
Information Security Manager

Acumen Technology is a security-first Managed Service Provider (MSP) founded in 2016, serving financial institutions, healthcare organizations, and other businesses that take IT and cybersecurity seriously. With more than 25 years of leadership experience in financial services technology, Acumen’s deepest roots are in community banks, credit unions, and regulated financial institutions, while also supporting clients in professional services, healthcare, and construction.

Acumen is SOC 2 Type II certified, FFIEC-aligned, and has been recognized on the Inc. 5000, CRN MSP 500/50, and Nashville Business Journal’s Best Places to Work lists. Our vCISO practice provides hands-on security leadership to organizations that need more than guidance—they need execution.

Being part of the Acumen team means more than just great work. It includes weekly in-office lunches, memorable company events, a comprehensive benefits package, and, most importantly, training in the fine art of holding entire conversations using nothing but GIFs.

ROLE

This is a hands-on practitioner role. You will meet with clients, assess their security posture, and then do the work - drafting the policy, completing the risk assessment, building the remediation plan, and delivering it back to the client in a finished, usable form.

The right candidate thrives on the full cycle: client meeting → assessment → heads-down execution → polished deliverable back in the client’s hands.

You will manage a portfolio of clients that is predominantly financial institutions - community banks, credit unions, and financial services firms make up approximately 80% of the practice. The remainder includes clients in professional services, healthcare, and construction.

On any given week, you might:

  • Spend a morning walking a community bank through their pre-exam request list, then spend the afternoon drafting their written response findings.
  • Design and facilitate a tabletop exercise for a bank's leadership team simulating a ransomware event, then write up the after-action report and deliver it within the week
  • Review vendor SOC 2 reports that came in for a client, assess the findings, and produce a risk summary the bank's risk committee can act on
  • Rewrite a client's outdated Acceptable Use Policy and Information Security Policy to align with current FFIEC guidance and have both ready for board approval
  • Lead a SOC 2 readiness check-in with a professional services client, update their evidence tracker, and coordinate with their external auditor on outstanding items

 

KEY RESPONSIBILITIES

Bank Exam & Audit Support

  • Serve as the primary point of contact for clients preparing for FDIC, OCC, NCUA, and state banking regulator IT examinations, owning the preparation process from start to finish
  • Organize and package audit requested items, complete pre-exam readiness checklists, and produce written summaries of control effectiveness that clients can hand directly to examiners
  • Review third-party audit findings and examination results, then draft formal written responses, corrective action plans, and remediation timelines on the client's behalf
  • Track open findings and recommendations to closure, producing status updates and evidence packages at each milestone
  • Maintain current knowledge of FFIEC IT Examination Handbook updates and translate regulatory changes into specific, actionable steps for each client
  • Document client check-ins using Microsoft Planner or a similar task management tool, ensuring all action items, deliverables, and blockers are clearly captured, assigned, and tracked through resolution.

SOC 2 Readiness

  • Lead clients through SOC 2 Type I and Type II readiness assessments including scoping, gap analysis, control testing, and evidence collection
  • Produce formal gap analysis reports with prioritized remediation roadmaps in finished, client-ready form
  • Build and maintain client control evidence libraries and audit packages, keeping documentation current between audit cycles
  • Coordinate with external auditors on the client's behalf and serve as the primary point of contact throughout the audit process

 

Tabletop Exercises

  • Design, facilitate, and debrief tabletop exercises for community bank clients covering security incident response, business continuity, and disaster recovery scenarios
  • Develop realistic, client-specific exercise scenarios based on current threat intelligence and regulatory expectations for financial institutions
  • Produce written after-action reports documenting exercise findings, gaps identified, and recommended improvements, delivered to the client within an agreed turnaround
  • Update client incident response, business continuity, and disaster recovery plans based on exercise outcomes

 

Third-Party & Vendor Risk

  • Review third-party vendor audit reports (SOC 2, penetration tests, security assessments) on behalf of clients and produce written summaries of findings and risk exposure
  • Draft formal vendor risk assessment responses and management memos that clients can file, present to examiners, or include in board reporting
  • Maintain client vendor inventories and assessment schedules, tracking due dates and ensuring assessments are completed on time

 

Security Policy Development

  • Draft, update, and maintain client information security policies, standards, and procedures written in plain language, tailored to each client's environment, and ready to adopt without further editing
  • Conduct periodic policy reviews against current FFIEC guidance, NIST CSF, and SOC 2 requirements and produce updated versions that reflect any gaps or regulatory changes
  • Manage client policy libraries to ensure all documents are versioned, reviewed on schedule, and accessible for audit purposes

 

Ongoing Client Engagement

  • Meet regularly with client stakeholders to review program status, prioritize the work queue, and present completed deliverables
  • Manage a multi-client portfolio with disciplined task tracking, clear timelines, and consistent follow-through on every commitment made in a client meeting
  • Serve as an advisory resource during client security incidents, providing written guidance on containment, notification obligations, and regulatory reporting requirements

QUALIFICATIONS

  • 3+ years of information security experience with a strong emphasis on hands-on program execution — risk assessments, policy writing, audit preparation, and control documentation
  • Deep, working knowledge of the FFIEC IT Examination Handbook requirements, including the new tools available to replace the retired Cybersecurity Assessment Tool (CAT)
  • Direct experience completing SOC 2 readiness assessments and producing formal gap analysis and remediation documentation
  • Demonstrated ability to author professional-grade security deliverables - policies, risk assessments, remediation plans, board summaries - independently and to a high standard
  • Strong written communication skills; comfortable producing polished, client-facing documents without editorial support
  • Proven ability to manage multiple client engagements simultaneously with discipline, reliability, and follow-through
  • Active CISSP, CISM, CRISC, or equivalent certification
  • Direct experience preparing financial institutions for FDIC, OCC, or NCUA IT examinations and responding to regulatory findings
  • Familiarity with GRC platforms commonly used in financial services (e.g., Ncontracts, LogicManager, or similar)
  • Working knowledge of HIPAA security rule requirements for healthcare clients and general compliance frameworks applicable to professional services environments
  • Experience with Microsoft 365 security controls as deployed in community bank and small-to-mid-market business environments
  • Background in an MSP, consulting firm, or multi-client security advisory practice

WHAT SUCCESS LOOKS LIKE

In your first 90 days:

  • Own and deliver at least two client engagements end-to-end — from intake meeting to finished deliverable — with high client satisfaction
  • Demonstrate consistent follow-through: every commitment made in a client meeting has a deliverable behind it
  • Establish your working rhythm and task management system for managing a multi-client portfolio

 

Within 12 months:

  • Carry a full client portfolio with strong retention and client satisfaction scores
  • Have guided at least one client through a tabletop exercise, third-party audit, regulatory examination, or SOC 2 audit with documented, positive outcomes
  • Be the person clients call not just for advice, but because they know something finished will come back to them

BENEFITS

  • 100% employer-paid health insurance (medical and dental) and first $1,000 of qualified medical expenses covered
  • Company Matching 401k
  • Flexible hybrid schedule
  • Fun working environment and culture with regular activities both for employees and their families
  • Family vacation bonus at 5th year

WHY ACUMEN TECHNOLOGY

  • Security-first MSP founded in 2016 and led by co-founders with 20+ years of financial services technology experience; security here is not a feature bolted onto an IT company
  • Established credibility in financial services and community banking across the Nashville region and beyond
  • SOC 2 Type II certified, FFIEC-aligned, Inc. 5000 and CRN MSP 500/501 recognized
  • A real client portfolio ready for you - not a build-it-from-scratch assignment
  • A Leadership Team that is accessible, decisive, and invested in the success of this role

Average salary estimate

$135,000 / yearly (est.); min $110,000, max $160,000

Acumen Technology is comprised of the original founders and key employees of a highly respected Nashville IT Consulting firm. Our core strength is our ability to identify and securely deploy the right technology to meet our client's goals. We spec...

EMPLOYMENT TYPE
Full-time, hybrid
DATE POSTED
April 24, 2026