Chief Information Security Officer (CISO)

Chief Information Security Officer (CISO)

Reporting to the CIO, the Chief Information Security Officer (CISO) is a key role on the

leadership team of the IT department. This position is responsible for the security

of data and information assets. This role has purview over the operational day-to-day measures used to secure data, applications and infrastructure. This role also owns the strategic

initiatives undertaken to continually enhance information security posture.

The CISO will be responsible and accountable for the successful implementation of

well-defined security related projects, and the operational practices related to

information security.

Description of Duties and Tasks

1. Leading and successfully completing projects aimed at improving

security posture with minimal supervision. Success means full scope of work

completed on time, within budget and aligned with established acceptance criteria.

2. Building out and maintaining an information security team that is able to satisfy the

cybersecurity needs

3. Mitigating risks associated with data breaches and data leaks.

4. Establishing, maintaining and continuously testing infrastructure aimed at

operational recovery from outages related to cybersecurity incidents.

5. Continual testing of the environment for security vulnerabilities.

6. Staying current on risks and trends in the world of cybersecurity and reporting on

such to the leadership team.

7. Providing overall day-to-day direction to a team of information security

professionals and 3rd party providers.

8. Contributing to the development of the technology roadmap.

9. Partnering with peers, both within and outside of the IT department to accomplish

shared goals.

10. Defining goals for the teams reporting to the CISO based on the goals of the

broader IT organization.

11. Ensuring team goals are met and work is successfully completed (teams are meeting

established operational targets)

12. Defining the operating model for the information security team using the ITIL

framework and ITSM tools.

13. Reporting data in various formats showing the performance of the information

security team and making recommendations for changes/improvements as needed

to enhance performance.

14. Providing leadership and coaching for InfoSec team members as needed.

15. Establishing and managing relationships with 3rd party product and service

providers as needed to accomplish defined goals.

16. Acting as technical sponsor for all projects within your areas of responsibility.

17. Ensuring information security project requirements, scope, budgets and timelines

are well-defined.

18. Ensuring security projects are well-managed and are being executed as per

established expectations.

19. Administrative aspects of people management for the InfoSec team including, but

not limited to absence approval, performance management, hiring and termination.

20. Managing the operating budget for the InfoSec team as well as budgets for

cybersecurity related projects.

21. Establishing and/or maturing formal standards and practices in the following areas:

a. Identity & Access Management (IAM)

b. Secure data capture

c. Secure data storage, transfer and retrieval

d. Data security policy development, training and risk management

22. Other related duties as assigned.

Knowledge

● Strong working knowledge of various data security frameworks, including NIST, ISO

and SOC.

● Working knowledge of a wide range of technologies and best practices in securing

them, including working knowledge of key concepts in:

a. Database encryption

b. Integration security

c. Server security and patch management

d. Firewalls and network security

e. Application security

f. Mitigating common infrastructure vulnerabilities

● Expert knowledge of the key concepts in user and identity access management.

● Working knowledge of security governance risk and compliance (GRC).

● Working knowledge of the concepts of data privacy regulations, including FERPA

requirements or similar regulated data classifications.

● Knowledge of best practices in security training and awareness.

● Strong knowledge of tools and techniques for data security and data recovery.

● Working knowledge of technology budget planning and budget management

concepts is critical.

● Knowledge of standard accounting practices.

● Knowledge of formal PMI-based project management practices.

● Knowledge of ITIL-based IT Service Management (ITSM) concepts.

Skills

● Extremely strong people management skills are required

● Demonstrated expertise in IT project planning, development and implementation.

Must be able to own multiple initiatives as a project sponsor and see them through

to completion.

● Highly skilled at vulnerability assessment, testing and reporting.

● Managing external partners in the completion of project work as well as outsourced

operational work.

● Strong business and financial acumen.

● Demonstrated expertise is various aspects of data security including access

management, data obfuscation and data breach avoidance.

● Excellent analytical, conceptual thinking and strategic planning skills.

● Influencing skill, including the ability to show the business value of technical

initiatives or extrapolate conceptual technical solutions for business problems such

that non-technical audiences can see that value.

● Must be a self-starter who can not only operate with minimal direction, but who

can also bring new ideas to the table and successfully lead and complete approved

initiatives with minimal supervision.

● Maintaining an established work schedule.

● Effectively using interpersonal and communications skills.

● Effectively using organizational and planning skills with attention to detail and

follow-through.

● Maintaining confidentiality of work-related information and materials.

● Establishing and maintaining effective working relationships, including the ability to

coordinate the work of others.

Required Work Experience

● 7+ years of experience in Information Security roles of progressively increasing

responsibility.

● 4+ years of related work experience leading a Cybersecurity organization.

● 3+ years experience in a technology leadership role where both project and

operational budgeting was a key component of the job.

Required Education

● Bachelor's degree

● Experience cannot be substituted for required, applicable educational level.