Chief Information Security Officer

CSBS Corporate, 1300 I Street NW, Washington, District Of Columbia, United States of America Req #238

Thursday, April 11, 2024

This position is responsible for providing vision, leadership, oversight, and management of CSBS cyber security policies, procedures, and practices. He/she directs, coordinates, plans, and organizes security activities throughout CSBS. Responsible for managing information security risks that affect the organization-wide strategic objectives through ongoing risk assessment. The Chief Information Security Officer (CISO) acts as the focal point for all communications related to security, both with internal staff and third parties, and works with a wide variety of people from different internal organizational units, bringing them together to manifest controls that reflect workable compromises as well as proactive responses to current and future information security risks compliant with relevant laws and regulations. The CISO also provides thought leadership in conjunction with his/her engagement in industry and government forums, and collaboration with state and federal cyber security experts and practitioners. Guidance, direction, and authority for information security activities are centralized for the entire CSBS organization with the CISO.

To perform this job successfully, an individual must be able to perform each essential duty and responsibility satisfactorily. Reasonable accommodations may be made to enable an individual with disabilities to perform the essential functions. Other duties may be assigned to meet business needs.

• Member of the Senior Leadership Team (SLT) – The SLT is a group of peers with individual leadership roles at CSBS and a commitment to working across business units to achieve organizational goals.SLT members collaborate to ensure priorities and resources are aligned to successfully implement CSBS strategies. They are responsible for delivering on those strategies while also demonstrating our values to reinforce a positive and collaborative CSBS culture.
• People Manager – At CSBS, people managers lead and engage staff to maximize organizational performance. Understanding and implementing the organization’s strategies, people managers lead their teams through change with a focus on CSBS’ mission and vision and a commitment to our VIBE. People managers actively participate in the growth and development of their teams – delegating responsibility effectively and providing timely and actionable feedback on performance. Responsible for planning and organizing their team’s activity, people managers are also responsible for creating a positive employee experience while developing high-performing and innovative teams.
• Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
• Develop and maintain the CSBS strategic security program and plan, taking into consideration business, fiduciary, and legal requirements, risk (likelihood and impact), and criticality; and building consensus among stakeholders. Monitor the effectiveness of the information security program and make recommendations for improvements.
• Develop and enhance an up-to-date information security management framework based on the National Institution of Standards and Technology Cyber Security Framework.
• Develop, maintain, and enforce CSBS’ cyber security policies and practices designed to protect sensitive corporate assets, ensure data privacy, and comply with laws and regulations, including the Federal Information Security Management Act (FISMA), Payment Card Industry (PCI) and the Criminal Justice Information System (CJIS) and other applicable -security laws.
• Maintain familiarity with AICPA System and Organization Control Reports such as SOC for Cybersecurity. Conduct periodic audits and assessments to ensure that the company is meeting its obligations under these regulations.
• Create a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection of information assets.
• Manage contractors and outsourcers providing technology services to CSBS, including managed security services, infrastructure engineering, operations, desktop support, and software development. Ensure compliance with the appropriate policies, laws, and regulations.
• Create a risk-based process for the assessment and mitigation of any information security risk at CSBS consisting of supply chain partners, vendors, consumers, and any other third parties.
• Work effectively with business units to facilitate information security risk assessment and risk management processes and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
• Develop, maintain, and enforce CSBS security policies and procedures, for example:
• Identification of sensitive data and policies/practices regarding the identification of sensitive data as well as practices for information labeling, handling, and storage.
• Personnel security, including role-appropriate pre-employment background checks and security awareness training, ensuring necessary and appropriate content and compliance with requirements for each employee to take the training as well as the frequency of updated training.
• Network, infrastructure, and application security.
• Ensure technology solutions adhere to appropriate security practices and meet security requirements, including Software-as-a Service (SaaS) contracts, Infrastructure-as-a-Service (IaaS) contracts, Platform-as-a-Service (PaaS) contracts, and customized software development solutions.
• Provide guidance and make recommendations to CSBS management and the Board of Directors with regard to the security characteristics (i.e., advantages and disadvantages) of various technologies and business practices.
• Ensure contracts with third parties contain appropriate security language, including data privacy and protection language required by state and federal laws. Develop, maintain, and manage a third-party security assessment program for key vendor relationships and third-party providers.
• Manage the CSBS incident response plan. Perform incident response planning, including developing, maintaining, and enforcing the CSBS incident response plan in addition to managing security incidents if/when they occur. This would include coordinating incidents, if applicable, with associated third-party providers and, if applicable, multiple regulatory organizations and stakeholders.
• Coordinate, provide leadership and management for security related audits and inspections. Interface as the primary contact with state and federal regulators and third- party contractors with regard to CSBS’ security posture and practices.
• Collaborate and liaise with the Chief Privacy Officer to ensure that data privacy requirements are included where applicable.
• Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, increase the maturity of the information security, and review it with stakeholders at the executive and board levels.
• Brief leadership and the Board of Directors annually, and as needed, on the security risk posture of the organization.
• Manage the information security budget, ensuring that resources are allocated appropriately to address the most critical risks. This includes identifying and prioritizing security initiatives and working with other leaders in the company to secure funding for these initiatives.

• Provide thought leadership to industry and government forums related to cyber security practices, issues, and challenges in the financial services industry, such as the Executive Leadership of Cybersecurity. Collaborate with industry and government security officials on security-related issues and initiatives, including national security issues impacting the financial services sector.
• Monitor industry trends for changes in physical and cyber security threats and implement planning, policy, and procedure changes in response.
• Contribute to industry and government forums that develop industry guidance and regulations regarding security practices.
• Prepare and present security related briefings for senior CSBS and industry executives as well as state and government regulators.

To perform this job successfully, an individual should possess the knowledge, skills, and abilities listed and meet the amount of education, training and/or work experience required.

Education and Experience

• Master’s degree in technology related discipline or a bachelor’s degree with master’s equivalent work experience in information security, privacy, or compliance.
• Industry Security Certification such as a valid and current CISSP, CISA or CISM certification is desired. Additional certification in CAP (FISMA), PCI QSA, ITIL, CSA CCSK (Cloud) or ISO 27001 is desired, but is optional.
• Minimum of 10 years of experience in security is required. Experiencein the role of a Chief Information Security Officer (CISO)/Chief Security Officer (CSO) of an organization with a significant “footprint” in the financial services industry preferred.
• At least 8 years of experience in managing information security programs in accordance with the Federal Information Security Management Act (44 U.S.C. 3544), guidance and standards from the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS).
• Minimum eight (8) years of management experience.

• Knowledge of, and experience with, current physical and logical security issues and best practices in datacenter infrastructure, networks, end-user computing and applications.
• Knowledge of the cloud computing industry, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), including the security and privacy issues associated with using cloud infrastructure.
• Ability to work calmly during stressful circumstances.
• Strong interpersonal skills and communication skills. Ability to communicate at the executive level, including CXO level personnel as well as the CSBS Board of Directors and the SRR Board of Managers.
• Strong planning and task management skills.
• Strong vendor management skills. Ability to manage and assure successful delivery from outsourced third-party security and infrastructure providers.
• Ability to work in collaboration with a variety of stakeholders to identify and discuss issues.
• Ability to work in fast fast-paced environment managing multiple projects driven by multiple deadlines.

• Must be eligible to obtain or currently possess a U.S. Government clearance at the Public Trust (NACI) moderate level or higher.
• Must be an authorized United States citizen.
• Due to the nature of CSBS’s business in support of state financial services supervision, all CSBS employees have the potential of interacting with confidential information related to the supervision of financial services companies (“Confidential Supervisory Information”). As a result, in addition to general business conflicts of interest, all CSBS employees are expected to disclose conflicts of interest in financial services companies on at least an annual basis and to proactively avoid such conflicts.
• Protect the confidentiality, integrity, and availability of CSBS information and information systems in accordance with CSBS policies and procedures.

Values Instilled Behaviors for Excellence

Member/ Customer Service

• Builds and values relationships.
• Prioritizes work.
• Advocates and advances member's goals.

Teamwork

• Gives credit to others.
• Has a “pitch in” attitude.
• Learns from successes and setbacks.

Respect/Trust

• Listens and learns from others.
• Speaks the truth even when uncomfortable.
• Honors the expertise of others.
• Recognizes the contributions of others.
• Consults and communicates effectively.
• Desires to make others successful.

Ownership/Engagement

• Perseveres through adversity.
• Experiments and takes risks.
• Plans ahead and is forward-thinking.

Core Leadership Competencies

Achievement Oriented Thinking

• Focuses on prioritization – what must your team really accomplish and by when.
• Achieves goals of strategic plan.

Change Management

• Leads and enables change by demonstrating engagement, enthusiasm, advocacy and support for the change which includes being a first adopter.
• Participates throughout the lifecycle of the change.
• Builds a sponsor coalition to drive change success.
• Communicates directly with employees and facilitates open discussions about the change
• Understands and manages resistance to ensure adoption.
• Manages own emotions productively to stay in role.
• Handles emotionally charged situations productively and with empathy.
• Asks for and openly accepts feedback; looks for opportunities to grow.
• Conducts conversations courageously - hitting difficult issues head-on with an eye on maintaining relationships.
• CSBS Corporate, 1300 I Street NW, Washington, District Of Columbia, United States of America