Chief Information Security Officer

Vestwell is the financial technology company powering the new savings economy. The New York City-based fintech platform redefines how people save for the critical aspects of life across retirement, education, and healthcare savings needs. Today, Vestwell enables over 350,000 businesses and nearly 1.5 Million active savers, with over $30 billion in assets saved across all 50 United States. 

Vestwell offers a range of products, including workplace-delivered retirement plans, employer-offered student loan repayment benefits, and various savings accounts for education, emergencies, and individuals with disabilities.

Vestwell's platform serves a diverse clientele, including financial advisers, employers, third-party administrators, financial institutions, payroll providers, government agencies, and individual savers. To learn more, visit vestwell.com

Who Are We Looking For?

The Vestwell Technology organization seeks an exceptional CISO to define and lead our enterprise-wide security strategy. The ideal candidate is a visionary and pragmatic security leader who can translate complex risk into business outcomes, influence across the company and Board, and scale programs that protect our customers, partners, and platform. They bring proven experience building and maturing security programs aligned to leading frameworks, navigating financial services regulatory requirements, and fostering a security-first culture across product, engineering, operations, and all corporate functions. They are as comfortable in the SOC as they are in the boardroom, with equal fluency in technology, governance, and business risk.

What Will You Be Doing?

• Own the enterprise information security vision, multi-year strategy, roadmap, and governance model that align to Vestwell’s business goals and growth.
• Build, lead, and develop a high-performing security organization; attract and mentor top talent and scale operating models and processes to meet Vestwell’s future needs.
• Evaluate current security technologies and capabilities (e.g., endpoint protection, monitoring/telemetry, DLP, IAM/zero trust, secret management, vulnerability and patch management) and recommend any changes or additions needed to elevate Vestwell’s security posture.
• Build and mature a comprehensive security program grounded in recognized frameworks (e.g., NIST, ISO 27001, CIS Controls), including policy architecture, control implementation, and continuous improvement and audit readiness.
• Establish and operationalize key cybersecurity metrics and KRIs/KPIs; provide concise, decision-oriented reporting to executive leadership and key stakeholders.
• Champion a security-first culture via company-wide awareness, training, and targeted education (e.g., phishing exercises), and ensure policies are well-understood and adopted.
• Drive secure-by-design practices across product and engineering (e.g., SDLC, threat modeling, code scanning, penetration testing, cloud/infrastructure hardening) and partner closely with IT, Legal, Compliance, and Operations to safeguard PII and sensitive data.
• Lead security incident management, including strategy, readiness, tabletop exercises, detection/response, crisis communications, lessons-learned, and executive/Board reporting; ensure tight alignment with business continuity and disaster recovery.
• Serve as the technical owner for cyber risk: define risk appetite/tolerances in partnership with executive leadership, establish risk assessment and reporting cadences, and present security posture, investments, and material risks to the CTO and the executive leadership 

Requirements

The Necessities

• 10+ years of progressive experience in cybersecurity with 5+ years leading enterprise security programs or functions; proven leadership in high-growth or highly regulated environments.
• Demonstrated success designing and operating security programs aligned to leading frameworks and sustaining regulatory compliance and audit readiness.
• Expert ability to identify, prioritize, and communicate risk; proven track record translating complex technical concepts into actionable insights and decisions for executive, Board, and technical audiences.
• Strong cross-functional leadership and collaboration skills; experienced at influencing product, engineering, IT, legal, compliance, and operations stakeholders.
• Advanced knowledge across core security domains: endpoint protection, monitoring/telemetry, DLP, IAM/zero trust, vulnerability/patch management, incident response, cloud and infrastructure security, authentication/authorization, and sensitive data protection.
• Experience leading incident response, resiliency programs, and crisis management, including executive and Board-level reporting.

The Extras

• Advanced certifications such as CISSP, CISM, CISA, CCSP, or comparable.
• Familiarity with secure SDLC practices, threat modeling, and penetration testing at scale.
• Experience leading or supporting SOC examinations and financial services regulatory compliance.
• Commitment to continuous learning; up to date on evolving threats, trends, and innovations.

Leadership Competencies

• Strategic thinking with the ability to set vision and drive measurable outcomes.
• Executive communication and Board reporting; crisp, decision-oriented storytelling.
• Talent builder who develops high-performing teams and scalable operating models.
• Bias for partnership and execution; balances risk reduction with business velocity.

The expected base salary range for this position is $200K-250K. This position is eligible to participate in the Company Bonus Pool and is eligible to receive new hire equity in the Company. Please note that salary bands are based on NY and other similar metro areas and may differ based on where the role is ultimately hired.

OUR BENEFITS

We’re an innovative, high-growth company, with lots of exciting milestones ahead. We value health and wellness at Vestwell and in addition to a dedicated Employee Wellbeing Committee, we offer competitive health coverage and generous vacation offering. We have adopted a hybrid office policy, but all employees are welcome at our bright, comfortable office with many workspace options in our Midtown Manhattan office, so everyone has a setting that is the most productive for them. Oh, and naturally we have a great 401(k) plan!

OUR PROCESS

It starts the same for every candidate: getting to know the team members through 1-2 conversations about Vestwell, your experience, and your interests. Next steps can vary by role, but the usual next steps are a skill or experience screen (e.g. a coding interview for an Engineer, a portfolio review for a Designer, deeper experience call for other roles) which leads to a virtual or in-person interview panel after that if the screens go well. Before making an offer, our interview process concludes with a references check stage for your recruiter to meet with a current or former supervisor and peer. We prioritize transparency and lack of surprise throughout the process.

For your awareness you will only receive correspondence from recruiting@vestwell.com any other domain not ending in Vestwell.com is not our Recruitment team.

Vestwell’s Privacy Policy. Attention California residents: In the course of conducting our business and complying with federal, state, and local government regulations governing such matters as employment, tax, insurance, etc., we must collect Personal Information from you. Should you accept employment with Vestwell you may view our California Privacy Rights Act here: Vestwell’s California Privacy Rights Policy.