Chief Information Security Officer

About The Position

Requirements

• Bachelor’s degree in computer science, information technology, engineering, cybersecurity, or a related field.
• Minimum of 10 years of progressive cybersecurity experience, including the design and operation of security architectures for large, complex enterprise environments.
• At least 5 years in a senior leadership role (Director level or above) accountable for cybersecurity strategy, operations, personnel, and budget.
• Demonstrated experience leading enterprise incident response and communicating with executive leadership during cyber incidents.
• Working knowledge of network security architecture sufficient to provide technical direction and to partner credibly with networking and infrastructure leaders.
• Strong understanding of cybersecurity laws, regulations, and frameworks relevant to higher education and research.
• Excellent written and verbal communication skills, including the ability to translate technical risk into business and academic terms.
• Industry certifications such as CISSP, CISM, CISA, CRISC, or equivalent.
• Cybersecurity Frameworks
• Technical Infrastructure Architecture and Design
• Risk Management
• Regulatory Compliance and Controls
• Threat Intelligence and Emerging Technologies
• Strategic Leadership
• Budget and Team Management
• Communication and Collaboration

Nice To Haves

• Master’s degree in cybersecurity, information technology, business, public administration, or a Juris Doctor (J.D.).
• Cybersecurity leadership experience in an R1 research university, academic medical center, or comparable public-sector environment.
• Direct experience with research security requirements (NSPM-33, CUI/CMMC, export controls) and federally sponsored research data security.
• Experience collaborating with data governance and AI governance functions, including secure adoption of generative AI.

Responsibilities

• Set and execute the enterprise information security strategy, aligning cybersecurity priorities with the academic, research, and business mission of USNH and UNH.
• Serve as a member of the CIO’s leadership team, contributing to enterprise IT direction, governance, and resource allocation.
• Build and sustain trusted relationships with senior leaders across academic affairs, the office of research, finance, HR, general counsel, internal audit, the medical and clinical enterprise, and external partners (federal sponsors, peer institutions, REN-ISAC, EDUCAUSE, law enforcement).
• Communicate complex cyber risk topics clearly to the Board, executive leadership, faculty governance, and the broader campus community; serve as a public-facing voice on cybersecurity matters when appropriate.
• Foster a security-aware culture through training, awareness campaigns, and partnership with academic units rather than top-down enforcement.
• Define security requirements, standards, and architecture principles for the campus, research, and cloud network environments.
• Partner with Networking Services on the design and implementation of network segmentation, zero trust network access (ZTNA), micro-segmentation for sensitive research enclaves, secure remote access, and protections for IoT, OT, and lab/instrumentation networks.
• Lead network-focused threat detection, monitoring, vulnerability management, intrusion detection/prevention, and incident response in collaboration with network engineering teams.
• Jointly evaluate and approve network technologies, vendors, and changes that have material security implications.
• Coordinate on protection of research computing networks, HPC environments, and federated/Internet2 connections.
• Lead the institution’s response to evolving research security requirements, including NSPM-33, controlled unclassified information (CUI), CMMC, export controls (EAR/ITAR), and sponsor-specific data security plans.
• Partner with SPA and RCC to operate secure research enclaves and reference architectures that enable faculty to pursue funded research without friction while meeting federal and sponsor obligations.
• Partner with the Office of Sponsored Research, Research Computing, and faculty PIs on data security plans, DMPs, and secure data sharing across institutions.
• Maintain compliance programs spanning HIPAA (clinical and human-subjects research), FERPA, GLBA, PCI DSS, GDPR, and state privacy laws.
• Partner with IT executives responsible for data and analytics, data trustees, and data governance committees to ensure data classification, handling, retention, and access standards are operationalized with appropriate technical controls.
• Co-develop policies and controls for sensitive data across the data lifecycle: identification, ingestion, storage, sharing, analytics, and disposal, particularly for research, student, health, HR, and financial data.
• Collaborate with academic and administrative AI initiatives to establish a secure and responsible AI program: model and data risk assessments, secure use of generative AI and LLMs by faculty, students, and staff, third-party AI vendor review, protection of training data and model artifacts, and guardrails against prompt injection, data leakage, and shadow AI.
• Contribute cybersecurity perspective to AI governance bodies, ethics committees, and academic policy discussions on responsible AI use in teaching, research, and operations.
• Ensure that data governance, AI governance, and cybersecurity controls are mutually reinforcing rather than siloed.
• Direct Information Security Risk Management (ISRM), Cloud Security Architecture, Identity and Access Management (IAM), and Secure Engineering functions, including their development, operations, support, maintenance, and financial management.
• Oversee the security operations center (SOC), threat intelligence, vulnerability management, endpoint security, email security.
• Provide 24x7 incident detection and response capabilities.
• Lead enterprise identity strategy, including SSO, MFA, privileged access management, federated identity (InCommon), and identity governance.
• Provide thought leadership on secure cloud adoption (IaaS, PaaS, SaaS), cloud security posture management, secure DevSecOps, and risk-balanced use of public cloud and third-party services.
• Lead enterprise incident response, including tabletop exercises, ransomware preparedness, breach communications, and coordination with legal counsel, communications, insurance carriers, and law enforcement.
• Maintain and mature the institution’s cybersecurity framework alignment (NIST CSF, NIST 800-53, ISO 27001) and third-party/vendor risk management program.
• Oversee security design and operations for industrial controls systems (SCADA, PLC) associated with core campus physical infrastructure.
• Recruit, develop, and retain a high-performing cybersecurity team in a competitive talent market.
• Develop and manage the cybersecurity budget; ensure sound financial stewardship, prioritization, and transparent reporting.
• Establish and maintain effective working relationships with staff, peer institutions, vendors, auditors, and regulators.
• Plan, implement, and sustain enterprise-class, mission-critical security systems and services.

Benefits

• USNH Employee Benefits