software, licensing, and ecosystem; develop and oversee open-source security policies, protocols, and procedures; and conduct security research on the latest open-source threats, vulnerabilities, and mitigation strategies.
• Artificial intelligence: develop and implement a GenAI security strategy that aligns with InvoiceCloud's objectives and the regulatory landscape; ensure compliance with AI-specific security frameworks; lead efforts to identify and mitigate vulnerabilities specific to GenAI systems; and collaborate with development teams to integrate security best practices into the deployment of AI models.
• Security architecture and strategy: plan, budget, procure, and implement security strategy as an integrated function inside business operations and product development; design and implement a security architecture that is aligned to and supportive of business goals.
• Threat intelligence and risk assessments: maintain awareness of current and potential security threats, breaches, and attack vectors through a variety of channels; provide company executives with insight and warnings to possible issues vendors, partners, customers, potential mergers or acquisitions, and other material business strategies or relationships.
• Legal and compliance integration: continuously maintain a proactive posture and level of preparedness for pending legislation or industry shifts impacting applicable information security; foster an assertive bias towards innovation in integrating information security practices into the fabric of the organization.
• Security operations: real-time threat detection, analysis, response, and remediation; general security hygiene, patch management, and security awareness training/testing; incident response and management; comprehensive vendor risk management.
• Data loss prevention: ensure data, information, assets, and proprietary property remain secure from corruption, misuse, and theft.
• Investigations and forensics: assemble the capabilities, including but not limited to technology and team, to conduct investigations with the appropriate chain of custody and forensic procedures to determine the potential indicators of compromise for a known or suspected security breach, leak, hack, or other related issue; work with law enforcement, internal and external legal counsel to conduct the investigation in a discreet and confidential manner; incorporate finding information and remediation activity into controls to prevent future issues.
• Application Security: ensure that engineering teams are trained and consistently exercising application security best practice in accordance with industry standards; ensure that application risks are known and mitigated in both internally and externally developed software
  
  

What success looks like:

First 30 days

• Gain business and organizational context:
  • Research the business model, product offering, and organizational structure of InvoiceCloud.
  • Observe meetings.
  • Insert into communications streams (Slack, Teams, email, recurring meetings)
• Build relationship map for achieving goals, removing obstacles, and strategic alignment.
• Meet with company's executive leadership team members.
• Present initial overview of business context and key relationship map to General Counsel.

First 60 days

• Establish an understanding of InvoiceCloud's information security profiles that identifies the applicable controls, frameworks, and relative maturity levels;
• Evaluate the existing security program goals, progress, and effectiveness.
• Review available information security risk artifacts, including incident reports, risk register, program documentation, training material and other relevant information, identifying specific improvement opportunities and themes.
• Assess existing team member talent, experience, productivity and summarize key findings, observations, themes, and actions to discuss with General Counsel.
• Present an initial draft of a comprehensive security strategy plan document to the General Counsel that outlines organizational structure requirements, key actions, long and short-term objectives, high-level budget needs, and timeline for execution.
• Prepare an observations and action report for executive leadership team presentation.

First 90 days

• Deliver final comprehensive security strategy plan document that outlines centralized and harmonized security reporting strategy, organizational structure, key actions, long and short-term objectives, high-level budget needs and timeline for execution.
• Develop an annual budget and goals aligned with overall InvoiceCloud planning process.

Qualifications

• Bachelor's degree in IT, Computer Science, Computer Engineering, or related technical field; Master's degree or MBA preferred
• 10-15 years of relevant experience in information security
• Aptitude to articulate technical and security content in a manner that non-technical audiences can understand.
• Experience with enterprise-level governance and policy development.
• A developed network of security professionals, law enforcement contacts, and vendor relationships.
• Knowledge of and personal certification in various industry standards, frameworks, and programs.
• Experience with application security.
• Accustomed to customer and prospective customer interaction and communication.
• Knowledge of current relevant legislation as well as potential and upcoming legislation and ethical considerations impacting information security practices and requirements.
• Incident management and remediation skills.
• Strategic management, planning, and budgeting skills.
• A diverse background in various fields of technology and business.

Benefits

We offer a competitive benefits program including:

• Medical, dental, vision, life & disability insurance
• 401(k) plan with company match
• Flexible Time Off (FTO), wellbeing days, paid holidays, and summer Fridays
• Mental health resources
• Paid parental leave & Backup Care
• Tuition reimbursement
• Employee Resource Groups (ERGs)

InvoiceCloud is an Equal Opportunity Employer. 

InvoiceCloud provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. 

This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training. 

If you have a disability under the Americans with Disabilities Act or similar law, or you require a religious accommodation, and you wish to discuss potential accommodations related to applying for employment at our company, please contact jobs@invoicecloud.com.

Click here to review InvoiceCloud's Job Applicant Privacy Policy.

To all recruitment agencies: InvoiceCloud does not accept agency resumes. Please do not forward resumes to our job's alias, employees, or any other organization location. Invoice Cloud is not responsible for any fees related to unsolicited resumes.