AVP, Head of Information Security Protection Executive

Why USAA?

At USAA, our mission is to empower our members to achieve financial security through highly competitive products, exceptional service and trusted advice. We seek to be the #1 choice for the military community and their families.

Embrace a fulfilling career at USAA, where our core values – honesty, integrity, loyalty and service – define how we treat each other and our members. Be part of what truly makes us special and impactful.

The Opportunity

The AVP, Head of Information Security Protection function requires a robust blend of technical expertise, strategic leadership, and deep understanding of the financial sector's unique regulatory and threat landscape.

We offer a flexible work environment that requires an individual to be in the office 4 days per week. This position can be based in one of the following offices: San Antonio, Plano, or Charlotte.  

*** Relocation assistance is available for this position ***

What You Will Do:

• Envisions and develops short and long-term strategies within assigned Information Security functional areas including but not limited to Identity and Access Management (IAM), Cyber Threat Operations, or Risk Management based on sound enterprise architecture practices.
• Accountable for the teams that identify, measure, track and manage information security programs and strategies in a manner that meets compliance and regulatory requirements.
• Influences and executes the development, implementation, and execution of security access controls across USAA environments.
• Responsible for oversight of the investigation, analysis and response associated with suspicious behavior, attacks, and security breaches within USAA’s environments using a variety of cyber defense tools to identify and mitigate threats.
• Oversees the identification of security trends and evolving technologies to promote the utilization of industry policies, standards, and best practices to protect USAA’s brand and reputation.
• Provides executive level oversight in the development of functional policies, procedures, and guidelines.
• Responsible for effective written risk and compliance policies, procedures and controls are in place supporting all business activities, processes, systems, strategies, and implementations. 
• Promotes, facilitates, and sponsors information security opportunities in support of major improvements to processes and systems.
• Accountable for communication and collaboration and influencing of senior leaders on matters pertaining to information security threats, risks and mitigation initiatives.
• Reports information security risks to executive leadership to assist USAA in meeting compliance and regulatory requirements.
• Manages complex business requirements/relationships in accordance with USAA’s adopted information security framework.
• Collaborates with leaders from the USAA control partner community including risk management, enterprise compliance, and internal audit.
• Provides executive level oversight of the development, implementation, and execution of enterprise information security training programs.
• Builds and oversees a team of employees for assigned functional area through ongoing execution of recruiting, development, retention, coaching and support, performance management, and managerial activities. 
• Ensures risks associated with business activities are effectively identified, measured, monitored, and controlled in accordance with risk and compliance policies and procedures.

Minimum Education:

• Bachelor’s degree in any of the following majors: Information Security, Information Technology, Computer Science, Business Administration, Information Systems/Management, or related field; OR 4+ years of related experience (in addition to the minimum years of experience required) may be substituted in lieu of degree.

Minimum Experience:

• 10+ years of experience in a progressive technical discipline (e.g., Information Security Assurance and Governance, IAM, etc.) with a proven track record of managing major initiatives (e.g., information governance / security, electronic information) and delivering results in a complex matrix environment.
• 6+ years of relevant experience in a large financial institution in a supervisory role in IT, cybersecurity, or operational risk management.
• 6+ years of people leadership experience in building, managing and/or developing high-performing teams.
• Well-versed in regulations and standards related to risk management and information security (FFIEC, HIPAA, Gramm-Leach-Bliley, FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework and the Payment Card Industry Data Security Standard).
• Experience collaborating with key resources and stakeholders, influencing decisions, and managing work to achieve strategic goals.
• Executive-level business acumen in the areas of business operations, industry practices and emerging trends.
• Demonstrated ability to communicate technical information to a non-technical audience.
• Advanced knowledge in the field of information systems security, including such areas as identity and access management, cybersecurity engineering, security program policies, processes, and procedures.
• Demonstrated experience in vendor contract management and management of distributed development teams and resources.
• Demonstrated financial acumen involving budgets, forecasting, and executing on the budgets for applicable information security, cybersecurity, or technology support function.
• Extensive knowledge of policy formulation, information security management, and business risk management.
• Experience driving the programs necessary to achieve compliance with relevant information security and cybersecurity regulations at an enterprise level.

Key preferred skills and experience include:

Technical Expertise & Experience:

• Vulnerability Management: Proven experience in establishing and managing comprehensive vulnerability scanning, assessment, and remediation programs. This includes understanding risk-based prioritization, utilizing various scanning tools, and ensuring timely patching and mitigation of identified weaknesses. Experience with CISA advisories and frameworks like NIST CSF is crucial. 

• Secure Configuration Management: Deep understanding of establishing and enforcing secure configuration baselines across diverse IT environments (operating systems, applications, network devices, cloud assets). This involves automated monitoring for deviations, managing configuration drift, and ensuring compliance with regulatory standards such as FFIEC, NIST, and CIS controls.

• Application Security (AppSec): Extensive experience in securing applications throughout the software development lifecycle (SDLC), including implementing DevSecOps practices, secure coding standards, SAST, DAST, and API security. A strong understanding of OWASP Top 10 and OWASP MASVS is beneficial.

• Secure Web/Email and Data Labeling: Expertise in implementing and managing secure email and web solutions, including advanced encryption, and implementing safe/block lists. Experience with data sensitivity labeling for PII and financial data, along with associated warning alerts and training, is also important.

• Cryptographic Protection: A solid understanding of cryptographic principles and their application in securing data at rest and in transit. This includes knowledge of symmetric and asymmetric encryption, key management best practices (including HSMs), and the use of cryptography in securing financial transactions, digital signatures, and payment systems. Awareness and strategic planning for the transition to post-quantum cryptography (PQC) that involves understanding the threat landscape, identifying cryptography that could be broken by quantum computers, and developing roadmaps for migration to quantum-resistant algorithms, aligning with NIST standards and regulatory mandates.

Leadership & Strategic Skills:

• Information Security Leadership: Demonstrated experience in leading and managing information security teams, developing and executing comprehensive security strategies and roadmaps, and fostering a strong security-aware culture.

• Risk Management: Proven ability to identify, assess, prioritize, and mitigate security risks. This includes developing and implementing risk management frameworks and strategies aligned with business objectives.

• Compliance and Regulatory Knowledge: Deep understanding of the regulatory landscape governing financial institutions, such as FFIEC, GLBA, PCI DSS, GDPR, SOX, and emerging regulations related to AI and data privacy. Experience in preparing for and managing audits is critical.

• Incident Response & Business Continuity: Experience in developing, testing, and executing incident response plans and business continuity strategies to minimize the impact of security breaches.

• Communication and Stakeholder Management: Excellent communication, interpersonal, and reporting skills to effectively convey complex security concepts to technical and non-technical stakeholders, including executive leadership and the board of directors.

• Strategic Planning & Vision: Ability to develop a long-term vision for information security, anticipating future threats and technological advancements, and aligning security initiatives with the institution's overall business goals.

• Budget Management: Experience in managing security budgets, allocating resources effectively, and justifying security investments to senior leadership.

• Team Leadership & Development: Ability to lead, mentor, and develop a high-performing information security team.

Experience in the Financial Sector:

• Direct experience working within a financial services organization is highly advantageous, given the industry's specific risks, regulatory environment, and the sensitive nature of its data.

• Understanding the unique threat vectors targeting financial institutions is crucial.

A candidate with this profile will be well-equipped to lead the "Protect" function, ensuring the institution's security posture is robust, compliant, and adaptable to the evolving threat landscape.

*** Compensation range: The salary range for this position is: $224,250 - $403,650.

*** USAA does NOT provide visa sponsorship for this role. Please do not apply for this role if at any time (now or in the future) you will need immigration support (i.e., H-1B, TN, STEM OPT Training Plans, etc.).

Compensation: USAA has an effective process for assessing market data and establishing ranges to ensure we remain competitive. You are paid within the salary range based on your experience and market data of the position.

Employees may be eligible for pay incentives based on overall corporate and individual performance and at the discretion of the USAA Board of Directors.

The above description reflects the details considered necessary to describe the principal functions of the job and should not be construed as a detailed description of all the work requirements that may be performed in the job.

Long Term Incentive Plan: Cash payment for Executive level roles only, representing a cash payment which is both time and performance based.

Benefits: At USAA our employees enjoy best-in-class benefits to support their physical, financial, and emotional wellness. These benefits include comprehensive medical, dental and vision plans, 401(k), pension, life insurance, parental benefits, adoption assistance, paid time off program with paid holidays plus 16 paid volunteer hours, and various wellness programs. Additionally, our career path planning and continuing education assists employees with their professional goals.

For more details on our outstanding benefits, visit our benefits page on USAAjobs.com.

Applications for this position are accepted on an ongoing basis, this posting will remain open until the position is filled. Thus, interested candidates are encouraged to apply the same day they view this posting.

USAA is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.