Chief Information Security Officer

About The Position

Requirements

• 7 to 10 years of relevant experience
• Five years in a significant leadership role
• 5-7 years prior experience in cybersecurity and risk
• Knowledge and understanding of relevant legal and regulatory requirements
• Knowledge of common information security management frameworks such as NIST
• Demonstrated Legal IT contract knowledge
• Strong communication and relationship management skills
• Sound knowledge of business management and a working knowledge of cyber risk management and cyber technologies
• Experience in financial analysis, forecasting, and reporting
• Bachelor's Degree Required

Nice To Haves

• Certified Information Systems Security Profession Certification desired

Responsibilities

• Facilitates a cybersecurity governance structure through the implementation of a hierarchical governance program, including the formation of a cybersecurity steering committee or advisory board
• Provides regular reporting on the current status of the cybersecurity program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes
• Develops, socializes and coordinates approval and implementation of security policies
• Works with the vendor management office to ensure that cybersecurity requirements are included in contracts by liaising with vendor management and procurement organizations
• Directs the creation of a targeted cybersecurity awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences
• Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
• Advises on the cyber risk posture of the organization, including the mandatory application of controls
• Embeds Cyber Judgement across a centralized or decentralized or distributed decision making model
• Owns the security champion program to mobilize employees in all locations
• Leads the cybersecurity function across the company to ensure consistent and high-quality information security management in support of the business goals
• Determines the cybersecurity approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
• Manages the budget for the cybersecurity function, monitoring and reporting discrepancies
• Manages an effective cybersecurity organization, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring (and conducting background checks), training, staff development, performance management and annual performance reviews
• Develops a cybersecurity vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate
• Develops, implements and monitors a strategic, comprehensive cybersecurity program to ensure appropriate levels of confidentiality, integrity, availability of information assets owned, controlled or/and processed by the organization as well as the meeting of safety, privacy, reliability and resilience requirements as needed
• Advises on the identification of non-IT managed IT services in use ("citizen IT") and on facilitating a corporate IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensures that risk is reduced to the appropriate levels and ownership of this cybersecurity risk is clear
• Works effectively with business units to facilitate cybersecurity risk assessment and risk management processes, and empowers them to make the right decisions that fall within the risk appetite of their organization
• Enhances the security posture by adopting a cybersecurity framework that is applicable to the organization: NIST
• Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations
• Develops and owns a document framework of continuously up-to-date cybersecurity policies, standards and guidelines
• Oversees the approval and publication of these cybersecurity policies and practices
• Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets
• Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, and increases the maturity of the cybersecurity, and reviews it with stakeholders at the executive and board level
• Provides input for the IT section of the company's code of conduct
• Creates the necessary internal networks among the cybersecurity team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required
• Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
• Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
• Liaises with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that cybersecurity requirements are implicit in these architectures and security is built in by design
• Collaborates and liaises with the privacy officer to ensure that privacy requirements are included where applicable
• Defines and facilitates the processes for cybersecurity risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
• Ensures that security is embedded in the project delivery process by providing the appropriate cybersecurity policies, practices and guidelines
• Manages and contains cybersecurity incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
• Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
• Develops and oversees effective resilience policies and standards to align with the enterprise resilience program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter
• Coordinates the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
• Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem

Benefits

• competitive rates and compensation programs
• comprehensive benefits program, including health, dental, vision, life, disability, and retirement
• attractive working conditions
• opportunities for career growth through professional development