Director, Information Security Risk & Compliance

PenFed is hiring (Hybrid) Director, Information Security Risk & Compliance at our Tysons, Virginia location.  The primary purpose of this role is to lead the development, implementation, and continuous improvement of the enterprise Information Security risk and compliance program. This includes overseeing comprehensive risk reporting, driving the creation and maintenance of Information Security policies and standards, steering security education and awareness activities, and ensuring ongoing compliance with internal policies, regulatory requirements, and applicable laws. The Director provides strategic leadership to strengthen the organization’s security posture, promote policy adherence, and enable effective risk‑based decision‑making across the enterprise.

Reasonable accommodation may be made to enable individuals with disabilities to perform the essential functions. This is not intended to be an all-inclusive list of job duties, and the position will perform other duties as assigned.

• Drive the execution of the cybersecurity risk management program, ensuring risks are identified, assessed, and addressed in alignment with organizational and regulatory requirements.
• Perform detailed cyber risk assessments, clear document findings, and partner with stakeholders to define and prioritize actionable remediation plans.
• Lead the development and implementation of security risk management strategies and frameworks.  Establish and maintain security risk frameworks, policies, and standards that guide consistent, enterprise‑wide risk management practices.
• Oversee the enterprise’s third‑party, business continuity, and IT operational risk management activities, ensuring risks are identified, assessed, monitored, and effectively mitigated.
• Establish, maintain, and continuously improve the enterprise control inventory, including leading control effectiveness assessments to drive measurable risk reduction.
• Lead, mentor, and manage the security compliance team, fostering a high‑performance culture that supports organizational security, regulatory, and audit requirements.
• Develop, track, and report risk-related key performance indicators and metrics that measure the effectiveness of Information Security compliance and risk programs, providing proactive insights to the VP, IT Security Risk and Governance.
• Ensure all Information Security compliance programs meet applicable regulatory, industry, and credit‑union-specific requirements, and evolve in response to changes in laws, guidance, and risk posture.
• Lead the design, delivery, and governance of Information Security training and awareness initiatives, in partnership with business units to advance organizational security culture.
• Prepare and deliver risk-related executive‑level reporting and performance dashboards for senior leadership, regulators, Cyber Risk Management Council, and the Board of Directors, ensuring clarity, accuracy, and risk‑based insight.
• Provide expert guidance on security compliance strategies, control design, and implementation, using strong analytical, research, and communication skills to influence decision‑making.
• Support enterprise-wide compliance communications, reporting, issues tracking, and remediation efforts in response to internal audit, external audit (e.g., NCUA, GLBA), and regulatory reviews.
• Oversee the development, review, and modernization of security policies, standards,and procecures, ensuring alignment with enterprise objectives.
• Maintain deep awareness of emerging technologies, industry trends, and evolving threats, proactively adapting compliance and risk practices to strengthen the security posture.
• Represent the organization’s security compliance and risk posture externally, engaging with partners, suppliers, regulators, and industry groups to support information exchange and best‑practice adoption.
• Collaborate across IT, Risk, Legal, Privacy, and business functions to ensure security compliance and risk requirements are fully integrated into enterprise operations and strategic initiatives.

*This is not intended to be an all-inclusive list of job duties.*

Equivalent combination of education and experience is considered.

• Master’s Degree and/or bachelor’s degree in computer science or equivalent in related field preferred.
• Minimum of twelve (12) years of relevant Information Security risk management experience.
• Experience in the management of security control capabilities within large, complex financial services organization.
• Minimum of four (4) years of direct management experience.
• Solid working knowledge of understanding key security controls (Access Control, Encryptions, etc.).
• Ability to communicate effectively and influence Business and IT leadership, staff, and other stakeholders, company-wide, to implement security recommendations.
• Ability to establish and develop effective, trusting relationships with internal business units, together with a proven knowledge of the methods necessary to assess information security within a large organization.
• Experience with risk management tracking tools (e.g., Archer, ServiceNow GRC, or similar platforms) to document risks, monitor remediation progress, maintain control inventories, and deliver accurate, data‑driven risk reporting.
• Experience in formal risk assessment and risk management practice.
• Strong familiarity with information security, risk management, and IT government standards and frameworks (e.g. NIST 800-53, NIST Cyber Security Framework, ISO 27000, ISO31000, etc.).

Supervisory Responsibility

This position will supervise employees.

Licenses and Certifications

CISSP, CISA, CISM, CRISC, etc.

Work Environment

While performing the duties of this job, the employee is regularly exposed to an indoor office setting with moderate noise.

*Most roles require working in an office setting with moderate noise and the ability to lift 25 pounds.*

Travel

Ability to travel to various worksites and be on-call is required.

#LI-Hybrid