Bread is a technology company that aims to transform the world of paper credit card applications and hidden interest rates by providing leading point-of-sale financing options for merchants across the e-commerce journey. We build tools, technologies and APIs that allow merchants to integrate an installment loan financing and checkout experience anywhere in their customers’ shopping journey. Bread was started in 2015 by financial technology veterans, and has experienced explosive growth to date. We’re backed by top investors including Menlo Ventures, Bessemer Venture Partners, Kinnevik, among others.

Bread is looking to hire a dedicated Head of Information Security Compliance. This role is critical to Bread’s core business of offering transparent financial products for merchants and consumers while maintaining the trust and confidence of our customers that we will protect their privacy and their personal information. You’ll be creating a robust, secure and compliant data regime to protect both the company and customers’ assets and privacy, while fostering a culture of security and compliance with the various department leaders and throughout the organization.

The Head of Information Security Compliance:

• Oversees and coordinates information security risk management and compliance efforts across Bread, including departments such as Engineering, Information Technology, Human Resources, Legal, Finance and other groups
• Drives the execution of the information security risk assessments and information security compliance initiatives and standards throughout the organization. 
• Owns the development and administration of Bread’s information security policies, setting procedures and guidelines to ensure that all information systems are functional, secure and safeguarded throughout the company and are in compliance with privacy, customer trust and applicable information security laws and regulations 
• Works closely with key individuals throughout the organization to develop business cases for new security projects and provides appropriate expertise to manage associated information security risks
• Provides leadership, technical expertise and administrative support for the development of Disaster Recovery and Business Continuity programs for the company. 
• Leads information security risk management and compliance efforts related to strategic partnerships

Day to Day Responsibilities include:

• Develop and Maintain our internal information security risks and controls catalogue 
• Lead strategic partnerships and relationship-building in support of our ongoing security-compliance commitments such as SOC-1, SOC-2, PCI, and ISO27001. 
• Drive resolution of information security gaps or control deficiencies, and help business owners prioritize remediation activities
• Executing information security risk assessments for third-party vendors, and responds to information security diligence requests from external partners 
• Manage the information security relationship with key partners
• Serve as the primary point of contact for information security audits and assessments for business partners/third-party vendors, and represent IT/Engineering across these exercises
• Provide information security training and awareness to employees
• Report on the state of information security control environment to the Governance, Risk and Compliance Working Group 

Preferred Background:

• 7+ years of experience in information security compliance or information security risk management in financial services
• Experience with implementing an Information Security Risk Management and Compliance Program, including information security policies management, information security risk assessments, information security governance, information security training)
• Able to communicate security-related concepts to a broad range of technical and non-technical staff. Acting as a bridge between IT and business process owners.
• Certification is required, such as CISA, CISM or CISSP
• Knowledge and experience in the following information security areas:
• Information security assessment and auditing procedures, from both technical and business perspectives, and the use of formal methodologies such as NSA IAM
• Vulnerability scanning and auditing tools
• Network security
• E-commerce application security
• Computer investigation and forensics methods and technologies
• Secure messaging architectures
• Knowledge of regulatory bodies, and information security and privacy related regulations and/or guidance issued by these bodies such as the FDIC, CFPB, FinCEN and Federal Reserve Board
• Knowledge of privacy laws, such as GLBA, Regulation P
• Experience working with Mac Endpoint tools such as JAMF, IAM tools such as Okta/Duo, and security tools such as Sophos and Qualys.
• Strong project or program management experience
• Proven ability to collaborate cross-functionally and desire to work closely with other members of the team
• Strong verbal and written communication skills