Pushpay, $200M PE-backed Donor Mgmt b2b SaaS for churches, non-profit

Chief Information Security Officer (CISO)

United States

I. Overview


Pushpay (https://pushpay.com/ , Redmond, WA and Denver, CO-based) is looking for a Chief Information Security Officer (CISO) with B2B SaaS experience (at a company selling software as the vendor) and deep PCI experience (has owned and been responsible for the security of credit cardholder data).


Pushpay is a $200M-revenue, 600-employee leading provider of SaaS church management systems (ChMS): essentially an ERP/CRM B2B SaaS platform and mobile app for managing donor and congregation engagement. They are PE-backed by Sixth Street Capital ($75B AUM, https://sixthstreet.com/ ).


They focus on the faith, education, and nonprofit sectors in the US and around the world, changing the way churches, schools, and charities engage their communities using mobile technology while driving generosity.


The role and challenge are new. The CISO reports to the CTO and has a 5-person team. Pushpay is not in security crisis management, but as they scale they realize they have to up their game in cybersecurity. This person will identify risk, develop mitigation plans, and build a 3-5 year security roadmap.


They are open to a hybrid arrangement (remote + 50% on-site) or fully paid relocation to Redmond, WA, Denver, CO, or Dallas, TX (the three co-HQ sites). Note that the role involves 20% travel to all locations, including the office in New Zealand.


The mandate is the following:


1)    Payments Compliance: continue to comply with PCI DSS given the current strong foundation, and develop next-generation, well-adopted and deployed processes around PCI. Keep up with state and local regulations. Successfully complete our NIST CSF assessment and ensure optimal GRC (governance, risk, and compliance) management.

2)    Application Security Upgrade: build on the current strong engineering team, which is responsible for application security.

3)    Continued Risk Assessment and related mitigation plans.

4)    Establish a world-class governance model for risk assessment and regular PE board reporting.

5)    Develop plans for our customers' security and data practices: start communicating with customers about what they need to do from a security and risk perspective.


The CISO is responsible for designing and implementing the information security program. The information security program will protect the company's products, systems and personnel from both external and internal threats. This role applies to products and systems across the Pushpay ecosystem. The role is expected to work alongside company executives to establish and enforce policy, assess security risks and implement mitigation plans where needed. It is considered a VP/SVP-level role.


We are looking for a person with the following profile:

·        Hands-on, player-coach;

·        Deep PCI experience with payment card security, other sensitive data, and the highest-risk business models (PCI, SOC2, ISO27001, GDPR, CCPA);

·        Mid-market company experience ($100M to $1B revenue);

·        PE experience, a plus.


If interested, please send resume to juan@gonzasearch.com with a short email write-up on why you are a good fit - don’t just click LinkedIn’s easy, fast-apply. That is a black hole.


II. Major Responsibilities:


·        Is responsible for the design, implementation and monitoring of a company wide information security program

·        Maintains responsibility for the development, socialization, approval, and implementation of procedures, standards, and policies to protect the privacy and integrity of Pushpay products, systems, and data.

·        Ensures compliance with regulations and security policies that apply to Pushpay products and systems, such as PCI compliance and regional or national data privacy regulations

·        Responsible for the internal PCI program and compliance.

·        Responsible for identifying the standards and frameworks that apply to the company and maintaining compliance - such as SOC2, ISO 27001, NIST cybersecurity framework, or other relevant standards.

·        Responsible for working with product engineering to establish a Security by Design practice, including elements such as secure coding practices, threat modeling, and response and recovery plans for a cybersecurity event.

·        Works across other executive functions to establish policies, assess risk, and implement mitigations where required.

·        Develops and maintains a document framework of continuously up-to-date information security policies, standards, and guidelines.

·        Responsible for the company-wide training necessary to maintain internal awareness of data privacy and security practices and expectations.

·        Responsible for the development, maintenance and execution of security related incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support, and in-house consulting in these areas.

·        On a continuous basis, evaluates overall information security capabilities and needs of the company, and ensures that policies and plans are sufficient and effective.

·        Develops budget plans for personnel and non-personnel resources.

·        Acts as the appointed Data Protection Officer for the company.


III. Key Skills:

·        Formal qualifications and considerable application experience in the field of cybersecurity, data privacy and internal security policy.

·        Sound knowledge of relevant standards such as PCI, GDPR, CCPA, SOC2, ISO27001 and similar.

·        Ability to design, implement and enforce enterprise wide policies and programs.

·        Knowledge of Security by Design practices and practical applications in a SaaS business.

·        Ability to lead and guide a team of cybersecurity professionals

·        Outstanding relationship building and stakeholder management skills

·        Ability to communicate effectively with audiences ranging from front-line staff through senior leadership to the board.


IV. Candidate Profile & Qualifications


·        10-15+ years of IT experience (technology processes, methodologies, and frameworks), with a career path starting as a developer, engineering manager, cybersecurity analyst, or systems architect

·        3-5 years of senior leadership experience directly managing cybersecurity personnel (or equivalent), directing a team, and leading strategy, budgets, and technology roadmaps

·        Compliance experience - administering programs with some or all of PCI, SOC2, ISO27001, GDPR, CCPA

·        8+ years of hands-on infrastructure and security experience

·        CISSP, CISM, or GIAC certification(s) preferred

·        Experience with Case/Knowledge/Process Management tools, and ITIL or similar best practices.

·        Expert knowledge of TCP/IP, Routing, VPN, LAN/WAN topologies, Active Directory, backups and disaster recovery.

·        Entrepreneurial, Hands-on, Self-starter who can proactively identify opportunities for improvement and take action.

·        Bachelor’s Degree in Computer Science, Computer or Software Engineering, Information Technology or a related field, or equivalent industry experience

·        Master’s or Advanced Education, a plus


If interested, please send resume to juan@gonzasearch.com

Employment type: Full-time
