CISO - Chief Information Security Officer

Washington DC, United States CSBS Full time

This position is responsible for providing vision, leadership, oversight, and management of CSBS cyber security policies, procedures, and practices. Responsible for managing information security risks that affect the organization-wide strategic objectives through ongoing risk assessment. The Chief Information Security Officer (CISO) acts as the focal point for all communications related to security, both with internal staff and third parties, and works with a wide variety of people from different internal organizational units, bringing them together to manifest controls that reflect workable compromises as well as proactive responses to current and future information security risks compliant with relevant laws and regulations. The CISO also provides thought leadership in conjunction with his/her engagement in industry and government forums, and collaboration with state and federal cyber security experts and practitioners. Guidance, direction, and authority for information security activities are centralized for the entire CSBS organization with the CISO.
Reasonable accommodations may be made to enable an individual with disabilities to perform the essential functions. Member of the Senior Leadership Team (SLT) – The SLT is a group of peers with individual leadership roles at CSBS and a commitment to working across business units to achieve organizational goals. People Manager – At CSBS, people managers lead and engage staff to maximize organizational performance. People managers actively participate in the growth and development of their teams – delegating responsibility effectively and providing timely and actionable feedback on performance. Responsible for planning and organizing their team’s activity, people managers are also responsible for creating a positive employee experience while developing high-performing and innovative teams.
Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
Develop and maintain the CSBS strategic security program and plan, taking into consideration business, fiduciary, and legal requirements, risk (likelihood and impact), and criticality; and building consensus among stakeholders. Monitor the effectiveness of the information security program and make recommendations for improvements.
Develop and enhance an up-to-date information security management framework based on the National Institution of Standards and Technology Cyber Security Framework.
Develop, maintain, and enforce CSBS’ cyber security policies and practices designed to protect sensitive corporate assets, ensure data privacy, and comply with laws and regulations, including the Federal Information Security Management Act (FISMA), Payment Card Industry (PCI) and the Criminal Justice Information System (CJIS) and other applicable -security laws.
Maintain familiarity with AICPA System and Organization Control Reports such as SOC for Cybersecurity. Create a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection of information assets.
Manage contractors and outsourcers providing technology services to CSBS, including managed security services, infrastructure engineering, operations, desktop support, and software development. Ensure compliance with the appropriate policies, laws, and regulations.
Create a risk-based process for the assessment and mitigation of any information security risk at CSBS consisting of supply chain partners, vendors, consumers, and any other third parties.
Work effectively with business units to facilitate information security risk assessment and risk management processes and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
Develop, maintain, and enforce CSBS security policies and procedures, for example:
Identification of sensitive data and policies/practices regarding the identification of sensitive data as well as practices for information labeling, handling, and storage.
Personnel security, including role-appropriate pre-employment background checks and security awareness training, ensuring necessary and appropriate content and compliance with requirements for each employee to take the training as well as the frequency of updated training.
Network, infrastructure, and application security.
Ensure technology solutions adhere to appropriate security practices and meet security requirements, including Software-as-a-Service (SaaS) contracts, Infrastructure-as-a-Service (IaaS) contracts, Platform-as-a-Service (PaaS) contracts, and customized software development solutions.
Ensure contracts with third parties contain appropriate security language, including data privacy and protection language required by state and federal laws. Perform incident response planning, including developing, maintaining, and enforcing the CSBS incident response plan in addition to managing security incidents if/when they occur. This would include coordinating incidents, if applicable, with associated third-party providers and, if applicable, multiple regulatory organizations and stakeholders.
Coordinate, provide leadership and management for security-related audits and inspections. Interface as the primary contact with state and federal regulators and third-party contractors with regard to CSBS’ security posture and practices.
Collaborate and liaise with the Chief Privacy Officer to ensure that data privacy requirements are included where applicable.
Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, increase the maturity of the information security, and review it with stakeholders at the executive and board levels.
Brief leadership and the Board of Directors annually, and as needed, on the security risk posture of the organization.
Manage the information security budget, ensuring that resources are allocated appropriately to address the most critical risks. Provide thought leadership to industry and government forums related to cyber security practices, issues, and challenges in the financial services industry, such as the Executive Leadership of Cybersecurity. Collaborate with industry and government security officials on security-related issues and initiatives, including national security issues impacting the financial services sector.
Monitor industry trends for changes in physical and cyber security threats and implement planning, policy, and procedure changes in response.
Prepare and present security related briefings for senior CSBS and industry executives as well as state and government regulators.
To perform this job successfully, an individual should possess the knowledge, skills, and abilities listed and meet the amount of education, training and/or work experience required.
Master’s degree in technology related discipline or a bachelor’s degree with master’s equivalent work experience in information security, privacy, or compliance.
Additional certification in CAP (FISMA), PCI QSA, ITIL, CSA CCSK (Cloud) or ISO 27001 is desired, but is optional.
Experience in the role of a Chief Information Security Officer (CISO)/Chief Security Officer (CSO) of an organization with a significant “footprint” in the financial services industry preferred.
At least 8 years of experience in managing information security programs in accordance with the Federal Information Security Management Act (44 U.
Knowledge of, and experience with, current physical and logical security issues and best practices in datacenter infrastructure, networks, end-user computing and applications.
Knowledge of the cloud computing industry, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), including the security and privacy issues associated with using cloud infrastructure.
Ability to communicate at the executive level, including CXO level personnel as well as the CSBS Board of Directors and the SRR Board of Managers.
Strong planning and task management skills.
Ability to manage and assure successful delivery from outsourced third-party security and infrastructure providers.
Ability to work in a fast-paced environment managing multiple projects driven by multiple deadlines.
Due to the nature of CSBS’s business in support of state financial services supervision, all CSBS employees have the potential of interacting with confidential information related to the supervision of financial services companies (“Confidential Supervisory Information”). As a result, in addition to general business conflicts of interest, all CSBS employees are expected to disclose conflicts of interest in financial services companies on at least an annual basis and to proactively avoid such conflicts.
Protect the confidentiality, integrity, and availability of CSBS information and information systems in accordance with CSBS policies and procedures.
Member/ Customer Service
Gives credit to others.
Consults and communicates effectively.
Experiments and takes risks.

