Overview
General Summary: The Director of Information Security and Compliance is responsible for providing strategic and operational leadership for the company’s security management of data, technology, processes, and risks, coordinating alignment across the enterprise, including the Information Technology department and operational business units. The role establishes and sustains a cyber risk strategy fit to business objectives, implementing a framework that integrates governance and risk compliance controls, requirements, oversight, and validation into Information Technology operations and underscores vigilance across business units. Accordingly, the position, drawing on deep technical expertise in holistic enterprise architecture and in technologies across security disciplines, is responsible for developing and championing the structure, methods, tools, and metrics for managing cyber risk, ensuring effective and evolving technological defenses, monitors, reporting, and operational processes, including anchoring incident management. Applying broad and deep technical and procedural leadership and executive persuasion, the role ensures continuous activation and refinement of the implemented comprehensive framework and tactics against clearly defined thresholds that protect information security, privacy, and technology across the enterprise’s business units, network, data, intellectual property, and cloud and federated services from unauthorized breach, disclosure, or loss. The role ensures the security program is appropriately funded/budgeted and is measured/reported for efficacy and for legal/regulatory compliance.
Reports to: Chief Information Officer
Essential Duties and Responsibilities:
- Leads the development of the Information Security strategy, its operational model, and technical tooling from clearly demonstrated technological prowess spanning all security domains and all layers of enterprise architecture. Validates adoption of the strategy and tactics, through technical credibility and persuasion, with appropriate stakeholders across business units and reports efficacy in a fashion relatable to audiences at all levels. Monitors progress of the Information Security Strategy and drives its evolution on a regular basis.
- Leads the architecting, development, and implementation of technical/engineered services and the shaping and implementation of operational processes. Provides guidance and oversight of defensive, monitoring, compliance, and reporting tools.
- Incorporates input from functional partners and external experts into the thought leadership that galvanizes the design, development, and adoption of the conceived and implemented strategy and tactics, including continuously evolving security tools and procedures in a best-practice mindset fit for the enterprise. Accountable for periodically updating the strategy, tactics, and tools.
- Establishes and monitors budget for implementation of the security operations function.
- Establishes key Information Security reporting metrics.
- Recommends risk avoidance strategies, risk mitigation actions and controls to the enterprise and affiliated business units.
- Establishes and manages a formal process to create, review, and update Information Security Policies and Standards with various stakeholders, including HR and Legal.
- Monitors changes in laws and regulations in coordination with Legal that may affect the enterprise and affiliated business units’ Information Security.
- Manages policy and standards exceptions processes.
- Tracks and reports on policy and standard exceptions.
- Consults, answers questions, and provides clarity to Information Security Policies and Standards.
- Establish and sustain organization-wide security technology standards, governance procedures, and performance metrics/monitors to ensure continuous preparation and management of cyber security threats, protecting the company’s information assets.
- Direct the assessment of business and technology risks to ensure they are appropriately identified, evaluated, and profiled for mitigation.
- Identify, select, tailor, and implement underlying security processes, leveraging existing frameworks such as NIST, CIS, ISO 27001, and COBIT as appropriate, to mitigate persistent threats and meet Information Security objectives adopted by the organization.
- Provide management oversight to all activities related to technology compliance with audit requirements such as PCI and SOX, ensuring that technology best practices are being followed for Information Security.
- Establish monitoring and compliance tools to complement implemented safeguard processes.
- Establish formal Preparedness/Incident/Data Breach Response plans and sub-teams, chairing constructs and leading activities as outlined.
- Develop a best practice disaster recovery program to ensure technology availability and operations continuity following an interruption in service caused by a system outage or declared disaster.
- While an individual contributor role to begin, shapes the business case for and construct of an evolved security operations team over time. Over time, attract, recruit, and retain members of an information security team, executing management functions, such as salary administration, succession planning, and performance management, toward progressive development of skills, capabilities, and a culture of teamwork. Develop out-year roadmaps/plans for addressing future cyber threats and future strategic initiatives.
- Develop communication strategies for informing employees of cyber security initiatives.
- Continually seek and consider innovative solutions to business problems spurred by security risks and apply as relevant in support of the organization’s mission.
- Build and maintain effective relationships across company business units toward maintaining awareness and alignment of business and information security objectives.
Required Skills and Competencies:
- Roots in a development, infrastructure, or architecture capacity, applied knowledge of the components across enterprise architecture, and command of end-to-end IT operations, particularly in a “Plan”, “Build”, “Run” model driven by enterprise release management. Depth in technological and procedural aspects related to information security management, attained via experience in a progressively widened domain.
- Understanding of information security risk assessment and risk management procedures/methodologies, proven through leading implementation in previous role. Track record of developing and implementing comprehensive strategic response and recovery strategies, plans, and procedures.
- Depth in:
  - IT Governance Risk and Compliance (GRC), Cyber Risk Reporting
  - Establishment of Key Risk and Key Performance Indicators, Incident Readiness and Incident Recovery
  - Information security technologies, markets, and vendors including firewall, intrusion detection, assessment tools, encryption, certificate authority, web, and application development
  - Audit and assessment methodologies, procedures and best practices that relate to information networks, systems, and applications
  - Applicable practices and laws relating to data privacy and protection
  - Application security, database technologies used to store enterprise information, directory services, financial information, and information systems auditing
  - Applying current and emerging security technologies to solve business problems
  - Cloud platforms, particularly Microsoft Azure
- Experience shaping strategy and roadmaps and leading their activation and development. Shaping experience should include NPV-based business case framing/justification for investments.
- Ability to correlate enterprise risk with appropriate administrative, physical and technical security controls
- Strong knowledge of industry and regulatory requirements (e.g., PCI, SOX, Safe Harbor)
- Requires one of the following certifications: CISSP, CISM, CISA or industry equivalent
- Familiarity with GDPR
- Excellent problem solving and root cause analysis skills
- Strong verbal and written communication skills, especially in the areas of presentation and interaction with people at all levels across an organization; contributor- and executive-level persuasion skills developed through relationships across strata, including executives, law enforcement, legal, and HR
- Experience outlining organizational structure against an operational framework in a manner that drives clear accountability and sustained efficacy through development and succession planning
- Experience leading information security teams through proven technical and operational knowledge and inspiring/raising capability through mentorship and individual development; ability to lead through influence, cultivating strong, positive team relations throughout the organization to align interests, collaborate, and achieve results
- Track record of successfully managing programs involving cross-functional people, both internal and external, demonstrating complex project/vendor/change management skills; experience shaping and leading a cross-functional Information Security Steering Committee or similar construct
- Agile, versatile, and flexible, with the ability to work with constantly changing priorities.
Qualifications
Experience and Education:
- 15 years of progressive experience in Information Technology across “Plan”, “Build”, “Run” components; minimum 10 years of IT management/leadership experience with 5 years in a role with information security responsibility.
- Bachelor of Science Degree in Engineering Technology, Computer Science, or related/equivalent.
- Advanced degree in technology (computer science/engineering or related field) preferred.
- Some level of Six Sigma qualification desirable.
- Formal Information Security Management certification: CompTIA Security+, CISSP, CISM, CISA, and/or CEH.
- CISO experience preferred