Senior Information Security Analyst

Old National Bank has been serving clients and communities since 1834. With over $70 billion in total assets, we are a regional powerhouse deeply rooted in the communities we serve. As a trusted partner, we thrive on helping our clients achieve their goals and dreams, and we are committed to social responsibility and investing in our communities through volunteering and charitable giving.

We continually seek highly motivated and talented individuals as our people are critical to our success. In return, we offer competitive compensation with our salary and incentive program, in addition to medical, dental, and vision insurance. 401K, continuing education opportunities and an employee assistance program are also included in our benefit suite. Old National also offers a variety of Impact Network Groups led by team members who are passionate about driving engagement, creating awareness of diverse backgrounds and experiences, and building inclusion across the organization. We offer a unique opportunity to join a growing, community and client-focused company that is firmly rooted in its core values.

The Senior Information Security Analyst role is responsible for driving, maintaining, and validating organizational and third-party compliance with the Information Security and Technology Risk Management (ISTRM) Policy, program, and standards which address minimum requirements in line with security laws, regulations, and contractual obligations affecting Old National. The role will perform risk and threat assessments as well as control testing to identify issues and work with team members to mitigate risk and resolve control gaps. The role will support assurance activities related to availability, integrity, and confidentiality of customer, business partner, team member, and business information as requested. This role will influence behaviors to reduce risk and foster a strong ISTRM culture throughout the enterprise.

Salary Range

The salary range for this position is $77,900 - $153,000 per year plus bonus. The base salary indicated for this position reflects the compensation range applicable to all levels of the role across the United States. Actual salary offers within this range may vary based on a number of factors, including the specific responsibilities of the position, the candidate's relevant skills and professional experience, educational qualifications, and geographic location.

Key Accountabilities

Perform risk assessments, control testing, and support issue management including identification, escalation, and risk mitigation

Facilitate risk assessments, control testing, and risk management review processes to analyze organizational and application risk and control effectiveness and assist team members in the identification and correction of control gaps.
• Offer guidance on Old National's ISTRM Program when examining impacts of new infrastructure, technologies, processes, or partnerships. Determine which laws and regulations apply and ensure adherence to the required standards for business applications, infrastructure, processes, etc.
• Escalate issues and recommendations to management, using a risk-based approach, for immediate attention as needed.
• Influence behaviors to reduce risk and foster a strong ISTRM culture throughout the enterprise.
• Perform third-party security assessments supporting due diligence requirements.
• Perform application security assessments supporting risk identification and control testing.

Maintain information security and technology risk documentation and ensure security awareness

• Support the creation, maintenance, and continuous improvement of ONB's ISTRM policies, program, procedures, standards, security documentation, regulatory documentation, etc.
• Provide leadership and effort in the buildout, maintenance, and detailed mapping of global regulatory and industry frameworks to organizational control standards.
• Work closely with IT and other first-line business units and risk offices to ensure ONB's ISTRM Program is incorporated into their program initiatives and business requirements.
• Act as an information security and technology risk advocate to management, team members, and business/process owners.
• Develop, publicize, and support education and training initiatives for all team members to raise awareness of information security and risk management issues.
• Organize and prepare committee and council decks, ensure smooth execution of meetings, present information as requested, and communicate and track outcomes of meetings.
• Participate in departmental activities including meetings, updates, planning, reporting, and other responsibilities as needed.

Collaborate with internal and external stakeholders:

• Support creation, management, maintenance, and execution of an effective ISTRM Program
• Partner with the first line of defense and risk offices on risk control assessments and provide guidance on development and enhancement of key controls and risk management.
• Support risk management through coordination with Risk and Control Owners to identify, assess, and manage enterprise risks and the control environment. This involves data analysis, risk mitigation, and regular control validation.
• Work directly with all business units and team members to ensure completion of information security and technology risk due diligence documentation and testing is performed on a timely basis and develop plans for further improving controls.
• Assess and respond to information security events and incidents. Assist in coordination with internal and external parties and assist in evaluation, communication and documentation of issues and incidents
• Support and coordinate internal audits, collaborating with auditors to ensure adherence to standards

Key Competencies for Position

• Planning, Organization, and Execution: Self-starter, motivated, able to drive efforts and propose paths forward independently. Ability to effectively prioritize, track, and execute tasks in a consistent and timely manner while simultaneously managing multiple assignments. Thorough in accomplishing a task through concern for all the areas involved, no matter how small. Monitors and checks work on information and plans while organizing time and resources efficiently. Adapts well to changes in assignments and priorities; yet, can maintain focus and stay current with day-to-day responsibilities. Committed to achieving established goals and overcoming obstacles. Ability to effectively prioritize, track, and execute tasks in a consistent and timely manner
• Problem Solving/Decision Making - Ability to define problems, collect data, establish facts, and draw valid conclusions. Ability to interpret an extensive variety of technical instructions in mathematical or diagram form and deal with several abstract and concrete variables. Able to identify issues and potential risks; incorporates input from multiple sources (e.g., lines of business, subject matter experts, industry leaders, data, policies, procedures, etc.) to ensure complete views determining an effective course of action and to promote shared ownership; decisions are sound based on what was known at the time and are based on a blend of analysis, wisdom, experience, and judgement.
• Communication: Ability to present ideas, decisions, and recommendations effectively to all levels of management in a clear and professional manner, including excellent written, oral communication, and interpersonal skills. Ability to confidently educate and advise senior leaders.
• Technical Knowledge: Possesses the required technical knowledge to perform the role effectively; ability to comprehend new information rapidly in the everchanging technical landscape; desire for continuous learning to adapt to emerging risks and threats.

Qualifications and Education Requirements

• Bachelor's degree in Computer Science, Technology, related field, or equivalent work experience required
• 5+ years experience in information security or related field.
• Minimum of 3+ years of experience in Information Security and Technology Risk Management, with a proven track record of successfully leading or supporting an ISTRM program.
• Detailed understanding of information security frameworks such as ISO27XXX, NIST, and industry best practices.
• Involvement in adhering to security laws and regulations affecting financial institutions including, but not limited to, GLBA, SOX, HIPAA, FFIEC, etc.
• Extensive knowledge of and experience with information security and technology risk management, control development, and control validation.
• Experience in policy, standards, and procedure creation based on selected framework and implementation issues related to regulatory and other requirements.
• Thorough understanding of how to analyze business applications, perform application security assessments, and recommend appropriate security controls.
• Knowledge and experience with an enterprise GRC and IT Service Management system.
• Knowledge of OCC Heightened Standards for risk assessment, incident response, and third-party risk management.
• Achieved or in pursuit of a globally recognized information security certification such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), or equivalent preferred.