Portfolio Information Security Officer

Asurion
Nashville, United States of America
7 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Nashville, United States of America

Tech stack

API
Amazon Web Services (AWS)
Applications Architecture
Azure
Cloud Computing
Cloud Computing Security
Control Objectives for Information and Related Technology (COBIT)
Computer Security
Continuous Integration
DevOps
Identity and Access Management
Internet Security
Key Management
Network Security
Systems Development Life Cycle
Cloud Services
Sherwood Applied Business Security Architecture
Secure Coding
Systems Integration
Software Vulnerability Management
Data Logging
Software Security
Information Technology
CIS Benchmarks
Devsecops

Job description

The Portfolio Information Security Officer (PISO) is a senior, director-level leader serving as the primary security advisor for assigned lines of business. Reporting to the Deputy Chief Information Security Officer, the PISO aligns business objectives with enterprise security requirements, advises on cyber and technology risk, and ensures application, architecture, and engineering initiatives incorporate appropriate security controls. This role influences senior stakeholders across technology, product, engineering, operations, risk, compliance, and business leadership, translating complex technical issues into actionable business risk decisions and driving remediation aligned to regulatory expectations, operational resilience, and enterprise security strategy., * Business Unit Security Leadership: Own the security relationship for assigned portfolios; participate in business planning and governance; ensure leaders understand current and emerging risks, control gaps, remediation obligations, and risk acceptance decisions; connect enterprise security functions with business and technology teams to align priorities to outcomes.

  • Cyber Risk Advisory and Prioritization: Advise on remediation prioritization, compensating controls, exceptions, and formal risk acceptance; assess findings based on likelihood, impact, exploitability, regulatory exposure, operational criticality, and customer impact; develop practical risk treatment plans; present time-bound risk acceptance recommendations with accountable ownership; escalate material risks to appropriate governance forums.
  • Application Architecture and Engineering Reviews: Provide technical security advisory for application architecture, cloud deployments, integrations, APIs, identity patterns, and third-party connectivity; partner with enterprise architecture, engineering, DevOps, cloud, and infrastructure teams to identify risk early; evaluate authentication, authorization, data protection, encryption, logging, segmentation, resilience, secrets management, secure configuration, and vulnerability exposure; ensure alignment to enterprise standards, secure SDLC, and regulatory requirements.
  • Risk Reporting and Governance: Produce business-unit-specific cyber risk reporting covering key risks, control gaps, remediation progress, exceptions, vulnerabilities, audit/regulatory issues, and emerging threats; deliver regular updates to business leaders and contribute to consolidated executive reporting; translate technical issues into clear business impact statements and decision materials; track commitments, risk acceptances, and issue closure.
  • Security Program Alignment: Drive adoption of enterprise capabilities and standards (e.g., vulnerability management, third-party risk, IAM, data protection, cloud security, incident response, threat management, awareness, secure development); identify gaps between policy and implementation; provide feedback to central security teams; support regulatory, audit, and compliance activities; partner with security architecture, GRC, risk, privacy, legal, compliance, and technology teams.
  • Incident, Threat, and Emerging Risk Support: Provide business context during incidents and investigations; advise leaders on exposure, remediation urgency, operational impact, and communications; lead post-incident risk reviews and ensure lessons learned inform sustainable control improvements.

Requirements

  • Bachelor's degree in Information Security, Computer Science, Information Technology, Engineering, Risk Management, or related field, or equivalent practical experience.
  • 10+ years across information security, technology risk, application security, infrastructure, cloud security, security architecture, engineering, or related disciplines.
  • 5+ years influencing senior technology, engineering, risk, or business stakeholders.
  • Demonstrated experience advising on cyber risk, control gaps, risk acceptance, remediation prioritization, and executive-level risk reporting.
  • Experience reviewing application, system, or platform designs for security risk and translating technical issues into business risk language for executives.
  • Preferred: Experience as a PISO/BISO or in security architecture, technology risk, or senior security advisory roles; regulated industry experience (e.g., financial services, healthcare, insurance, technology, critical infrastructure); familiarity with frameworks such as NIST CSF, NIST 800-53, ISO 27001, CIS Controls, COBIT, FAIR; relevant certifications (e.g., CISSP, CISM, CRISC, CCSP, CISA, SABSA, AWS/Azure security credentials); experience presenting to executive and board-level forums.

Knowledge, Skills, and Abilities

  • Broad technical fluency across application security and secure SDLC, cloud security architecture, IAM, infrastructure and network security, data protection and encryption, API and integration security, vulnerability management, DevSecOps and CI/CD, logging/monitoring/detection controls, third-party risk, resilience and continuity.
  • Strong risk judgment; ability to distinguish theoretical risk from material business risk and compliance exposure, and to recommend pragmatic treatments aligned to risk appetite.
  • Executive communication skills with the ability to prepare concise, decision-oriented materials and influence without direct authority.
  • Business acumen to connect security posture to strategy, revenue, operations, and customer impact.
  • Relationship management and prioritization skills to focus teams on the most impactful risks under resource constraints.
  • Ownership mindset to drive issues to closure, maintain accountability, and ensure transparent, time-bound risk decisions.

Apply for this position