Date Posted: January 15, 2020
The primary purpose of this position is to assume accountability for the strategic leadership of the company's information security program. This role will provide guidance and counsel to the CIO and members of the company's Executive Leadership Team, working closely with senior business & technology leaders to define the vision, strategies and goals for information security. In addition, the role will work with senior leadership to determine acceptable levels of risk for the organization. The role will be responsible for the definition and execution of the roadmap required to establish, implement, maintain and improve security, audit and compliance posture. Together with senior leadership, the incumbent will play a significant role in instilling an appropriate information risk and security conscious attitude and mindset into the culture. The role will also mentor and implement professional development plans for the Information Security team members.
Accountabilities & Responsibilities:
Policy, Compliance and Audit
- Lead the development and implementation of effective policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
- Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the company's information and technology systems.
- Establish programs to identify, classify and properly protect data in all areas of the company (data classification).
- Work with internal audit, external auditors, clients, prospective clients and outside consultants on required security assessments, audits and eDiscovery.
- Work with technology, business and compliance leadership to build cohesive security and compliance programs for the corporation that effectively address statutory and regulatory requirements.
- Develop a strategy for dealing with the increasing number of audits, compliance checks and external assessment processes for internal/external auditors, PCI, SOX, HIPAA, GDPR and DFARS.
Outreach, Education and Training
- Work closely with IT leaders and the business on a variety of security issues that require an in-depth understanding of the technology supporting their operations.
- Create education and awareness programs and advise business units at all levels on security issues, best practices, and vulnerabilities.
- Work across Information Technology and Business Units to build awareness and a sense of common purpose around security.
- Pursue employee security initiatives that address unique needs such as identity theft protection, mobile and social media security, and an online reputation program.
Risk Management and Incident Response
- Keep abreast of security incidents and act as the primary control point during significant information security incidents. Convene a Security Incident Response Team (SIRT) as needed, or when requested, to address and investigate security incidents that arise.
- Establish and convene an Ad Hoc Security Committee as appropriate and provide leadership for breach response and notification actions for the Corporation.
- Develop, implement and administer technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
- Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and appropriate policies.
- Examine impacts of new technologies on the company's overall information security. Establish processes to review implementation of new technologies to ensure security compliance.
Security Operations
- Manage all security delivery tools including anti-virus, endpoint encryption, IDS / IPS, DLP, traffic filtering, event monitoring and correlation.
- Manage Identity and Access Management. This includes the provisioning of system access and segregation of duties across all platforms.
- Manage endpoint security including group policy and anti-virus.
- Monitor internal control systems ensuring appropriate access levels are maintained.
Education & Experience:
- Bachelor's Degree in computer science, information systems or business administration
- 10+ years of IT experience
- 7-10 years of experience establishing and managing IT security / security teams, particularly in a manufacturing / operational setting
- CISSP is required
- CISA and CISM preferred
Knowledge & Skills:
- Good working knowledge of NIST, PCI, SOX, HIPAA, GDPR, DFARS, and ISO principles, concepts and practices
- Strong interpersonal skills and excellent organizational skills
- Self-motivated, able to lead a team independently
- Detail oriented, able to multitask and meet deadlines
- Ability to identify/assess business process and IT risks
- Ability to work collaboratively across teams and manage relationships across multiple areas of the business including Audit, Compliance, and other executive stakeholders
- Ability to effectively lead change and motivate cross-functional interdisciplinary teams to achieve tactical and strategic goals
- Sound judgment & ability to effectively balance information risk controls with business productivity and growth
- Ability to communicate technical information, including current and emerging digital security trends and directions, to diverse audiences that include senior management
- Broad knowledge of current and emerging information technology industry trends and directions including common information security management frameworks