IT Risk Officer, Sr

Job Locations US-MN-Lake Elmo
Category/Function
Information Technology
Position Type
Regular Full-Time
Requisition ID
2026-20293
Workplace Type
On Site

Overview

Old National Bank has been serving clients and communities since 1834. With over $70 billion in total assets, we are a regional powerhouse deeply rooted in the communities we serve. As a trusted partner, we thrive on helping our clients achieve their goals and dreams, and we are committed to social responsibility and investing in our communities through volunteering and charitable giving. 

 

We continually seek highly motivated and talented individuals as our people are critical to our success. In return, we offer competitive compensation with our salary and incentive program, in addition to medical, dental, and vision insurance.  401K, continuing education opportunities and an employee assistance program are also included in our benefit suite. Old National also offers a variety of Impact Network Groups led by team members who are passionate about driving engagement, creating awareness of diverse backgrounds and experiences, and building inclusion across the organization.  We offer a unique opportunity to join a growing, community and client-focused company that is firmly rooted in its core values.

Responsibilities

Position Summary

 

The IT Risk Officer, Sr — Cybersecurity serves as the primary first-line risk professional for Old National Bank’s cybersecurity and information security operational domains. This senior-level role is the IT Risk Office’s subject matter expert and 1LOD owner for five (5) Tier 1 Assessable Units encompassing Security Operations, Identity and Access Management, Data Protection, Vulnerability Management, and Threat Intelligence. The role is a direct response to the bank’s recent organizational change moving the Information Security and Cyber Security Operations function into the IT organization, creating an immediate requirement for dedicated first-line risk coverage across these domains.

This role operates at the intersection of technical security operations and enterprise risk governance. The IT Risk Officer, Sr — Cybersecurity must be equally fluent in the language of security practitioners and the language of risk committees, translating technical control performance into risk-rated assessments that drive leadership decisions. The position works daily with the CISO organization, Security Operations Center, Identity and Access Management team, and Data Protection engineering functions while simultaneously managing relationships with Internal Audit, Enterprise Risk Management, and regulatory examiners. In addition to leading day-to-day risk oversight, this role serves as a strategic partner to the CISO, collaborating to define, evolve, and execute the enterprise cybersecurity risk strategy — ensuring the bank's security posture is proactively aligned to its risk appetite, business objectives, and evolving threat landscape.

The urgency of this hire reflects the current risk landscape. The IT Risk Officer, Sr — Cybersecurity will serve as the linchpin of the bank’s ability to demonstrate credible first-line oversight to its regulators, auditors, and board.

 

Salary Range

 

The salary range for this position is $98,400/yr - $199,000/yr plus bonus. The base salary indicated for this position reflects the compensation range applicable to all levels of the role across the United States. Actual salary offers within this range may vary based on a number of factors, including the specific responsibilities of the position, the candidate’s relevant skills and professional experience, educational qualifications, and geographic location

 

Key Accountabilities

  • Cybersecurity Risk Strategy & CISO Partnership: Partner directly with the CISO to shape and refine the enterprise cybersecurity risk strategy, ensuring alignment between first-line risk oversight priorities and the security program roadmap. Translate risk assessment findings, threat intelligence, and regulatory expectations into strategic recommendations that inform investment decisions, capability prioritization, and program maturity targets. Provide the CISO with a risk-informed perspective on emerging initiatives (e.g., cloud migration, AI adoption, M&A integration) to enable proactive risk positioning rather than reactive remediation. Co-develop the multi-year cybersecurity risk appetite framework, including thresholds, escalation triggers, and board-reportable risk narratives. Represent the IT Risk Office in cybersecurity strategy forums and steering committees, ensuring risk considerations are embedded in strategic decision-making at the earliest stages.
  • Cybersecurity Risk Assessment & RCSA Execution: Lead comprehensive Risk and Control Self-Assessments (RCSAs) for all five assigned cybersecurity AUs. Conduct targeted risk assessments of security operations, identity governance, data protection, and vulnerability management programs as needed. Evaluate control design and operating effectiveness across the cybersecurity control environment, with particular focus on PCI DSS compliance requirements, IAM access governance, and NIST CSF alignment. Identify control gaps and risk exposures, document findings, and develop risk-rated remediation recommendations in collaboration with domain owners.
  • Issue Management & Remediation Oversight: Take oversight ownership of the open cybersecurity-related issues in the eGRC system. Establish structured remediation tracking, prioritization criteria, and escalation pathways for High and Moderate risk items. Partner with Security Operations, IAM, and Vulnerability Management teams to drive remediation velocity against SLA expectations. Manage OCC regulatory recommendations in cybersecurity domains through completion, ensuring documentation of evidence sufficient for examiner validation. Support PCI remediation program oversight, coordinating across network segmentation, access control, encryption, and monitoring workstreams.
  • Regulatory & Audit Engagement: Serve as the IT Risk Office’s primary point of contact for all cybersecurity-related regulatory examinations, audit engagements, and second-line assessments. Support OCC and FFIEC examinations by providing control evidence, facilitating documentation requests, and preparing IT leadership for examiner discussions. Maintain awareness of emerging regulatory guidance on cybersecurity, AI risk, and third-party technology risk from OCC, FFIEC, and NIST. Translate examination findings into structured remediation plans with clear ownership and milestone tracking.
  • Risk Governance, Monitoring & Reporting: Develop, maintain, and report on cybersecurity-domain Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) that provide meaningful visibility into the health of the cybersecurity control environment. Contribute domain-specific content to executive and board-level risk reporting, the quarterly ISTRM Risk Profile report, and risk appetite monitoring. Monitor the bank’s NIST CSF 2.0 maturity profile across Identify, Protect, Detect, Respond, and Recover domains, tracking progress toward target maturity. Provide credible challenge to cybersecurity program metrics and escalate emerging risk themes.
  • Emerging Technology Risk & Threat Intelligence Integration: Monitor the evolving cybersecurity threat landscape, with particular focus on AI-accelerated attack vectors, adversarial use of generative AI, and the quantum computing cryptographic migration timeline. Partner wit Threat Management team to ensure threat intelligence findings are translated into actionable risk management activities. Assess the cyber risk implications of the bank’s AWS cloud migration, including cloud-native security controls, identity federation, and cloud configuration governance.
  • Team Leadership & Talent Development: Provide day-to-day direction, coaching, and development for two direct reports: a Cybersecurity Risk Analyst and a Vulnerability Management Risk Lead. Define workload allocation, analytical standards, and quality expectations for the sub-team. Mentor team members in risk assessment methodology, regulatory awareness, and professional development. Model the IT Risk Office’s culture of rigor, proactivity, and collaborative partnership with business and technology stakeholders.

 

Key Competencies for Position

  • Technical Credibility & Risk Judgment — Brings genuine cybersecurity depth; can assess control design and effectiveness, not just document process narratives
  • Regulatory Fluency — Understands what examiners look for and can prepare the organization accordingly; has sat in exam rooms and knows how to navigate them
  • Influence Without Authority — Drives remediation velocity through partnership with security teams who do not report to this role
  • Precision & Thoroughness — Produces documentation, evidence packages, and risk assessments that withstand examiner scrutiny
  • Strategic Awareness — Understands how the cybersecurity risk profile connects to the bank’s strategic objectives and communicates accordingly
  • Team Leadership — Develops analysts and junior professionals; models the professional standards expected of the IT Risk Office

 

Qualifications and Education Requirements

  • Experience: Minimum 6–8 years in cybersecurity, IT risk management, or information security governance, with at least 3 years in a financial services environment. Demonstrated experience managing cybersecurity risk assessments, audit engagements, and regulatory examinations. Prior exposure to IAM program governance, PCI DSS compliance, and vulnerability management oversight strongly preferred.
  • Frameworks & Regulations: Deep understanding of NIST CSF 2.0; FFIEC Cybersecurity Assessment Tool; PCI DSS v4.0; CIS Critical Security Controls; and OCC Heightened Standards as they apply to information security. Familiarity with GLBA Safeguards Rule and emerging AI risk frameworks.
  • Technical Proficiency: Fluency with GRC platforms (Archer, ServiceNow IRM, or equivalent); SIEM tooling (Splunk, Microsoft Sentinel); IAM platforms (SailPoint ISC, Entra/Active Directory); cloud security frameworks (AWS Security Hub, AWS Config, CIS AWS Benchmark); and vulnerability management tools (Tenable, Qualys, or equivalent). Understanding of DLP, encryption standards, and network segmentation principles.
  • Analytical & Problem-Solving Skills: Ability to assess complex cybersecurity environments, quantify risk exposure, and prioritize remediation efforts based on business impact, regulatory urgency, and exploitability. Experience developing KRI frameworks and dashboard reporting from operational security data. Comfort working with large issue datasets and translating findings into executive-ready narratives.
  • Communication & Influence: Exceptional written and verbal communication. Ability to translate highly technical cybersecurity findings into business-risk language for executive and board audiences. Demonstrated ability to influence security teams, technology leaders, and assurance partners through insight and credibility rather than positional authority. Experience presenting to risk committees, senior leadership, and external examiners.
  • Education: Bachelor’s degree in Information Security, Computer Science, Information Systems, or related discipline required. Advanced degree a plus. One or more of the following certifications strongly preferred: CISSP, CISM, CISA, CRISC.

 

Key Measures of Success/Key Deliverables:

  • Cybersecurity KRI’s and thresholds are reviewed, validated against industry standards, and updated/refined as appropriate in first six months of hire.
  • Cybersecurity eGRC issue closure rate shows meaningful quarterly improvement against SLA targets within two quarters of hire. All open OCC cybersecurity regulatory recommendations have documented remediation plans and milestone tracking within 90 days of hire.
  • Completion of comprehensive RCSAs for assigned cyber units by end of Q2 2027.
  • IAM strategic initiative (SailPoint ISC) moves from 0% to active remediation roadmap with documented risk acceptance or mitigation milestones
  • IT Risk Office is recognized by Internal Audit and regulators as providing credible, value-added first-line cybersecurity risk oversight.

Old National is proud to be an equal opportunity employer focused on fostering an inclusive workplace and committed to hiring a workforce comprised of diverse backgrounds, cultures and thinking styles. 

 

As such, all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, protected veteran status, status as a qualified individual with disability, sexual orientation, gender identity or any other characteristic protected by law. 

 

We do not accept resumes from external staffing agencies or independent recruiters for any of our openings unless we have an agreement signed by the Director of Talent Acquisition, SVP, to fill a specific position.

 

Our culture is firmly rooted in our core values.

We are optimistic. We are collaborative. We are inclusive. We are agile. We are ethical.

We are Old National Bank.  Join our team!

Options

<p style="margin: 0px;">Sorry the share function is not working properly at this moment. Please refresh the page and try again later.</p>
Share on your newsfeed