Director of Information Security & Assurance

Seneca Resorts•Niagara Falls, NY

49d

About The Position

The Director of Information Security & Assurance (ISA) is responsible for establishing and maintaining an enterprise-wide information security program to support the confidentiality, integrity and availability of Seneca Gaming Corporation's information assets. The Director of ISA collaborates and consults with IT management and business units to develop appropriate security controls. The Director leads the development of information security policies, procedures, and best practices and works with internal and external teams to implement and promote compliance with those procedures, best practices and/or regulatory compliance requirements. The Director of ISA is responsible for the development of an information security & assurance strategy within the context of a risk-based approach. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements. This position requires a visionary leader with strong leadership skills, business acumen and technology. The Director of ISA will work proactively with business units to implement practices that meet defined policies and standards for information security lead IT risk management activities. The Director will report directly to the CIO and provide guidance for all Information Technology Security and Assurance concerns. The Director will also have an indirect reporting relationship to the SGC Audit Committee for audit compliance services.

Requirements

Must be 18 years of age or older upon employment.
Bachelor's Degree in an Information Technology related field.
Minimum of ten (10) years of experience in an Information Technology management role with a combination of information technology and demonstrable information security and assurance responsibilities.
Minimum of five (5) years in Information Technology project management, systems design and integration and experience leading project teams using formal project management methodologies
A level of pertinent security/risk-focused certification, e.g. Security+, CISSP, CISM, CISA, CRISC.
An equivalent combination of education and/or experience may be substituted for the above requirements.
A deep understanding of and extensive experience with implementing network operating systems, systems design and enterprise architecture, systems development lifecycle (SDLC), project management methodology, asset management, access control systems, network communication protocols and topology, security engineering, public key infrastructure and identity and access management concepts.
Experience with security/risk-specific program/program component development, e.g. information security governance & continuous improvement, security awareness, vulnerability management, data protection, endpoint protection, identity & access management, cryptography & key management, business continuity/disaster recovery, incident response.
Direct experience with IT-based audit processes.
Excellent written and verbal communication skills; interpersonal and collaborative skills; and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
Must be a critical thinker with strong problem-solving skills.
Knowledge of technological trends and developments in the area of information assurance and risk management.
Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
Knowledge of security and control frameworks, such as CIS, NIST, NIGC MICS, PCI DSS, COBIT, and ITIL.
Experience with contract and vendor negotiations.
High level of personal integrity and ethical standards and the ability to professionally handle confidential matters and exemplify the appropriate level of judgment and maturity.
High degree of initiative, dependability and ability to work with little supervision.
Must possess and maintain a valid driver's license and be able to substantiate a safe driving record within the parameters acceptable to our liability insurance carrier.
Must possess excellent communication skills: listening, writing, speaking, and interpersonal skills.
Must have the ability to speak effectively to the public, employees, customers and vendors.
Must have the ability to deal effectively and interact well with the customers, vendors and employees.
Must have the ability to resolve problems/conflicts in a diplomatic and tactful manner.

Responsibilities

Works in close partnership with VP of Information Technology / CIO to ensure coordinated and effective information security operations across all systems and platforms.
Works closely and collaborates with Technical Services, Systems, Network, Operations, Applications and Support teams to ensure alignment between the information security and the enterprise information technology architecture, thus coordinating the strategic planning implicit in these architectures.
Leads and oversees the daily operations of the information security & assurance department and develops programs and best practices on information security domains such as access control, telecommunications and network security, risk analysis and security governance, security architecture, cryptography, operational security, application security, and business continuity/disaster recovery.
Together with the CIO, develops, implements, and monitors, a strategic, comprehensive enterprise information security and risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
Manages the enterprise's security organization, consisting of direct reports and indirect reports and leads all hiring, training, staff development, performance management and annual compensation reviews.
Identifies legal, regulatory, organizational and other requirements and provides recommendations for managing the risk of non-compliance. Identifies gaps between current and desired risk levels.
Develops and communicates organizational information security policies and standards.
Leads the development of and provides management oversight for the information security operating and capital budgets and monitors for variances.
Creates and manages information assurance and risk management awareness training programs for all employees and approved system users.
Acts as the liaison between Internal Audit, Legal, Human Resources and Compliance Departments providing leadership and oversight for audit and information assurance activities.
Works directly with the business units to analyze information security risks and recommends appropriate risk treatment options to manage risk to acceptable levels.
Provides subject matter expertise to executive management on a broad range of information security standards and best practices, such as CIS, NIST, NIGC MICS, PCI DSS, COBIT, ITIL.
Provides strategic and tactical security guidance for all IT projects, including the evaluation and recommendation of technical controls.
Creates and facilitates the information assurance risk assessment process, including reporting and oversight of remediation efforts to address negative findings.
Collaborates on the development of a secure information technology infrastructure that provides reliable, resilient, responsive and secure enterprise information technology services.
Manages security incidents and events to protect corporate IT assets, including intellectual property, fixed assets and the company's reputation.
Coordinates the use of external resources involved in the information assurance program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
Assists in the development of effective disaster recovery policies and procedures.
Develops business-relevant metrics to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation and increase the maturity of the security program.