EP Wealth Advisors (EPWA) is a wealth management advisory firm with over $42.2 billion as of December 31, 2025, serving predominantly high net worth individuals. EPWA fosters an inclusive environment that offers opportunities for our associates to learn, grow and enhance their skills to take on new challenges to progress in their professional careers.
Job Summary:
The Chief Information Security Officer (CISO) is the senior leader accountable for EP Wealth's enterprise Information Security program, responsible for setting strategy, building and operating a risk-based security function, and ensuring protection of EP's clients, advisors, and associates.
We are seeking a hands-on, cloud-native Chief Information Security Officer to lead EP's enterprise information security program as the firm scales. This player-coach will both set security strategy and risk appetite at the Executive/Board level and roll up their sleeves to design and deliver technical controls, processes and measurable outcomes - strengthening identity and access management, endpoint and cloud security, detection & response, data protection, third-party/custodial risk management, and security governance. With a relentless focus on client trust and operational resilience, the CISO will partner closely with Technology, Legal, Compliance, Risk and Business leadership to enable growth while protecting clients and staff, meeting regulatory obligations, modernizing controls and tooling, and ensuring production readiness for cloud, SaaS and data platforms (e.g., Snowflake, Salesforce, Agentforce) and AI initiatives.
Key Responsibilities:
Strategy, Governance, and Risk Leadership
- Define and execute a multi-year Information Security strategy and roadmap aligned with EP's business priorities, regulatory requirements, and risk appetite.
- Mature security governance: policies, standards, exception management, risk decision frameworks and formal production gates.
- Lead enterprise risk assessments, threat modeling, remediation prioritization, and executive/Board reporting on security posture and program progress.
- Translate security risk into business terms and recommend prioritized investments.
Cloud-Native Security & Architecture
- Lead security architecture and engineering decisions across our cloud environment, with a strong emphasis on:
  - Zero Trust principles
  - Strong Authentication / MFA, privileged access management (PAM)
  - Device trust and conditional access
- Partner with Product & Technology leadership to embed security into architecture reviews, platform selection, and modernization initiatives
- Implement CSPM, runtime protection, IaC scanning, network segmentation, and automated compliance checks for cloud workloads.
Security Operations, Monitoring, and Incident Response
- Oversee security operations including threat intelligence, monitoring, detection, investigation, and response (internal team and/or managed partners)
- Maintain and regularly exercise an Incident Response (IR) program, including playbooks, tabletop exercises, executive communications, and coordination with Legal and external counsel
- Ensure high-confidence processes for evidence handling, third-party coordination, and post-incident lessons learned
Securing Agentic AI & Data
- Lead the security aspects of data protection: classification, encryption, data loss prevention (DLP), secure sharing, and retention controls.
- Define security guardrails for agentic workers and production AI: data minimization, secure feature stores, model access controls, inference governance, model explainability and drift detection.
- Partner with Data & Engineering to secure MLOps pipelines, model registries, and production inference. Ensure safe prompt/data handling and auditability for agents.
Security Culture, Awareness, and Training
- Drive an enterprise security awareness program tailored to EP's environment (advisor-facing, client-facing, corporate staff).
- Promote a culture of "secure by default," emphasizing practical behaviors that reduce social engineering risk.
Third-Party and Vendor Risk Management
- Transform and direct the program to evaluate and monitor third parties (SaaS, vendors, custodians, and key partners), including:
  - Security questionnaires, attestations (SOC 2/ISO), and contract security requirements
  - Ongoing monitoring and periodic reassessments
Secure Development and Technology Enablement
- Partner with Engineering/IT to mature secure engineering practices, such as:
  - Security requirements in the SDLC
  - Vulnerability management and remediation SLAs
  - Configuration baselines, hardening standards, and security testing
Team Leadership and Program Operations
- Build, lead, and mentor a high-performing security team and partner ecosystem
- Establish KPIs and program metrics that drive measurable improvement (e.g., phishing resilience, MFA coverage, patch SLAs, EDR coverage)
- Manage budget and vendor relationships to ensure efficient, effective security coverage