Date Posted: April 13, 2019
The Vice President, Information Security Officer is responsible for providing strategic and operational leadership for the company’s security management of data, technology, processes, and risks, coordinating alignment across the global enterprise, including the Information Technology department and operational business units. The role establishes and sustains a cyber risk strategy that fits business objectives, implementing a framework that integrates governance, risk, and compliance controls, requirements, oversight, and validation into Information Technology operations and reinforces vigilance across business units in the global enterprise. Accordingly, the position, grounded in deep technical expertise in holistic enterprise architecture and in technologies across security disciplines, is responsible for developing and championing the structure, methods, tools, and metrics for managing cyber risk, ensuring effective and evolving technological defenses, monitoring, reporting, and operational processes, including anchoring incident management. The position directs the resources, both internal staff and external/outsourced agents, that support the components of the strategic cyber security framework, ensuring sustained capability, development, and performance. Applying wide and deep technical and procedural leadership and executive persuasion, the role ensures that the Information Security team and program continuously refine and drive the development and delivery of the comprehensive framework and tactics against clearly defined thresholds, managing information security, privacy, and technology risks across the enterprise’s multiple global business units, its global network, its cloud and federated services, and its data and intellectual property against unauthorized breach, disclosure, or loss.
The role ensures the security program fits inside an Enterprise Risk Management framework in partnership with the corporate Internal Audit function, is appropriately funded/budgeted, and is measured/reported for efficacy and for legal/regulatory compliance at all levels in the enterprise, including the Board of Directors. This position reports to the EVP, CIO.
Essential Duties and Responsibilities:
- Leads the development of the Information Security strategy, its operational model, and its technical tooling, drawing on clearly demonstrated technological prowess spanning all security domains and all layers of enterprise architecture in a global, multi-datacenter business. Validates adoption of the strategy and tactics, through technical credibility and executive persuasion, with appropriate stakeholders across business units, and reports efficacy in a form relatable to audiences at all levels, including the Board of Directors. Monitors progress of the Information Security Strategy and drives its evolution on a regular basis.
- Leads the architecting, development, and implementation of technical/engineered services and the shaping and implementation of operational processes. Provides guidance and oversight of defensive, monitoring, compliance, and reporting tools. Strategically and tactically leads the security operations center per the outlined and continuously evolved enterprise security program.
- Draws on input from Business Segments, Corporate Security, Legal, Internal Audit, the Board of Directors, IT colleagues, and external experts to provide thought leadership that galvanizes the design, development, and adoption of the strategy and tactics, including continuously evolving security tools and procedures in a best-practice mindset fit for the enterprise. Accountable for periodically updating the strategy, tactics, and tools.
- Establishes and monitors budget for implementation of the security operations function.
- Establishes key Information Security reporting metrics.
- Recommends risk avoidance strategies, risk mitigation actions and controls to the enterprise and affiliated business units.
- Establishes and manages a formal process to create, review, and update Information Security Policies and Standards with various stakeholders, including Corporate Security (physical security), HR, and Legal.
- Monitors changes in laws and regulations in coordination with Legal that may affect the global enterprise and affiliated business units’ Information Security.
- Manages policy and standards exceptions processes.
- Tracks and reports on policy and standard exceptions.
- Consults, answers questions, and provides clarity to Business Segment security and IT on Information Security Policies and Standards.
- Establish and sustain organization-wide security technology standards, governance procedures, and performance metrics/monitors to ensure continuous preparation and management of cyber security threats, protecting the company’s information assets.
- Direct the assessment of business and technology risks to ensure they are appropriately identified, evaluated, and profiled for mitigation.
- Identify, select, tailor, and implement underlying security processes, leveraging existing frameworks such as NIST, ISO 27001, and COBIT as appropriate, to mitigate persistent threats and meet the Information Security objectives adopted by the organization.
- Provide management oversight to all activities related to technology compliance with audit requirements such as PCI and SOX, ensuring that technology best practices are being followed for Information Security.
- Establish monitoring and compliance tools to complement implemented safeguard processes.
- Oversee cross-functional Information Security Steering Team, facilitating active agenda to foster continuous evolution of company standards, awareness, preparation, and incident management related to threats.
- Establish formal Preparedness/Incident/Data Breach Response plans and sub-teams, chairing constructs and leading activities as outlined.
- Develop a best practice disaster recovery program, in collaboration with IT Infrastructure/Operations and business operations colleagues, to ensure technology availability and IT operations continuity following an interruption in service caused by a system outage or declared disaster.
- Shapes, motivates, and leads a high-performance security operations team; attracts, recruits, and retains key members of the organization. Execute management functions, such as performance management, salary administration, succession planning, and workload balancing; coach and mentor resources toward progressive development of skills, capabilities, and culture of teamwork.
- Develop communication strategies for informing employees of cyber security initiatives.
- Develop out-year resource plans for addressing future cyber threats and future strategic initiatives.
- Continually seek and consider innovative solutions to business problems spurred by security risks and apply as relevant in support of the organization’s mission.
- Build and maintain effective relationships across company business units toward maintaining awareness and alignment of business and information security objectives.
Required Skills and Competencies:
- Roots in a development, infrastructure, or architecture capacity, applied knowledge of the components across enterprise architecture, and command of end-to-end IT operations, particularly in a “Plan”, “Build”, “Run” model driven by enterprise release management. Depth in the technological and procedural aspects of information security management, attained through experience in a progressively widened domain.
- Understanding of information security risk assessment and risk management procedures/methodologies, proven through leading implementation in previous role, ideally in a global enterprise with multiple data centers, including Cloud. Track record of developing and implementing comprehensive strategic response and recovery strategies, plans, and procedures.
- Depth in:
  - IT Governance, Risk, and Compliance (GRC), Cyber Risk Reporting
  - Establishment of Key Risk and Key Performance Indicators, Incident Readiness and Incident Recovery
  - Information security technologies, markets, and vendors, including firewall, intrusion detection, assessment tools, encryption, certificate authority, web, and application development
  - Audit and assessment methodologies, procedures, and best practices that relate to information networks, systems, and applications
  - Applicable practices and laws relating to data privacy and protection
  - Application security, database technologies used to store enterprise information, directory services, financial information, and information systems auditing
  - Applying current and emerging security technologies to solve business problems
  - Cloud platforms, such as Azure and Google Cloud Platform
- Experience shaping strategy and roadmaps and leading their activation and development. Shaping experience should include NPV-based business case framing/justification for investments.
- Ability to correlate enterprise risk with appropriate administrative, physical and technical security controls
- Strong knowledge of industry and regulatory requirements (e.g., PCI, SOX, Safe Harbor)
- Require one of the following certifications: CISSP, CISM, CISA or industry equivalent
- Familiarity with GDPR
- Excellent problem solving and root cause analysis skills
- Strong verbal and written communication skills, especially in presenting to and interacting with people at all levels across an organization; contributor- and executive-level persuasion skills built through relationships across strata, including the C-suite, Board, law enforcement, legal, and internal audit
- Experience outlining organizational structure against an operational framework in a manner that drives clear accountability and sustained efficacy through development and succession planning
- Experience leading information security teams through proven technical and operational knowledge and inspiring/raising capability through mentorship and individual development; ability to lead through influence, cultivating strong, positive team relations throughout the organization to align interests, collaborate, and achieve results
- Track record of successfully managing programs involving cross-functional people, both internal and external, demonstrating complex project/vendor/change management skills; experience shaping and leading a cross-functional Information Security Steering Committee or similar construct
- Agile, versatile, and flexible, with the ability to work with constantly changing priorities.
Experience and Education:
- 15+ years of progressive experience in Information Technology across “Plan”, “Build”, “Run” components; minimum 10 years of IT management/leadership experience with 5+ years in a role with information security responsibility.
- Bachelor of Science Degree in Engineering Technology, Computer Science, or related/equivalent.
- Advanced degree in technology (computer science/engineering or related field) preferred.
- Some level of Six Sigma qualification desirable.
- Formal Information Security Management certification: CompTIA Security+, CISSP, CISM, CISA, and/or CEH.
- CISO experience preferred