Chief Information Security Officer

Chief Information Security Officer position available in Information Technology Services.

​

General Function

The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

The CISO reports to the Chief Information Officer (CIO), is a member of the ITS leadership team and serves a key role in university leadership, working closely with senior administration, academic leaders, and the campus community. The CISO is an advocate for the Institution's total information security needs and is responsible for the development and delivery of a comprehensive information security strategy to optimize the security posture of the college.

​

The CISO position requires a visionary leader with sound knowledge of the college environment and a working knowledge of cybersecurity technologies covering the college network as well as the broader digital ecosystem. The CISO will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. He or she should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program. The CISO should understand and articulate the impact of cybersecurity on (digital) business, and be able to communicate this to the senior stakeholders. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization.

​

The CISO leads the development and implementation of a security program that leverages collaborations and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security risk. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the campus level.
 

Characteristic Duties and Responsibilities

1.  Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals. Responsible for the strategic leadership of the college’s information security program.

2.  Provide guidance and counsel to the CIO and key members of the college leadership team, working closely with senior administration, academic leaders, and the campus community in defining objectives for information security, while building relationships and goodwill.

3.  Promote collaborative, empowered working environments across campus, removing barriers and realizing possibilities.

4.  Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.

5.  Lead information security planning processes to establish an inclusive and comprehensive information security program for the entire institution in support of academic and administrative information systems and technology.

6.  Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements. 

​

7.  Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.

​

8.  Provide regular reporting on the current status of the information security program to enterprise risk teams and the executive management team as part of a strategic enterprise risk management program, thus supporting business outcomes.

​

9.  Manage the budget for the information security function, monitoring and reporting discrepancies. Strategy and Frameworks.

​

10. Develop an information security vision and strategy that is aligned to the college priorities and enables and facilitates the college’s business objectives, and ensures senior stakeholder buy-in and mandate. 

​

11. Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the college.

​

12. Develop and enhance an up-to-date information security management framework based on the following: National Institute of Standards and Technology (NIST).

​

13. Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.

​

14. Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.

​

15. Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.

​

16. Work closely with IT leaders, technical experts, deans and administrative leaders across campus on a wide variety of security issues that require an in-depth understanding of the IT environment in their units.

​

17. Create the necessary internal networks among the information security team and line-of-business executives, compliance & audit, physical security, legal and HR management teams to ensure alignment as required.

​

18. Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.

​

19. Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.

​

20. Create education and awareness programs and advise operating units at all levels on security issues, best practices, and vulnerabilities.

​

21. Pursue security initiatives to address unique needs in protecting identity theft, mobile social media security and online reputation program.

​

22. Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.

​

23. Define and facilitate the processes for information security risk and for legal and regulatory assessments.

​

24. Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.

​

25. Develop and oversee effective disaster recovery policies and standards to align with the college business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter. Coordinate the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.

​

26. Facilitate and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.

​

27. Monitor security incidents and act as primary control point during significant information security incidents. Convene a Security Incident Response Team (SIRT) as needed, or requested, in addressing and investigating security incidents that arise.

​

28. Convene Ad Hoc Security Committee as appropriate and provide leadership for breach response and notification actions for the college.

​

29. Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and appropriate policies.

​

30. Examine impacts of new technologies on the college’s overall information security. Establish processes to review implementation of new technologies to ensure security compliance.

​

31. Coordinate and track all information technology and security related audits including scope of audits, colleges/units involved, timelines, auditing agencies and outcomes.

​

32. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on audit responses.

​

Knowledge, Skills, Abilities and Characteristics

*  Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from senior executives to technical specialists.

​

*  Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization.

​

*  Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies.

​

*  Up-to-date knowledge of methodologies and trends in both higher education and IT.

​

*  Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment.

​

*  Poise and ability to act calmly and competently in high-pressure, high-stress situations.

​

*  Must be a critical thinker, with strong problem-solving skills Knowledge and understanding of relevant legal and regulatory requirements, such as: Federal Education Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security Standard (PCI).

​

*  Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.

​

*  Project management skills: scheduling and resource management.

​

*  Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist.

​

*  A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital.

​

*  Degree in business administration or a technology-related field, or equivalent work- or education-related experience.

​

*  Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.

​

*  Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework.

​

*  Excellent stakeholder management skills.

​

*  High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.

​

*  High degree of initiative, dependability and ability to work with little supervision while being resilient to change.

​

*  Additional background investigations or probes may be conducted as part of hiring process.

 

 

Minimum Requirements

Bachelor's Degree from a regionally accredited institution and seven (7) to ten (10) years of related experience in a combination of risk management, information security and IT roles.