
Chief Information Security Officer

United States · Remote · Executive


Founded in 2018, Bakkt, Inc. is a regulated financial technology company building infrastructure for the future of finance. Bakkt's platform serves financial institutions, fintechs, and consumer finance products — providing the compliance, security, and scale required to deliver trusted financial services at a global level. Through its core business pillars, Bakkt powers institutional-grade trading capabilities, AI-enabled programmable finance, and cross-border payment infrastructure.

Bakkt is seeking a strategic Chief Information Security Officer (CISO) to lead our global information security posture and serve as our designated officer for regulatory cybersecurity compliance. This role is designed for an innovative leader who thrives at the intersection of modern engineering velocity and institutional-grade risk management.

Responsibilities

  • Designated Regulatory Authority: Serve as the designated CISO responsible for Bakkt's cybersecurity program in accordance with NYDFS Part 500 requirements. Oversee comprehensive annual risk assessments and manage our annual certification of compliance process.
  • SEC & Public Market Readiness: Lead our organizational process for determining the materiality of cybersecurity incidents. Oversee the timely preparation of all required disclosures and filings in accordance with public market regulations and governance standards.
  • Board Stewardship: Provide quarterly Material Security Risk briefings to the Audit Committee of the Board, translating complex infrastructure threats into actionable business risk metrics.
  • Global Expansion Support: Maintain and evolve our security controls to support international settlement expansion, aligning with global mandates as required (e.g., EU DORA, UK FCA, GDPR).

AI Governance & Stablecoin Infrastructure

  • Agentic AI Security: Establish the governance and security framework for autonomous AI agents, ensuring programmable money movement is resilient against prompt injection, model poisoning, and unauthorized agentic transactions.
  • Stablecoin Settlement Defense: Oversee the security of our end-to-end stablecoin lifecycle, ensuring the cryptographic integrity of minting/burning protocols and the security of reserve management interfaces.
  • Identity-First (Zero Trust) Architecture: Architect a comprehensive security model that applies consistent rigor to both human and non-human identities, implementing modern phishing-resistant authentication and zero-trust principles across the enterprise.
  • Continuous Compliance: Transition our operations from manual GRC to Continuous Controls Monitoring (CCM), ensuring audit evidence is generated in real-time through Policy-as-Code.

Security Engineering & DevSecOps

  • Seamless Security (Shift Left): Foster an internal culture where security is built-in from the start. Replace manual gatekeeping with automated guardrails integrated into our development pipeline, allowing engineers to ship securely without losing speed.
  • Smart Risk Management: Move beyond unprioritized vulnerability lists. Implement a threat-modeling process that prioritizes fixes based on real-world business impact, ensuring engineering teams focus on the risks that actually threaten our environment.
  • Incident Response & Tabletops: Own the global Incident Response and Business Continuity plans. Lead high-stakes tabletop exercises simulating systemic financial failures and AI-driven fraud.
  • Third-Party Risk Management (TPRM): Manage the security lifecycle of critical banking and ICT partners, moving beyond point-in-time assessments to continuous, data-driven vendor monitoring.
  • Talent Development: Lead, develop, and motivate a high-performing team of security subject matter experts in our distributed, remote-first environment.

Ideal Candidate Profile

Requirements

  • The Standard: CISSP required, or a demonstrably equivalent executive credential (CISM, CCISO, or CISA).
  • Financial & Public Co. Pedigree: 12+ years in Information Security, with significant experience operating within a NYDFS-regulated or SEC-reporting public company environment.
  • Infrastructure Depth: Proven success leading security in distributed, cloud-driven (AWS/GCP) environments. Direct experience with stablecoin protocols or AI-driven financial tools is a strong advantage.
  • Preferred Education: Master’s degree (Cybersecurity, MIS, or MBA) and/or senior-level professional designations like GSLC or equivalent executive cybersecurity leadership training.

Leadership & Soft Skills

  • Strategic & Lateral Thinker: Ability to look at complex regulatory frameworks not as obstacles, but as tools for building robust, continuous process improvement.
  • Operational Resolve: Capable of leading difficult, high-stakes conversations where business velocity and regulatory safety intersect.
  • Agile Leadership: Proven ability to lead through ambiguity and rapid change. You are a decisive leader who can pivot strategies in real-time based on shifting market conditions while maintaining team focus on high-priority outcomes.
  • Collaborative Culture Builder: A sophisticated, modern approach to managing and motivating technical subject matter experts in a remote-first, high-growth environment.

Bakkt is devoted to having diversity in its workforce and is proud to be an equal opportunity employer. Bakkt does not make any employment decisions based on race, color, religion, sex, national origin, veteran status, disability, age, sexual orientation, gender identity or any other characteristic protected by law. Must successfully pass a post-offer background check and drug screen. 


California Candidate Privacy Notice
Before submitting your application, please review Bakkt's California Candidate Privacy Notice and Notice at Collection, which explains how Bakkt collects, uses, retains, and discloses applicant and candidate personal information during the recruiting process. The notice is available here: https://bakkt.com/candidate-privacy/

Location & Eligibility

Where is the job: Worldwide (fully remote, anywhere in the world)
Who can apply: Same as job location

Listing Details

First seen: May 26, 2026
Last seen: May 28, 2026

Posting Health

Days active: 0
Repost count: 0
Trust Level: 61%
Scored at: May 26, 2026
