The Director of Information Security Reporting is responsible for establishing and maintaining the information security program to ensure information assets and associated technology, applications, systems infrastructure, and processes are adequately protected.
The DIS is responsible for identifying, evaluating, and reporting on legal and regulatory, IT, and cybersecurity risk to information assets (data, networks, applications, and people), while supporting and advancing business objectives. The DIS must be knowledgeable about both internal and external business environments and ensure that governance of information systems is maintained in a fully functional and secure mode.
The DIS will create and own the security policy, setting the tone for the security program and practices. He/she will be accountable for the content of the security policy and will take a collaborative approach with internal business compliance groups. The DIS will identify applicable regulations and the status of regulatory compliance in the practice of information security. The DIS will reveal and quantify third-party exposure and will employ protections accordingly. A vast array of functions, processes, and procedures to measure the maturity of cybersecurity and risk management is expected, and it is critical to provide a clear understanding of security goals and risk management objectives. A function of the position is to continually measure and manage cyber risk and to establish and cultivate a risk management program.
Facilitate an information security governance structure
Provide regular reporting on the current status of the information security program to senior business leaders as part of a strategic enterprise risk management program
Create and manage a targeted information security awareness training program for all employees and contractors and establish metrics to measure the effectiveness of this security training program
Provide clear risk mitigating directives for projects with components in IT, including mandatory application controls
Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach
Develop, implement, and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled and/or processed by the organization
Develop and enhance an up-to-date information security management framework
Develop and maintain a document framework of continuously up-to-date information security policies, standards, and guidelines
Create a framework of roles and responsibilities with regard to information ownership, classification, accountability, and protection of information assets
Coordinate with the architecture team to build alignment between the security and enterprise architectures, ensuring that information security requirements are implicit in IT architectures and security is built in by design
Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data, and the company’s reputation
Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action
Develop and oversee effective disaster recovery policies and standards
Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support, and in-house consulting in these areas
Other Skills and Characteristics:
Must be authorized to work in the U.S.
Will be required to complete a background investigation
Bachelor’s degree in computer science, information systems, computer engineering, or related field of study, or equivalent experience
10+ years of experience in a combination of risk management, information security, and enterprise application software development and support
Strong knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
Strong knowledge of information security best practices, standards, and frameworks, such as ISO/IEC 27000, NIST 800-53, and PCI DSS
Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
Knowledge of business IT ecosystems, SaaS, IaaS, PaaS, cloud computing, APIs, open data, and open systems
Excellent written, verbal, communication, and presentation skills
Highly collaborative and supportive of business and our ideas and strategies
Remote Work Available
EOE Minority/Female/Protected Veteran/Disability