Chief Information Security Officer position available in
Information Technology Services.
The Chief Information Security Officer (CISO) is responsible for
establishing and maintaining the information security program to
ensure that information assets and associated technology,
applications, systems, infrastructure and processes are adequately
protected in the digital ecosystem in which we operate. The CISO is
responsible for identifying, evaluating and reporting on legal and
regulatory, IT, and cybersecurity risk to information assets, while
supporting and advancing business objectives.
The CISO reports to the Chief Information Officer (CIO), is a
member of the ITS leadership team and serves a key role in
university leadership, working closely with senior administration,
academic leaders, and the campus community. The CISO is an advocate
for the Institution's total information security needs and is
responsible for the development and delivery of a comprehensive
information security strategy to optimize the security posture of
The CISO position requires a visionary leader with sound knowledge
of the college environment and a working knowledge of cybersecurity
technologies covering the college network as well as the broader
digital ecosystem. The CISO will proactively work with business
units and ecosystem partners to implement practices that meet
agreed-on policies and standards for information security. He or
she should understand IT and must oversee a variety of
cybersecurity and risk management activities related to IT to
ensure the achievement of business outcomes where the business
process is dependent on technology. The CISO will be responsible
for implementing and running the enterprise information security
program. The CISO should understand and articulate the impact of
cybersecurity on (digital) business, and be able to communicate
this to the senior stakeholders. A key element of the CISO's role
is working with executive management to determine acceptable levels
of risk for the organization.
The CISO leads the development and implementation of a security
program that leverages collaborations and campus-wide resources,
facilitates information security governance, advises senior
leadership on security direction and resource investments, and
designs appropriate policies to manage information security risk.
The complexity of this position requires a leadership approach that
is engaging, imaginative, and collaborative, with a sophisticated
ability to work with other leaders to set the best balance between
security strategies and other priorities at the campus level.
Characteristic Duties and Responsibilities
1. Lead the information security function across the
company to ensure consistent and high-quality information security
management in support of the business goals. Responsible for the
strategic leadership of the college’s information security
2. Provide guidance and counsel to the CIO and key members of
the college leadership team, working closely with senior
administration, academic leaders, and the campus community in
defining objectives for information security, while building
relationships and goodwill.
3. Promote collaborative, empowered working environments
across campus, removing barriers and realizing possibilities.
4. Facilitate an information security governance structure
through the implementation of a hierarchical governance program,
including the formation of an information security steering
committee or advisory board.
5. Lead information security planning processes to establish
an inclusive and comprehensive information security program for the
entire institution in support of academic and administrative
information systems and technology.
6. Establish annual and long-range security and compliance
goals, define security strategies, metrics, reporting mechanisms
and program services; and create maturity models and a roadmap for
continual program improvements.
7. Determine the information security approach and
operating model in consultation with stakeholders and aligned with
the risk management approach and compliance monitoring of
non-digital risk areas.
8. Provide regular reporting on the current status of the
information security program to enterprise risk teams and the
executive management team as part of a strategic enterprise risk
management program, thus supporting business outcomes.
9. Manage the budget for the information security
function, monitoring and reporting discrepancies. Strategy and
10. Develop an information security vision and strategy that is
aligned to the college priorities and enables and facilitates the
college’s business objectives, and ensures senior stakeholder
buy-in and mandate.
11. Develop, implement and monitor a strategic, comprehensive
information security program to ensure appropriate levels of
confidentiality, integrity, availability, safety, privacy and
recovery of information assets owned, controlled or/and processed
by the college.
12. Develop and enhance an up-to-date information security
management framework based on the following: National Institute of
Standards and Technology (NIST).
13. Create and manage a unified and flexible control framework
to integrate and normalize the wide variety and ever-changing
requirements resulting from global laws, standards and
14. Develop and maintain a document framework of continuously
up-to-date information security policies, standards and guidelines.
Oversee the approval and publication of these information security
policies and practices.
15. Create a framework for roles and responsibilities with
regard to information ownership, classification, accountability and
protection of information assets.
16. Work closely with IT leaders, technical experts, deans and
administrative leaders across campus on a wide variety of security
issues that require an in-depth understanding of the IT environment
in their units.
17. Create the necessary internal networks among the information
security team and line-of-business executives, compliance &
audit, physical security, legal and HR management teams to ensure
alignment as required.
18. Build and nurture external networks consisting of industry
peers, ecosystem partners, vendors and other relevant parties to
address common trends, findings, incidents and cybersecurity
19. Liaise with external agencies, such as law enforcement and
other advisory bodies, as necessary, to ensure that the
organization maintains a strong security posture and is kept
well-abreast of the relevant threats identified by these
20. Create education and awareness programs and advise operating
units at all levels on security issues, best practices, and
21. Pursue security initiatives to address unique needs in
protecting identity theft, mobile social media security and online
22. Lead the development and implementation of effective and
reasonable policies and practices to secure protected and sensitive
data and ensure information security and compliance with relevant
legislation and legal interpretation.
23. Define and facilitate the processes for information security
risk and for legal and regulatory assessments.
24. Monitor the external threat environment for emerging
threats, and advise relevant stakeholders on the appropriate
courses of action.
25. Develop and oversee effective disaster recovery policies and
standards to align with the college business continuity management
(BCM) program goals, with the realization that components
supporting primary business processes may be outside the corporate
perimeter. Coordinate the development of implementation of incident
response plans and procedures to ensure that business-critical
services are recovered in the event of a security event; provide
direction, support and in-house consulting in these areas.
26. Facilitate and support the development of asset inventories,
including information assets in cloud services and in other parties
in the organization's ecosystem.
27. Monitor security incidents and act as primary control point
during significant information security incidents. Convene a
Security Incident Response Team (SIRT) as needed, or requested, in
addressing and investigating security incidents that arise.
28. Convene Ad Hoc Security Committee as appropriate and provide
leadership for breach response and notification actions for the
29. Provide leadership, direction and guidance in assessing and
evaluating information security risks and monitor compliance with
security standards and appropriate policies.
30. Examine impacts of new technologies on the college’s overall
information security. Establish processes to review implementation
of new technologies to ensure security compliance.
31. Coordinate and track all information technology and security
related audits including scope of audits, colleges/units involved,
timelines, auditing agencies and outcomes.
32. Work with auditors as appropriate to keep audit focus in
scope, maintain excellent relationships with audit entities and
provide a consistent perspective that continually puts the
institution in its best light. Provide guidance, evaluation and
advocacy on audit responses.
Knowledge, Skills, Abilities and
* Excellent written and verbal communication skills,
interpersonal and collaborative skills, and the ability to
communicate information security and risk-related concepts to
technical and nontechnical audiences at various hierarchical
levels, ranging from senior executives to technical
* Strategic leader and builder of both vision and bridges,
and able to energize the appropriate teams in the organization.
* Sound knowledge of business management and a working
knowledge of information security risk management and cybersecurity
* Up-to-date knowledge of methodologies and trends in both
higher education and IT.
* Proven track record and experience in developing
information security policies and procedures, as well as
successfully executing programs that meet the objectives of
excellence in a dynamic business environment.
* Poise and ability to act calmly and competently in
high-pressure, high-stress situations.
* Must be a critical thinker, with strong problem-solving
skills Knowledge and understanding of relevant legal and regulatory
requirements, such as: Federal Education Rights and Privacy Act
(FERPA), Health Insurance Portability and Accountability Act
(HIPAA) and Payment Card Industry/Data Security Standard (PCI).
* Excellent analytical skills, the ability to manage
multiple projects under strict timelines, as well as the ability to
work well in a demanding, dynamic environment and meet overall
* Project management skills: scheduling and resource
* Ability to lead and motivate the information security
team to achieve tactical and strategic goals, even when only
"dotted line" reporting lines exist.
* A master of influencing entities and decisions in
situations where no formal reporting structures exist, but
achieving the desirable outcome is vital.
* Degree in business administration or a
technology-related field, or equivalent work- or education-related
* Professional security management certification is
desirable, such as Certified Information Systems Security
Professional (CISSP), Certified Information Security Manager
(CISM), Certified Information Systems Auditor (CISA) or other
* Knowledge of common information security management
frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those
from NIST, including 800-53 and Cybersecurity Framework.
* Excellent stakeholder management skills.
* High level of personal integrity, as well as the ability
to professionally handle confidential matters and show an
appropriate level of judgment and maturity.
* High degree of initiative, dependability and ability to
work with little supervision while being resilient to change.
* Additional background investigations or probes may be
conducted as part of hiring process.
Bachelor's Degree from a regionally accredited institution and
seven (7) to ten (10) years of related experience in a combination
of risk management, information security and IT roles.