Chief Information Security Officer (CISO)

At Swyfft, we're reshaping the way home insurance and commercial package products are priced and bound. We've created an insurance experience that's smart, instant, and designed to deliver unparalleled customer service.

Our focus on lightning-fast quotes and seamless claims servicing is powered by cutting-edge technology and an Agent and Customer-centric approach that sets us apart in the industry.

Joining Swyfft means becoming part of a dynamic team of forward-thinkers who thrive on moving fast and delivering exceptional products. We pride ourselves on fostering an environment where creativity and positive energy thrive.

As we continue to grow and expand, we're on the lookout for experienced professionals like you to join us in transforming the insurance landscape. If you're passionate about leveraging technology to provide the best customer service experience and are ready to be a part of our journey, we welcome you to explore opportunities at Swyfft!

About the Position:

We're looking for a CISO who can do two things exceptionally well: build and run a robust security compliance program AND do hands-on technical security work. This isn't a role where you'll spend 100% of your time on PowerPoint and vendor questionnaires (though there will be some of that). You'll be reviewing architecture, working with our development team on secure design, and making real technical decisions.

The immediate challenge: We're transitioning from a limited exemption to full NYDFS (23 NYCRR 500) compliance, with our first full certification due April 2026. You'll be building our compliance program while also establishing long-term security practices that actually make us more secure, not just check regulatory boxes.

The Reality of Year 1

We want to be transparent: The first year will be challenging. You'll be:

Building the TPSP governance program from scratch (we have a lot of vendors)

Getting us ready for our first full NYDFS certification (April 2026)

Overseeing MFA implementation across thousands of users

Documenting and formalizing security practices we're already doing

It's going to be a mix of rewarding technical work and necessary compliance grinding. After Year 1, the job shifts more toward proactive security work, architecture reviews, and continuous improvement.

If you want a CISO role where you only do compliance paperwork, this isn't it. If you want a role where you only do technical security with zero regulatory work, this also isn't it. But if you want to build a security program that's both compliant AND actually makes the company more secure - and you want to stay technical while doing it - this might be perfect.

*This position is a 100% remote U.S. based opportunity that can be based in one of the following states only: AL, AZ, FL, GA, KY, LA, MA, MO, NC, NJ, NY, OH, OR, PA, SC, TX, UT, VA, WA, WI.

Some travel for day-to-day work, team meetings, and training will be required.

Key Responsibilities: (What you'll be asked to do)

Security Program & Compliance (40-50% in Year 1, 30% ongoing)

Own Swyfft's cybersecurity program end-to-end, including NYDFS compliance

Build and manage our Third-Party Service Provider (TPSP) security governance program (vendor inventory, risk assessments, security questionnaires, ongoing monitoring)

Conduct annual risk assessments and coordinate penetration testing

Create and maintain security policies, incident response plans, and business continuity documentation

Prepare annual board reporting and regulatory certifications

Manage security awareness training program

Coordinate incident reporting to NYDFS when required (72-hour notification window)

Technical Security Work (50-60% in Year 1, 70% ongoing)

Oversee implementation of multi-factor authentication (MFA) across our web platform (currently in planning phase)

Review and improve security architecture for our C#/.NET applications and infrastructure

Work directly with engineering teams on secure development practices and code review for security issues

Manage vulnerability assessments and coordinate remediation with engineering

Design and implement security controls and monitoring capabilities

Evaluate and implement security tooling (SIEM, vulnerability scanning, etc.)

Respond to security incidents and conduct post-incident analysis

Review API security, authentication/authorization patterns, and data protection controls

The Successful Candidate: (What we're looking for)

Pragmatic security mindset: You understand the balance between security and business needs

Self-starter: You can build a program from the ground up with limited hand-holding

Technical credibility: Engineers respect your technical opinions and will listen to your guidance

Efficient with compliance work: You can motor through vendor questionnaires and policy documentation without it consuming your life

Clear communicator: You can explain security risks and recommendations to non-security people without drowning them in jargon

Comfortable with ambiguity: We're building this program - you won't have a playbook to follow

Strongly Preferred

Specific experience with NYDFS 23 NYCRR 500 compliance

Background in financial services or insurance industry

Experience implementing authentication systems (OAuth, SAML, MFA)

CISSP, CISM, or similar security certification

Experience with cloud infrastructure security (AWS, Azure, or GCP)

 Some Requirements:

7-10+ years in information security with a mix of technical and compliance work

Experience with regulatory compliance programs (NYDFS, SOC 2, PCI-DSS, HIPAA, or similar frameworks)

Strong technical background - you should be comfortable reviewing C# code, understanding web application architecture, and discussing database security

Proven track record building security programs, not just maintaining existing ones

Experience working with remote/distributed engineering teams

Excellent written and verbal communication skills (you'll be explaining security decisions to both engineers and executives)

Education:

A Bachelor’s degree in Computer Science, Computer Engineering, or equivalent work experience is required.

Computer Skills:

You don't need to be a full-stack developer, but you should be able to:

Read and understand C# and Typescript code well enough to spot security issues

Review system architecture diagrams and identify security concerns

Understand web application security (OWASP Top 10, authentication flows, API security)

Work with SQL databases and understand data protection requirements

Evaluate security tools and integrate them into development workflows

We’re a MS Office environment (Outlook, Word, Excel, Powerpoint)

Experience using video and chat technology (MSTeams & Slack)

Other:

Reliable high-speed internet connectivity required.

Designated quiet work from home space.

The typical base pay range for this role across the U.S. is: $200,000.00 - $220,000.00 per year + benefits.

There is a different range applicable to specific work locations. This salary range is a good-faith estimate of what Swyfft may pay for this position at the time of posting. Actual compensation may vary based on skills, qualifications, and experience. The range reflects annual compensation (as applicable) and does not include bonuses or other incentives that the company may choose to pay at its sole discretion.

In addition to base compensation Swyfft offers a comprehensive benefit package.

We Have a Great Benefits Package!

Medical, Dental, and Vision

Short- and Long-Term Disability (Company Paid)

Voluntary Long-Term Disability

Employee Life & AD&D (Company Paid)

Voluntary Employee, Spouse, and Child Life & AD&D

Healthcare, Dependent Care and Transit FSA, and Healthcare Savings Account (HSA)

401K with a generous matching contribution and no vesting schedule 

20 days of PTO annually (prorated based on hire date)

Company Paid Holidays and 2 “Choose Your Own Holidays”

It is the policy of Swyfft to provide equal employment opportunities to all employees and applicants for employment without regard to race, religion, color, ethnic origin, gender, gender identity, age, marital status, veteran status, sexual orientation, disability, or any other basis prohibited by applicable federal, state, or local law. EOE/AA/M/D/V/F.

If you require accommodations during the application or interview, please contact Human Resources at [email protected], and we will make every effort to accommodate your needs.

Please Note: Swyfft is not accepting 3rd party agency resumes for this position, please do not forward resumes to our careers email address or Swyfft employees. Swyfft will not be responsible for any fees related to unsolicited resumes.