Director, Information Security



Washington DC United States WilmerHale Full time

WilmerHale is a leading, full-service international law firm with 1,000 lawyers located throughout 12 offices in the United States, Europe and Asia. Our lawyers work at the intersection of government, technology and business, and we remain committed to our guiding principles of providing quality, excellent legal and client services; developing diversity among our lawyers and staff and cultivating an environment that promotes an ambitious spirit, collaboration and collegiality by drawing on the extraordinary talents and dynamic experience of our lawyers. Our goal is to reflect the diversity of our clients and the communities in which we practice.


What You Will Be Doing


The Director, Information Security is responsible for directing IS strategy and activities related to information security. The Director provides leadership and direction to a team responsible for developing and implementing an overall enterprise security strategy, program, and architecture that minimizes information-related loss and meets client and regulatory requirements. Develops, monitors and enforces firm-wide information security policies to ensure that appropriate access to, and the confidentiality of, firm, client and private information is maintained. Conducts information risk assessments as an integral part of business planning involving General Counsel, internal experts and business owners as required. Serves as a liaison to firm clients in all matters of information security including completion of client audits and review of RFPs and outside counsel guidelines. Leads and coordinates the firm's tactical and operational response to information security incidents. Identifies and reports on information security incidents to firm management. Manages organizational risk by ensuring the protection of the enterprise infrastructure with a layered system of technical defenses including firewalls, intrusion detection and prevention, antivirus, and content monitoring. Provides risk review and approval of changes to systems, applications and facilities. Leads the evaluation and recommendation of security products, services and/or procedures to enhance productivity and effectiveness. Leads risk assessments of firm vendors and solution providers. Oversees and conducts security awareness programs and provides education on security policies and practices.


Ensures that staff members are providing quality service to internal members/departments of the Firm as well as external clients and vendors by displaying professionalism via electronic and print correspondence, over the telephone and in-person and by encouraging an atmosphere that rewards a "can do" attitude.


About The Role


  • Manages Information Security staff, including scheduling, performance evaluation, salary recommendation and related personnel actions.
  • Identifies areas of risk to firm, client and private information and leads risk assessments to determine appropriate remediation, serving as a liaison to General Counsel in this regard.
  • Works directly with firm clients to address information security concerns and complete written and in-house security audits, negotiating and implementing requested security training and technical measures.
  • Works with the business to review Outside Counsel Guidelines and Requests for Proposal, confirming the firm's ability to meet requirements and requesting changes as warranted.
  • Directs firm activities and resources to achieve and maintain compliance with information security standards such as state and federal privacy laws, ISO 27002/1, and General Data Protection Regulation.
  • Leads and coordinates the firm's operational response to information security incidents that threaten firm, client and private information, directing forensics and organizing communications. Identifies and reports on information security incidents to firm management.
  • Approves changes to firm systems, applications and policies that may affect the security of firm, client and private information. Serves as the internal auditor for information security processes.
  • Works closely with senior leaders, line-of-business managers, the IT organization, and others to establish an effective security governance framework, support the delegation of authority, manage budgets, ensure effective enterprise risk management and support the establishment of measurable controls.
  • Serves as an internal information security consultant to the Department and Firm. Advises the department with current information about information security technologies and related regulatory issues.
  • Develops a strategic vision for the security program; organizes resources for effective security policies, practices and processes; and develops an annual security plan. Identifies enterprise systems, processes, and information resources that require security protections.
  • Identifies areas where existing security architecture requires change or development. Ensures local security standards align with international and national standards. Stays up to date with Security (legal requirements, policy and technology) developments in the commercial world and especially in the area of the law so that the firm remains at the forefront of any security related developments affecting the firm and the firm's clients.
  • Monitors multiple logs across diverse platforms to uncover specific activities as they occur from platform to platform. Analyzes security analysis reports for security vulnerabilities and recommends feasible and appropriate options. Reports on significant trends and vulnerabilities.
  • Develops, maintains, publishes, and communicates enterprise-wide security standards, procedures and guidelines. Ensures that adherence to those standards is monitored and enforced.
  • Oversees the security infrastructure; for example identity and access management, firewalls, antivirus and intrusion detection system/intrusion prevention system. Monitors internal control systems to ensure that appropriate information access levels and security clearances are maintained. Monitors the security infrastructure for policy violations or security events, conducts security engineering, assists with resolution of escalated incidents and participates in problem management activities.
  • Improves security awareness and instills a risk-aware culture in the organization, ensuring that personnel fully understand the risk implications of their IT assets.
  • Measures and reports on the effectiveness and efficiency of security activities and capabilities. Manages, monitors, and matures security processes (for example, identity and access management; and threat and vulnerability management).
  • Oversees IT security within the system development lifecycle, change management, production systems support and technology-enabled projects (user administration, security logging, secure process flow, security best practices).
  • Develops and leads information security projects, adhering to budgets, project plans, and business objectives.
  • Negotiates security-related software licensing and support agreements.
  • Oversees security reviews of potential new firm technology tools as part of the broader due diligence process.
  • Assumes additional responsibilities as assigned.

What You Will Bring/Your Qualifications


  • Strategic thinking and planning abilities required.
  • Analytical thinking:
    • Able to break down raw information and undefined problems into specific, workable components that in turn clearly identify the issues at hand.
    • Makes logical conclusions, anticipates obstacles and considers different approaches that are relevant to the decision-making process.
  • Demonstrated team player with ability to effectively meet challenges, influence and drive consensus within the team.
  • Enterprise business knowledge:
    • Solicits information on enterprise direction, goals and industry competitive environment to determine how own function can add value to the organization and to customers.
    • Makes decisions and recommendations clearly linked to the organization's strategy and financial goals, reflecting an awareness of external dynamics.
  • Risk management:
    • Identifies risks and obstacles to plans. Defines scarcity and conflicts of resource needs, and potential constraints.
    • Investigates risks within various project elements, assesses impact, and develops contingency plans to address major risks.
  • Deep knowledge of security issues, techniques, and implications across all existing computer platforms required.
  • Deep knowledge of networking, databases and systems operations is required.
  • Proven leadership skills are required.
  • Collaboration and influence skills are required.
  • Proven interpersonal and communication skills. Strong ability to communicate clearly and succinctly with firm leadership, lawyers and business professionals, as well as external clients.
  • Demonstrated ability to prioritize tasks and effectively manage multiple responsibilities in a dynamic environment.
  • Demonstrated problem solving abilities, analytical skills, and proven ability to meet challenging deadlines required.
  • Strong work ethic; excellent use of discretion and judgment.
  • Excellent written communication skills.
  • Ability to work under pressure and multi-task on various assignments; detail orientation is a must.

Education


  • Bachelor's Degree in Computer Science, Cybersecurity, Management or related work experience.
  • CISSP or other major security certification preferred.

Experience


  • Minimum of 10 years' work experience managing information security in a large and complex environment; or other equivalent combination of education and experience that provides the required knowledge and skills.
  • Strong experience managing an Information Security team, to include demonstrated experience communicating with senior stakeholders.

This job description is intended to describe the general nature and level of the work being performed by employees in the position. It is not intended to be a complete list of all responsibilities, duties, and skills for positions. The firm reserves the right at all times, in its sole discretion, to add or subtract duties and responsibilities, as it deems necessary.


WilmerHale is an Equal Opportunity Employer. All qualified applicants will receive consideration without regard to race, color, religion, gender, sexual orientation, gender identity, national origin or ancestry, age, disability or veteran status, or other protected status.


