Deputy Chief Information Security Officer, Information Technology

About The Position

Requirements

• Bachelor's or master's degree, including demonstrated coursework in computer science, cybersecurity or a related field
• 12+ years of experience in cybersecurity, with significant leadership experience and a track record of progressive responsibility
• Demonstrated experience operating as a senior leader or second-in-command within an information security organization, with the ability to deputize for a CISO
• CISSP certification is required
• Experience managing security across hybrid on-premises and public-cloud environments (AWS and Azure), including identity and access management
• Experience operating a security program against recognized control frameworks such as the NIST Cybersecurity Framework (CSF) and SOC 2
• Strong knowledge of cybersecurity technologies and tools
• Experience with cybersecurity compliance regulations
• Experience managing and developing cybersecurity teams
• Experience developing a holistic program around cybersecurity, including engagement with business stakeholders
• Experience participating in third-party (vendor) risk management
• Experience supporting client-facing security due diligence (e.g., client and consultant security questionnaires, DDQs and RFPs)
• Experience with disaster recovery and operational resilience for technology services
• Strong communication and interpersonal skills, including the ability to communicate technical concepts to non-technical stakeholders and to present to senior leadership and committees

Nice To Haves

• Additional certifications such as CISM and CISA
• Familiarity with AI governance and risk frameworks (e.g., NIST AI Risk Management Framework) and emerging AI security credentials such as ISACA’s Advanced in AI Security Management (AAISM)
• Experience driving an automation-first approach to cybersecurity operations to strengthen operational resilience and keep pace with an accelerating threat landscape preferred
• Experience in financial services or another regulated industry preferred
• Experience reporting to or presenting to executives, risk committees or boards preferred

Responsibilities

• Partner with the CISO to develop NISA's enterprise cybersecurity strategy and roadmap, and integrate it with the enterprise technology strategy
• Hold enterprise-wide accountability for NISA's information security program — its design, implementation and day-to-day operation
• Coordinate the development and maintenance of cybersecurity policies, procedures and standards to protect the organization’s assets and information
• Oversee regular risk assessments and vulnerability scans to identify potential threats and vulnerabilities
• Manage cybersecurity incident response activities and lead investigations into security incidents
• Lead, mentor and develop the cybersecurity team; assess and strengthen the team’s skills and capabilities, including augmenting and upskilling existing personnel
• Participate in the firm’s third-party (vendor) risk management program, assessing and monitoring the security posture of vendors and service providers
• Support client-facing security due diligence, including responses to client and consultant security questionnaires, due diligence questionnaires (DDQs) and requests for proposal (RFPs)
• Manage security across NISA’s hybrid on-premises and public-cloud environment (AWS and Azure), including identity and access management (IAM) as an evolving area of the program
• Work with internal teams and external vendors to select, implement and manage security technologies and tools, including firewalls, intrusion detection and prevention systems and security information and event management (SIEM) systems
• Maintain the security program against recognized control frameworks, including the NIST Cybersecurity Framework (CSF) and SOC 2
• Develop, implement and refine security controls and guardrails for the firm’s adoption of artificial intelligence (AI) — an evolving area the Deputy CISO will be expected to manage as it matures.
• Ensure compliance with relevant cybersecurity regulations, including the firm’s obligations as an SEC-registered investment adviser and applicable DOL regulations
• Develop and deliver cybersecurity training and awareness programs to educate employees on best practices for information security
• Support disaster recovery (DR) capabilities for critical technology services and contribute to the firm’s operational resilience, partnering with the risk function, which owns business continuity planning
• Collaborate across the firm, including with the technology solutions team, to embed security into projects and day-to-day operations
• Present to executive and board-level risk and governance committees, explaining NISA’s cybersecurity and technology risks and the controls in place to manage them
• Participate in security audits and assessments to ensure compliance with industry standards and regulations

Benefits

• health, dental, vision and life insurance options
• paid time off
• a competitive retirement plan
• onsite cafeteria
• fitness center
• a health and wellness program
• an educational assistance program