[Hiring] Deputy Chief Information Security Officer @Mercury

Role Description

You will be the operating second to the CISO and own the bank-entity scope of Mercury's 2LOD Information Security program. You'll be the person who keeps the program examiner-ready by default:

• Coherent policy architecture
• Evidenced controls
• Credible gap-remediation track record
• Tested incident response program with documented exercise history

This is not a research or strategy role. It is a build-and-defend role. You will sit across the table from OCC examiners, FFIEC IT audit teams, our Chief Risk Officer, and the board's risk committee, and you will be expected to answer for every line in our policies and every status in our control inventory.

*Mercury is a fintech company, not an FDIC-insured bank. Banking services provided through Choice Financial Group and Column N.A., Members FDIC.

What you'll own:

• Bank-entity 2LOD InfoSec program
• Governance, policy, risk, and oversight scoped to the chartered bank
• Examiner posture
• OCC, FFIEC, FDIC and FRB examiner inquiries; ownership of the examiner-ready narrative; coordination of the evidence
• FFIEC control remediation
• Lead remediation of identified FFIEC IT control deficiencies to charter readiness ahead of the OCC pre-opening examination
• Policy architecture
• Carry the bank-scoped policy stack (Policy / Standard / Procedure), including ratification cycles, MRCC memos, and board approvals
• BC/DR
• Partner with the Chief Risk Officer on bank continuity, resilience, and recovery, including tabletop exercises and full-scale drills
• Audit and assurance
• Manage relationships with internal audit (3LOD) and external assessors (SOC 2, FFIEC CAT, regulator-led IT examinations)
• Third-party risk
• Ensure TPRM evidence holds up to bank-grade scrutiny for critical service providers and material outsourcing arrangements
• Team development
• Coach and grow the GRC sub-team; run a recurring training cadence; build the bench depth a national bank requires

Qualifications

• 8+ years in Information Security
• 3+ years inside a regulated bank, trust bank, or de novo bank charter effort
• Deep FFIEC and OCC fluency
• Direct examiner-facing experience
• Policy and standards craft
• Operating discipline
• 2LOD instinct

What we'd love:

• Prior Deputy CISO or equivalent senior 2LOD role at a national bank, trust bank, or large credit union
• Charter or de novo bank experience
• Strong technical baseline
• CISSP, CISM, or CRISC

What success looks like:

• At 30 days: Developed working knowledge of Mercury’s FFIEC IT control inventory and roadmap, every in-flight policy draft, and met one-on-one with the GRC team. Can speak to the top ten risks in the bank-entity program by name.
• At 90 days: Running the weekly bank charter status cadence, leading examiner-readiness reviews, and personally accountable for at least three priority program tracks. The CISO is briefing the board and the MRCC with material you authored.
• At one year: The charter timeline is on track. The bank-entity Information Security program sustains supervisory-grade standards as a standing posture. You are the executive other functions consult to determine whether a security risk is material.

Why this role:

We are building a security program designed to protect Mercury and enable the business. Chartering a national bank does not change that philosophy. It does mean we need a Deputy who can hold the bar to OCC standards without losing the operating tempo that has defined Mercury since inception.

If you've been waiting for a chance to build the bank-side security program you wish you'd inherited, this is it.

Compensation

The total rewards package at Mercury includes base salary, equity (stock options), and benefits. Our salary and equity ranges are highly competitive within the SaaS and fintech industry and are updated regularly using the most reliable compensation survey data for our industry. New hire offers are made based on a candidate’s experience, expertise, geographic location, and internal pay equity relative to peers.

• US employees in New York City, Los Angeles, Seattle, or the San Francisco Bay Area: $269,700 - 353,950
• US employees outside of the New York City, Los Angeles, Seattle or the San Francisco Bay Area: $242,700 - 318,550

Company Description

Mercury values diversity & belonging and is proud to be an Equal Employment Opportunity employer. All individuals seeking employment at Mercury are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, sexual orientation, or any other legally protected characteristic. We are committed to providing reasonable accommodations throughout the recruitment process for applicants with disabilities or special needs. If you need assistance, or an accommodation, please let your recruiter know once you are contacted about a role.