Chief Information Security Officer

Hi, we're Ondo Finance. Our mission is to provide institutional-grade, blockchain-enabled investment products and services. We have both a technology arm that develops decentralized finance technology, and an asset management arm that creates and manages tokenized funds. We were the first company to tokenize exposure to US Treasuries, and have since expanded into several other assets. We are also focused on incubating protocols that can support both tokenized real-world assets and traditional crypto.

Founded by folks from Goldman Sachs Digital Assets Team, we’re backed by some of the best investors in the world including Founders Fund, Coinbase Ventures, Pantera Capital, Tiger Global, and more. We are currently the leaders in the space in terms of AUM and are well capitalized to continue to grow the firm. We're fully remote, with team members across the U.S.

Bolstered Reputation for World-Class InfoSec Program (size/stage/industry adjusted). 

Stakeholders who investigate our InfoSec program — whether customers, auditors, regulators, shareholders, or internal stakeholders — are consistently impressed with the quality, thoroughness, robustness, compliance, and efficiency of the program that it bolsters our reputation and brand. We are considered a thought leader in the emerging area of InfoSec related to blockchain / defi / on-chain finance.

No Major Problems / Never Been Hacked. 

There are no significant security-related snafus that materially impact either the client experience or Ondo’s reputation, both within the US and internationally. The company’s systems and software, including smart contracts, cloud systems and databases, have been secured and defended from hacking, malware, DDoS, internal and external fraud, manipulation and abuse, data breaches and thefts, and other security threats.

Increased Competitiveness. 

Senior leaders agree that our InfoSec program has been a key differentiator in our ability to win deals and partnerships. We have obtained industry-standard certifications (e.g. SOC2) validating the robustness and completeness of our program to external parties.

Clear, Timely, and Accessible Communication. 

Relevant security information is consistently and accurately communicated on time to all relevant parties as needed. InfoSec reporting is easily accessible to internal stakeholders, clear, up-to-date, and visually pleasing. Internally, the InfoSec function’s priorities and activities and well understood by the appropriate members of other teams.

Effective, Efficient, and Secure Information in Operations. 

The InfoSec components of our business continuity plans are robust and consistently up to date. Security permissions are thoughtful, appropriately balance efficiency and security, are approved by our security committee, and are up-to-date. There is consistency between our InfoSec-related operational checklists, internal policies, what is required by law and/or regulation, and what we actually do every day.

Strong Stakeholder Effectiveness. 

The interface and relationships between InfoSec team and stakeholders - including outside service providers as well as other Ondo teams - is effective and harmonious. Internal personnel are educated and up-to-date on all InfoSec information relevant to them for their role, well understand and appreciate the role that InfoSec plays, understand (and comply with) what obligations they have to work with the InfoSec team when and do so effectively.

Security Policy Drafting, Enforcement, Monitoring, and Reporting. 

This should include requirements related to certifications like SOC 1/2/3, GDPR, CCPA, FISMA, etc.

Partner and Vendor Security Assessment. 

Lead and coordinate the security-related parts of the vendor risk assessments. Develop processes that balance thoroughness with speed, resource intensiveness, and practicality.

Partner and Client Diligence - Security Matters. 

Lead and coordinate the response to client or partner diligence questionnaires / questions on security matters.

Internal Security Risk Management Assessment and Scoring. 

Help the Risk Team establish the security portion of the risk management frameworks and related risk scoring systems to evaluate and prioritize security risks, then lead the security portion of regular internal risk assessments.

Permissions / Access Security. 

Own the setting, monitoring, and enforcement of internal access to systems, information, files and data. Own the setting, monitoring, and enforcement of service provider permissions (e.g. Coinbase, bank accounts, brokerage accounts, multisigs). Segregate data and access as needed.

Security Monitoring and Reporting. 

Continuously monitor internal operations and external environments, including the blockchain, for emerging security risks. Regularly prepare and present to senior management, highlighting relevant security risk exposures and trends. In collaboration with Compliance and Risk, own the setting and tuning of monitoring parameters.

Client & Regulator Communications. 

As needed, support client and partner discussions on matters of security and assist with security-related responses / communication with any regulatory organizations.

Business Continuity Planning. 

Provide expert input into the security-related elements of business continuity plans and policies, including backups and redundancy.

Process Development, Management, and Improvement. 

Work closely with product, engineering, compliance, risk and other teams to provide security-related inputs into operational processes and risk management, and update procedures as necessary, including change management. When things go wrong, as appropriate conduct root-cause analysis and make process changes.

Data Security and Redundancy. 

Ensure data is secure, such security meets relevant compliance regimes and security standards, and is sufficiently redundant in the case of primary data loss.

Financial System Security. 

Ensure proper security and access controls are in place for financial accounts, particularly ones that interface with the blockchain.

Blockchain, Software and Infrastructure Security. 

Implement checks and balances on new code and infrastructure deployment. Oversee regular security/health monitoring and pentesting of web apps. Manage VPNs and firewalls. Evaluate technologies for managing security, on- and off-chain. Manage/coordinate software audits, including smart contracts.

Training. 

Help in the development/deployment of security related training company-wide, including phishing and social engineering.

•In-depth knowledge of cybersecurity principles, industry standards, frameworks, and best practices (e.g., ISO 27001, NIST Cybersecurity Framework).

•Strong understanding of risk management methodologies and the ability to assess and prioritize risks effectively.

•Proficient in incident response, including handling and resolving security incidents, conducting investigations, and implementing appropriate remedial actions.

•Excellent knowledge of network security technologies, protocols, and tools.

•Strong knowledge of relevant laws, regulations, and industry standards. Familiarity with specific regulatory requirements related to information security, such as GDPR, CCPA, PCI-DSS, etc.

•Strong leadership and managerial skills, with the ability to build and motivate a small but high-performing information security team.

•Excellent communication and presentation skills, with the ability to effectively convey complex security concepts to technical and non-technical stakeholders.

•Ability to analyze and interpret security logs, reports, and other security-related data to identify trends and patterns.

•Familiarity with security technologies, such as SIEM, IDS/IPS, DLP, endpoint protection, etc.

•Strong problem-solving and critical-thinking skills, with the ability to make sound decisions under pressure.

•Bachelor's degree in computer science, information security, or a related field. A master's degree is preferred.

•Minimum of 10 years of experience in information security, with at least 5 years in a leadership role.

•Proven track record of successfully implementing and managing information security programs in complex organizations, ideally in financial services, cryptocurrency, or other regulated industry environment.

•Experience conducting risk assessments, vulnerability assessments, and penetration testing.

•Experience in developing and implementing security policies, standards, procedures, and guidelines.

•Demonstrated ability to collaborate and build effective relationships with internal and external stakeholders.

•Experience with cloud service providers (AWS, Azure, etc.), and a strong understanding of cloud security.

•Experience in scaling Infosec capabilities at a venture-funded startup a plus.

•Professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Ethical Hacker (CEH) are highly desirable.

•Competitive compensation including salary, future token rights, and/or equity (according to your preferences) — we're well-funded and believe that great talent deserves great compensation

•Full benefits (medical, vision, and dental) and flexible vacation policy (PTO)

•Small remote-first team across many countries — you'll be an early team member helping shape our vision, culture, and design practices

•A+ colleagues — our team includes alumni from Goldman Sachs Digital Assets, Facebook, DeFi protocols like BadgerDAO, private equity funds, hedge funds, and various VC-backed startups

•Best-in-class investors — we are proud to be backed by leading crypto experts (incl. founders of Aave, Quantstamp, and Anchorage) and funds (incl. Pantera, Genesis, DCG, Coin Fund, and CMS)