Acumen Technology is a security-first Managed Service Provider (MSP) founded in 2016, serving financial institutions, healthcare organizations, and other businesses that take IT and cybersecurity seriously. With more than 25 years of leadership experience in financial services technology, Acumen’s deepest roots are in community banks, credit unions, and regulated financial institutions, while also supporting clients in professional services, healthcare, and construction.
Acumen is SOC 2 Type II certified, FFIEC-aligned, and has been recognized on the Inc. 5000, CRN MSP 500/50, and Nashville Business Journal’s Best Places to Work lists. Our vCISO practice provides hands-on security leadership to organizations that need more than guidance—they need execution.
Being part of the Acumen team means more than just great work. It includes weekly in-office lunches, memorable company events, a comprehensive benefits package, and, most importantly, training in the fine art of holding entire conversations using nothing but GIFs.
ROLE
This is a hands-on practitioner role. You will meet with clients, assess their security posture, and then do the work - drafting the policy, completing the risk assessment, building the remediation plan, and delivering it back to the client in a finished, usable form.
The right candidate thrives on the full cycle: client meeting → assessment → heads-down execution → polished deliverable back in the client’s hands
You will manage a portfolio of clients that is predominantly financial institutions - community banks, credit unions, and financial services firms make up approximately 80% of the practice. The remainder includes clients in professional services, healthcare, and construction.
On any given week, you might:
- Spend a morning walking a community bank through their pre-exam request list, then spend the afternoon drafting their written response findings.
- Design and facilitate a tabletop exercise for a bank's leadership team simulating a ransomware event, then write up the after-action report and deliver it within the week
- Review vendor SOC 2 reports that came in for a client, assess the findings, and produce a risk summary the bank's risk committee can act on
- Rewrite a client's outdated Acceptable Use Policy and Information Security Policy to align with current FFIEC guidance and have both ready for board approval
- Lead a SOC 2 readiness check-in with a professional services client, update their evidence tracker, and coordinate with their external auditor on outstanding items
KEY RESPONSIBILITIES
Bank Exam & Audit Support
- Serve as the primary point of contact for clients preparing for FDIC, OCC, NCUA, and state banking regulator IT examinations, owning the preparation process from start to finish
- Organize and package audit requested items, complete pre-exam readiness checklists, and produce written summaries of control effectiveness that clients can hand directly to examiners
- Review third-party audit findings and examination results, then draft formal written responses, corrective action plans, and remediation timelines on the client's behalf
- Track open findings and recommendations to closure, producing status updates and evidence packages at each milestone
- Maintain current knowledge of FFIEC IT Examination Handbook updates and translate regulatory changes into specific, actionable steps for each client
- Document client check-ins using Microsoft Planner or a similar task management tool, ensuring all action items, deliverables, and blockers are clearly captured, assigned, and tracked through resolution.
SOC 2 Readiness
- Lead clients through SOC 2 Type I and Type II readiness assessments including scoping, gap analysis, control testing, and evidence collection
- Produce formal gap analysis reports with prioritized remediation roadmaps in finished, client-ready form
- Build and maintain client control evidence libraries and audit packages, keeping documentation current between audit cycles
- Coordinate with external auditors on the client's behalf and serve as the primary point of contact throughout the audit process
Tabletop Exercises
- Design, facilitate, and debrief tabletop exercises for community bank clients covering security incident response, business continuity, and disaster recovery scenarios
- Develop realistic, client-specific exercise scenarios based on current threat intelligence and regulatory expectations for financial institutions
- Produce written after-action reports documenting exercise findings, gaps identified, and recommended improvements, delivered to the client within an agreed turnaround
- Update client incident response, business continuity, and disaster recovery plans based on exercise outcomes
Third-Party & Vendor Risk
- Review third-party vendor audit reports (SOC 2, penetration tests, security assessments) on behalf of clients and produce written summaries of findings and risk exposure
- Draft formal vendor risk assessment responses and management memos that clients can file, present to examiners, or include in board reporting
- Maintain client vendor inventories and assessment schedules, tracking due dates and ensuring assessments are completed on time
Security Policy Development
- Draft, update, and maintain client information security policies, standards, and procedures written in plain language, tailored to each client's environment, and ready to adopt without further editing
- Conduct periodic policy reviews against current FFIEC guidance, NIST CSF, and SOC 2 requirements and produce updated versions that reflect any gaps or regulatory changes
- Manage client policy libraries to ensure all documents are versioned, reviewed on schedule, and accessible for audit purposes
Ongoing Client Engagement
- Meet regularly with client stakeholders to review program status, prioritize the work queue, and present completed deliverables
- Manage a multi-client portfolio with disciplined task tracking, clear timelines, and consistent follow-through on every commitment made in a client meeting
- Serve as an advisory resource during client security incidents, providing written guidance on containment, notification obligations, and regulatory reporting requirements