Chief Information Security Officer

Cottonwood Financial

Founded in 1996, Cottonwood Financial is one of the largest privately held retail consumer finance companies in the United States.

Reporting to our Chief Information Officer, this position is responsible for establishing and maintaining the information security program to ensure that information assets and the associated technology, applications, systems infrastructure, and processes are adequately protected in the digital ecosystem. The CISO is responsible for identifying, evaluating, and reporting on legal, regulatory, IT, and cybersecurity risk to information assets (data, networks, applications, and people), while supporting and advancing business objectives. The CISO must be knowledgeable about both the internal and external business environments, and must ensure that information systems are governed so that they remain fully functional and secure.

The CISO will create and own the security policy, setting the tone for the security program and its practices. The CISO will be accountable for the content of the security policy and will take a collaborative approach with internal business compliance groups. The CISO will identify applicable regulations and report on the status of regulatory compliance as it relates to the practice of information security. Data security is of the utmost importance; the program will incorporate controls such as centralization, tokenization, encryption, and masking in service of confidentiality, integrity, and availability. The CISO will identify and quantify third-party exposure and apply protections accordingly. The CISO is expected to establish the functions, processes, and procedures used to measure the maturity of the cybersecurity and risk management program, and to communicate security goals and risk management objectives clearly. A core function of the position is to continually measure and manage cyber risk and to establish and cultivate a risk management program.

Specific experience and proven success in leading digital security and governance programs, including the establishment of strategy and frameworks, are required. Additionally, knowledge of hybrid ecosystem architectures, including custom, open source, and third-party components (both on-premises and SaaS/cloud), integrated for optimal business solutions, is required.

The successful candidate will lead, prioritize, and develop the overall digital security and governance approach for the organization. This position is based at our Administrative Office (HQ) in Irving (Las Colinas), Texas.

Responsibilities
  • Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security committee
  • Provide regular reporting on the current status of the information security program to senior business leaders as part of a strategic enterprise risk management program
  • Create and manage a targeted information security awareness training program for all employees and contractors and establish metrics to measure the effectiveness of this security training program
  • Provide clear risk-mitigating directives for projects with IT components, including mandatory application controls
  • Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of nondigital risk areas
  • Develop, implement, and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled and/or processed by the organization
  • Develop and enhance an up-to-date information security management framework
  • Develop and maintain a document framework of continuously up-to-date information security policies, standards, and guidelines
  • Create a framework of roles and responsibilities with regard to information ownership, classification, accountability, and protection of information assets
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase maturity of the information security, and review it with stakeholders at the executive level
  • Coordinate with the enterprise architecture team to build alignment between the security and enterprise architectures, so that information security requirements are embedded in IT architectures and security is built in by design
  • Work with the compliance staff to ensure that all information owned, collected, or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as financial, lending, and data privacy
  • Ensure that security is embedded in the project delivery process by providing appropriate information security policies, practices, and guidelines
  • Oversee technology dependencies outside direct organizational control, including contract renewals and the creation of alternatives for managing risk
  • Manage and contain information security incidents and events in order to protect corporate IT assets, intellectual property, regulated data, and the company’s reputation
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action
  • Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals
  • Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security incident; provide direction, support, and in-house consulting in these areas

Required Qualifications
  • Bachelor’s degree in computer science, information systems, computer engineering, electrical engineering, system analysis or related field of study, or equivalent experience
  • Professional security management certification such as CISSP, CCISO, CISM, and/or CISA required
  • 10+ years of experience in a combination of risk management, information security, and IT, including 5+ years in a senior leadership role
  • 3+ years of exposure to marketing analytics, customer data, and digital commerce platforms
  • Strong knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
  • Strong knowledge of information security best practices, standards, and frameworks, such as the ISO/IEC 27000 series, NIST SP 800-53, and PCI DSS
  • Proven track record in developing information security policies and procedures, and in successfully executing security programs in a dynamic business environment
  • Knowledge of business IT ecosystems, SaaS, IaaS, PaaS, cloud computing, SOA, APIs, open data, open systems, microservices, event-driven IT and predictive analytics
  • Exceptional soft and interpersonal skills, including teamwork, facilitation, and negotiation
  • Strong leadership skills
  • Excellent written, verbal, communication, and presentation skills
  • Excellent planning and organizational skills
  • Comfortable, experienced, and accomplished at working with business executives, and able to push back in a professional and diplomatic way
  • Highly collaborative and supportive of the business and its ideas and strategies
  • Vendor- and technology-neutral, more interested in business outcomes than in personal preferences, whether their own or those of business and IT leaders
  • Local (Dallas/Fort Worth area) candidates only – no relocation
  • Must be currently authorized to work in the United States without sponsorship and not require sponsorship in the future

Preferred Qualifications
  • Experience in a financial environment
  • Proven ability to manage and grow a department

Compensation
  • Annual salary of $170,000

Benefits
  • Medical, dental, and vision
  • Voluntary life/AD&D
  • Short-term & long-term disability
  • 401(k) with company match
  • Paid vacation, holidays, and sick time
  • Paid maternity, paternity, extended medical leave, and jury duty
  • Corporate discount program on personal cell phone accounts with select providers
  • Business casual work environment

About Cottonwood Financial
Cottonwood Financial has zero debt, has been profitable every year since inception, and funds its growth entirely through internally generated capital. Headquartered in Irving (Las Colinas), Texas, we operate company-owned locations under our Cash Store brand across the country. Through this national brick-and-mortar footprint, we provide best-in-class customer service and offer an innovative mix of financial products and services to our customers.

We have been named multiple times to the Inc. 5000 list of America’s fastest-growing private companies, as well as to the Dallas 100 list of the fastest-growing private companies in North Texas.
