ABOUT US Coastal is at the forefront of modern banking, combining strong financial infrastructure with cutting-edge Banking-as-a-Service (BaaS) and fintech enablement strategies. We support individuals with their personal banking needs, and we empower businesses by integrating modern banking technology that drives growth, flexibility, and innovation.
At Coastal, we think and move like entrepreneurs: focused on impact, speed, and continuous improvement. We believe in working smart, collaborating deeply, and building solutions that unlock real potential. If you're someone who thrives in a fast-moving environment, loves solving complex problems, and wants to help shape the future of banking, we'd love to meet you.
Requirements
OVERVIEW The Cybersecurity Risk & Controls Engineer owns the day-to-day health of Coastal's Security Program. You will define and maintain our enterprise control baseline aligned to the CRI Profile and FFIEC IT Examination Handbooks, work with control owners to implement automated and policy-aligned control processes, drive the Security Program Calendar to ensure time-bound and cyclical controls occur on schedule, perform and automate internal control testing, and drive continuous control monitoring across cloud, identity, network, endpoint, data, and application domains. This role blends hands-on technical capability with classic GRC rigor. You'll partner with Security Engineering, IT, Business Lines, Risk, Internal Audit, and Compliance to translate regulatory expectations into auditable, automated, and durable controls that reduce risk and enable the business.
RESPONSIBILITIES TO INCLUDE - Control Baseline & Governance
- Define, document, and maintain the enterprise control library mapped to the CRI Profile and FFIEC IT Examination Handbooks, aligning with GLBA, SOX, and PCI DSS where applicable.
- Author and maintain control narratives, RACI, evidence requirements, testing procedures, and control objectives. Manage associated control versioning and approvals.
- Work with technical control owners to implement processes and automations appropriately aligned to written controls, policies, and standards.
- Security Program Operations
- Own the Security Program Calendar to ensure cyclical controls occur on schedule (e.g., user access reviews, network security reviews, vulnerability & configuration scanning, DR/BCP tests, incident response tabletop exercises, vendor re-assessments, policy reviews).
- Track status, remove blockers, and escalate slippage risk for both cyclical/scheduled and continuously operating controls. Maintain related reporting and KRIs/KPIs (on-time completion, pass rate, repeat findings).
- Capture and curate complete, audit-ready evidence with chain of custody using an automation-first approach.
- Internal Control Testing, Continuous Monitoring, & Automation
- Plan and execute Test of Design (TOD) and Test of Operating Effectiveness (TOE): walkthroughs, sampling, re-performance, and result documentation with clear workpapers.
- Partner with Security Engineering and IT to embed "policy as code" and guardrails (e.g., identity, configuration, network segmentation, logging/monitoring). Own implementation of policy-as-code and other proactive automations wherever possible.
- Automate evidence collection and control testing via APIs/queries/scripts (e.g., Azure/Microsoft 365/Entra, Okta, Intune, GitHub, CI/CD, endpoint protection, vulnerability management, ticketing/GRC platforms).
- Implement quality checks for completeness, accuracy, and timeliness of evidence.
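The automation described above, as an added illustration that is not Coastal's code or any vendor's API: one control test run end to end. A constructed identity-provider export (its field names, the control ID "IAM-04" and the system name are assumptions for this example) is first gated for completeness, accuracy and timeliness; only then is the test of operating effectiveness run, and the raw evidence is packaged with a SHA-256 digest, timestamp and collector name so a later reviewer can verify it was not altered after collection.

```python
"""Automated control test with audit-ready evidence capture.

Control under test (hypothetical ID IAM-04): every privileged account
must have MFA enforced. The export format below is an assumption made
for this example, not the schema of any real directory or IdP API.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export, as a collector script might normalise an
# identity-provider API response. Not real data.
SAMPLE_EXPORT = {
    "source": "example-idp",            # hypothetical system name
    "exported_at": "2025-03-03T09:00:00+00:00",
    "accounts": [
        {"id": "u1", "upn": "alice@example.test", "privileged": True,  "mfa_enforced": True},
        {"id": "u2", "upn": "bob@example.test",   "privileged": True,  "mfa_enforced": False},
        {"id": "u3", "upn": "carol@example.test", "privileged": False, "mfa_enforced": False},
        {"id": "u4", "upn": "dave@example.test",  "privileged": True,  "mfa_enforced": True},
    ],
}
# Fixed "current time" so the run is reproducible offline.
SAMPLE_NOW = datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc)

REQUIRED_FIELDS = ("id", "upn", "privileged", "mfa_enforced")
MAX_EVIDENCE_AGE = timedelta(hours=24)   # assumed freshness requirement


def check_evidence_quality(export, now, max_age=MAX_EVIDENCE_AGE):
    """Completeness/accuracy/timeliness gate. Returns a list of problems;
    an empty list means the evidence is usable for testing."""
    problems = []
    try:
        exported_at = datetime.fromisoformat(export["exported_at"])
    except (KeyError, ValueError):
        return ["missing or unparseable exported_at"]
    if exported_at.tzinfo is None:
        problems.append("exported_at lacks a timezone")
    elif now - exported_at > max_age:
        problems.append(f"evidence stale: exported {now - exported_at} ago")
    accounts = export.get("accounts", [])
    if not accounts:
        problems.append("export contains no accounts (empty population)")
    seen = set()
    for i, acct in enumerate(accounts):
        missing = [f for f in REQUIRED_FIELDS if f not in acct]
        if missing:
            problems.append(f"record {i} missing fields {missing}")
            continue
        if acct["id"] in seen:
            problems.append(f"duplicate account id {acct['id']}")
        seen.add(acct["id"])
    return problems


def evaluate_privileged_mfa(export):
    """Test of operating effectiveness over the full population of privileged
    accounts. Returns (passed, population_size, exception_upns)."""
    population = [a for a in export["accounts"] if a["privileged"]]
    exceptions = [a["upn"] for a in population if not a["mfa_enforced"]]
    return (not exceptions, len(population), exceptions)


def build_evidence_record(control_id, export, result, collected_at, collector):
    """Package the raw evidence digest and the test result. Canonical JSON
    (sorted keys, no whitespace) makes the hash reproducible by a reviewer."""
    raw = json.dumps(export, sort_keys=True, separators=(",", ":")).encode()
    passed, population, exceptions = result
    return {
        "control_id": control_id,
        "collected_at": collected_at.isoformat(),
        "collected_by": collector,
        "source": export.get("source", "unknown"),
        "evidence_sha256": hashlib.sha256(raw).hexdigest(),
        "population": population,
        "exceptions": exceptions,
        "result": "PASS" if passed else "FAIL",
    }


def run_control(control_id, export, now, collector="control-test-bot"):
    """Gate the evidence, then test. Unusable evidence yields INCONCLUSIVE
    rather than a pass/fail, so a stale or partial export cannot mask a gap."""
    problems = check_evidence_quality(export, now)
    if problems:
        return {"control_id": control_id, "result": "INCONCLUSIVE", "problems": problems}
    return build_evidence_record(
        control_id, export, evaluate_privileged_mfa(export), now, collector)


if __name__ == "__main__":
    print(json.dumps(run_control("IAM-04", SAMPLE_EXPORT, SAMPLE_NOW), indent=2))
```

On the sample data the record reports a FAIL with one exception (bob@example.test) out of a population of three, which is the workpaper content an auditor would expect; replacing `exported_at` with a date older than the freshness window makes the same run return INCONCLUSIVE instead of a result, which is the behaviour a quality gate should have.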
- Risk Assessment & Issues Management
- Perform targeted cyber/IT risk assessments (technology changes, third parties, products) and recommend compensating controls with clear residual-risk statements.
- Log, track, and validate remediation of issues and control gaps. Verify sustainable fixes and prevent recurrences by updating baselines, standards, and automation.
- Regulatory Exams, Audits & Reviews
- Coordinate, prepare, and run responses to Internal Audit activities, regulatory examinations, independent audits, and customer/partner due diligence.
- Produce concise, defensible narratives, control maps, and evidence packages. Coordinate requests and brief stakeholders.
- Metrics, Reporting & Enablement
- Publish program health dashboards, KRIs/KPIs, and control maturity assessments to Enterprise Risk Management and to management and risk committees.
- Coach control owners on expectations, testing methods, and evidence hygiene.
- Promote a culture of control excellence and continuous improvement.
- Operational Support
- Assist in root-cause analysis for control failures and security events; drive durable corrective actions into standards, IaC/policy-as-code, and Security Program Operations.
- Maintain clear documentation (runbooks, playbooks, standards, FAQs) and contribute to security awareness content.
QUALIFICATIONS - Demonstrated ability to operationalize FFIEC IT Handbooks and the CRI Profile into practical, auditable controls and testing procedures.
- Hands-on skill implementing proactive controls and automating control testing/evidence collection using APIs, various languages (Python, TypeScript, Bash, and/or PowerShell), and data pipelines/dashboards.
- Familiarity with Azure/Microsoft 365/Entra, Okta, Windows/Linux, networks, CI/CD, vulnerability management, EDR, logging/SIEM, and data protection.
- Experience with GRC platforms and workflow/ticketing systems.
- Strong understanding of FFIEC IT Examination Handbooks, NIST CSF, NIST SP 800-53, GLBA, SOX, and PCI DSS and ability to map and rationalize overlapping requirements.
- Excellent written/oral communication with proven ability to influence cross-functional teams and present to management and auditors.
- Bias for automation and measurable outcomes; comfortable in fast-moving, high-accountability settings.
EDUCATION/EXPERIENCE - 8+ years in Cybersecurity Risk, Governance, Compliance, Security Operations, and/or risk engineering. Experience in regulated industries, especially financial services, strongly preferred.
- Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or related field; equivalent experience considered.
- Certifications preferred: CRISC, CISA, CISSP, CISM, CCSK/CCSP, AZ-500 (or comparable).
HOW YOU'LL THRIVE AT COASTAL - Be the Best - Communicate effectively, pay close attention to detail, and prioritize your personal development.
- Be Relentless - Thrive in a goal-oriented environment exercising both patience and persistence. Advocate for our customers and team members and strive to promote the Coastal Difference.
- Be Un-Bankey - Be a forward thinker with a creative mindset. Build long-lasting relationships promoting the Coastal Difference, built on a foundation of integrity, honesty, and trust.
- Embrace Gray Thinking - Use sound judgment while decision-making and problem-solving. Think outside the box.
- Stay Flexible - Organize and strategize effectively while always being prepared to adapt on the fly. Seek efficiencies for Coastal to work smarter, not harder.
- Take Care of Each Other - Understand what it means to be a true team player and have your teammate's back. Practice self-awareness and build your emotional intelligence.
BEING YOU AT COASTAL Coastal Community Bank is an equal opportunity employer. We are committed to providing a workplace free from discrimination and harassment. All employment decisions are based on merit, qualifications, and business needs. We do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, veteran status, or any other protected status under applicable laws.
BENEFITS WE OFFER We're proud to offer a comprehensive benefits package designed to support your health, financial well-being, and work-life balance. Check out our benefits on our careers site! Our offerings include:
- Medical Coverage: Choose from three competitive medical plans to find the coverage that best fits your needs and lifestyle.
- Health Savings Account (HSA): Available with eligible medical plans, offering tax advantages and employer contributions.
- Flexible Spending Accounts (FSA): Options for healthcare and dependent care expenses to help you save on out-of-pocket costs.
- Dental and Vision Insurance: Plans to keep you and your family smiling and seeing clearly.
- Life Insurance: Company-paid basic life insurance with options to purchase additional coverage for yourself and your dependents.
- Long-Term (LTD)/Short-Term Disability (STD): Income protection in the event of a short- or long-term illness or injury.
- Supplemental Benefits: Including Hospital Indemnity, Accident Insurance, and Critical Illness coverage to provide extra financial support when you need it most.
- 401(k) Retirement Plan: A competitive retirement savings plan with company matching to help you plan for the future.
- Paid Time Off: Generous vacation and sick leave policies to support your time away from work.
- Holidays: Enjoy 11 paid holidays throughout the year.
PHYSICAL DEMANDS The physical demands described below are required to perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. While performing the duties of this job, the employee must be able to:
- Sit for extended periods of time.
- Stand for extended periods of time.
- Perform repetitive finger, hand, and arm movement.
- Use electronic office equipment such as a computer keyboard, mouse, ten key, telephone, etc.
- View and read computer screens for extended periods.
- Occasionally stoop, kneel, crouch, or crawl.
- Occasionally lift or move up to 10 pounds.
OTHER DUTIES Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.