Chief Information Security Officer

EP Wealth Advisors (EPWA) is a wealth management advisory firm with over $42.2 billion as of December 31, 2025, serving predominately high net worth individuals. EPWA fosters an inclusive environment that offers opportunities for our associates to learn, grow and enhance their skills to take on new challenges to progress in their professional careers.

Job Summary:

The Chief Information Security Officer (CISO) is the senior leader accountable for EP Wealth’s enterprise Information Security program, responsible for setting strategy, building and operating a risk-based security function, and ensuring protection of EP’s clients, advisors, and associates.

We are seeking a hands-on, cloud-native Chief Information Security Officer to lead EP’s enterprise information security program as the firm scales. This player-coach will both set security strategy and risk appetite at the Executive/Board level and roll up their sleeves to design and deliver technical controls, processes and measurable outcomes - strengthening identity and access management, endpoint and cloud security, detection & response, data protection, third-party/custodial risk management, and security governance. With a relentless focus on client trust and operational resilience, the CISO will partner closely with Technology, Legal, Compliance, Risk and Business leadership to enable growth while protecting clients and staff, meeting regulatory obligations, modernizing controls and tooling, and ensuring production readiness for cloud, SaaS and data platforms (e.g., Snowflake, Salesforce, Agentforce) and AI initiatives.

Key Responsibilities:

Strategy, Governance, and Risk Leadership

• Define and execute a multi-year Information Security strategy and roadmap aligned with EP’s business priorities, regulatory requirements, and risk appetite.
• Mature security governance: policies, standards, exception management, risk decision frameworks and formal production gates.
• Lead enterprise risk assessments, threat modeling, remediation prioritization, and executive/Board reporting on security posture and program progress.
• Translate security risk into business terms and recommend prioritized investments.

Cloud-Native Security & Architecture

• Lead security architecture and engineering decisions across our cloud environment, with a strong emphasis on:
• Zero Trust principles
• Strong Authentication / MFA, privileged access management (PAM)
• Device trust and conditional access
• Partner with Product & Technology leadership to embed security into architecture reviews, platform selection, and modernization initiatives
• Implement CSPM, runtime protection, IaC scanning, network segmentation, and automated compliance checks for cloud workloads.

Security Operations, Monitoring, and Incident Response

• Oversee security operations including threat intelligence, monitoring, detection, investigation, and response (internal team and/or managed partners)
• Maintain and regularly exercise an Incident Response (IR) program, including playbooks, tabletop exercises, executive communications, and coordination with Legal and external counsel
• Ensure high-confidence processes for evidence handling, third-party coordination, and post-incident lessons learned

Securing Agentic AI & Data

• Lead the security aspects of data protection: classification, encryption, DLP, secure sharing, retention, and data loss prevention controls.
• Define security guardrails for agentic workers and production AI: data minimization, secure feature stores, model access controls, inference governance, model explainability and drift detection.
• Partner with Data & Engineering to secure MLOps pipelines, model registries, and production inference. Ensure safe prompt/data handling and auditability for agents.

Security Culture, Awareness, and Training

• Drive an enterprise security awareness program tailored to EP’s environment (advisor-facing, client-facing, corporate staff).
• Promote a culture of “secure by default,” emphasizing practical behaviors that reduce social engineering risk.

Third-Party and Vendor Risk Management

• Transform and direct program to evaluate and monitor third parties (SaaS, vendors, custodians, and key partners) including:
• Security questionnaires, attestations (SOC 2/ISO), and contract security requirements
• Ongoing monitoring and periodic reassessments

Secure Development and Technology Enablement

• Partner with Engineering/IT to mature secure engineering practices, such as:
• Security requirements in the SDLC
• Vulnerability management and remediation SLAs
• Configuration baselines, hardening standards, and security testing

Team Leadership and Program Operations

• Build, lead, and mentor a high-performing security team and partner ecosystem
• Establish KPIs and program metrics that drive measurable improvement (e.g., phishing resilience, MFA coverage, patch SLAs, EDR coverage)
• Manage budget and vendor relationships to ensure efficient, effective security coverage

Required

• Bachelor’s degree in Information Security, Computer Science, Engineering, or related field (or equivalent experience)
• 10+ years of progressive experience in cybersecurity, including leadership of enterprise security programs
• Demonstrated experience leading incident response and managing stakeholders through high-pressure events
• Strong understanding of security controls and frameworks relevant to a regulated environment
• Proven ability to influence at the executive level and communicate technical risk in clear business terms

Preferred

• Experience in wealth management, RIA, financial services, or similarly regulated industries
• Experience with cloud security (Microsoft ecosystems and modern SaaS environments), identity security, and endpoint security at scale
• Relevant certifications (one or more): CISSP, CISM, CCSP, GIAC (GSEC/GCIH/GCIA), or similar
• Track record of building and maturing security programs in growth environments (M&A integration, platform standardization, and modernization)

EPWA is an equal opportunity employer. Prospective employees will receive consideration without discrimination because of race, creed, color, sex, gender, gender expression, gender identity, sexual orientation, age, religion, national origin, ancestry, mental disability, physical disability, medical condition, genetic information, marital status, military and veteran status, or any other basis protected by law.

#LI-Remote