Sr. Director, IT Security

2 weeks ago


West Palm Beach, United States Florida Crystals ASR Group Full time

Florida Crystals is a leading domestic sugar producer and North America's first fully integrated cane sugar company, guiding our sugar from farm to table. We are America's first and only producer of certified organic sugar, grown and harvested in the United States. Our renewable energy facility is the largest of its kind in North America and provides clean energy that powers our sugar operations, which helps us reduce our use of fossil fuels. Florida Crystals also sustainably farms rice, sweet corn and other vegetables in rotation with our sugarcane. Our rice mill is the only rice mill in Florida.

OVERVIEW

The Sr. Director of IT Security & Compliance is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise. The position requires a leader with sound knowledge of business management and a working knowledge of information security technologies. The Director of IT Security & Compliance will proactively work with business units and functions to implement practices that meet defined policies and standards for information security. He or she will also oversee a variety of IT-related risk management activities.

The Sr. Director of IT Security & Compliance serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with the organization's information security policies. A key element of the role is working with executive management to determine acceptable levels of risk for the organization. The Director of IT Security & Compliance must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode.

The Sr. Director of IT Security & Compliance is a leader who is a consensus builder, and an integrator of people and processes. While the Director of IT Security & Compliance is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the business's activities. It cannot be undertaken at the expense of the enterprise's ability to deliver on its goals and objectives. Ultimately, the Director of IT Security & Compliance is a business leader, and should have a track record of competency in the field of information security or risk management, with six to eight years of relevant experience, including 1 to 2 years in a significant leadership role.

DETAILED ROLES & RESPONSIBILITIES

Strategic Leadership & People Development

  • Maintain and mature the Information Security & Compliance (ISC) program across the enterprise, delivering continuous improvement with company Information Protection and Data Privacy Policies and relevant regulations, and delivering information security solutions to protect the confidentiality, integrity and availability of company information.
  • Monitor, maintain and improve the strategic, comprehensive enterprise information security and IT risk management program to ensure the correct levels of coverage across the NIST principles of identify, protect, detect, respond and recover.
  • Manage the enterprise's information security organization, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
  • Report regularly to executive leadership teams on all matters concerning the ISC program implementation within the enterprise, ensuring alignment with goals, deliverables, and outcomes.
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
  • Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
  • Work directly with the business units and functions to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
  • Provide regular reporting on the current status of the information security program and key performance indicators to enterprise risk teams and senior business leaders as part of a strategic enterprise risk management program.
  • Provide regular reporting that will be presented to the board of directors by the VP, Strategy Architecture & Security or the VP CIO.
  • Sustain constructive and productive relationships with internal audit and the external auditors. Liaise among the information security team and corporate compliance, audit, legal and HR management teams as required.
  • Provide strong and well-balanced advisory service to IT colleagues and business unit/functional personnel regarding IT security and effective internal controls.
  • Represent the IT Security & Compliance function on selected project groups, to provide advice and assistance that is in line with FCC IT security policy, systems development life cycle and best practice.
  • Coordinate the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
  • Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.
  • Develop and manage information security budgets, and monitor them for variances.
  • Liaise with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
  • Coordinate information security and risk management projects with resources from the IT organization and business unit/functional teams.

Information Risk and Privacy Governance

  • Maintain, evolve and implement FCC/ASR privacy policies and procedures in coordination with appropriate members of the organization, especially legal counsel, but also the information security team, risk management officer and the compliance officer.
  • Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
  • Facilitate information security governance through the existing governance program, including the information security steering committee.
  • Maintain and improve the risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants and other service providers.
  • Devise and update policies and procedures for customers, employees and privacy incident responses.
  • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
  • Work - in particular with legal counsel, but also with business units/functions and management - to ensure the organization has and maintains the appropriate privacy and confidentiality consent, authorization forms, and information notices.
  • Work with procurement, vendor management and the legal department to ensure that third-party suppliers' contracts and operating-level agreements meet privacy requirements.
  • Depending on the jurisdiction, receive notifications of personal data processing from business units, and/or notify data protection authorities of such processing.
  • Together with legal, lead the enterprise's response to privacy-related emergencies and other potentially damaging events.
  • Partner with the Director of Infrastructure Architecture to develop and oversee effective disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
  • Support the litigation group in privacy-related litigation.
  • Communicate with the public concerning privacy issues (for example, answering consumer questions about the enterprise's data retention practices).
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security.

Identity and Access Management

  • Maintain, evolve, and implement FCC/ASR processes and procedures related to identity and access management including but not limited to SAP, Active Directory, Exchange, and other applications.
  • Lead the strategic direction of the utilization of SailPoint in Identity Administration.
  • Lead the strategic direction for Single Sign On technologies.
  • Manage and oversee the security administrators of SAP, Active Directory, Exchange, and other applications.
  • Lead the strategic direction of compliance with segregation of duties requirements.
  • Improve monitoring in SIEM and automated responses with ReliaQuest's GreyMatter for FCC/ASR Active Directory environments.

Information Security and Privacy Compliance Monitoring

  • Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
  • Responsible for delivering continuous improvement in compliance with IT security policy and relevant legislation or regulations and for delivering information security solutions to protect the integrity and confidentiality of FCC/ASR data.
  • Ensure that business units/functions, technology teams and third parties follow FCC/ASR privacy program, meet privacy policy requirements and address privacy concerns.
  • Collaborate with and assist business units/functions and technology areas to develop corrective action plans for identified privacy compliance issues.
  • Monitor U.S.-EU Safe Harbor compliance. Manage the annual U.S.-EU Safe Harbor certification process.
  • Continuously monitor the status and effectiveness of privacy controls across service offerings, ensuring that privacy-related key risk indicators are effectively monitored to prevent an unacceptable impact on business objectives and reputation.
  • Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.

Information Risk and Privacy Impact Assessments

  • Champion a risk-related approach to IT security and controls, by means of effective communication, contributing to training, and any other initiatives that may be devised from time to time within the compliance function.
  • Determine the enterprise's specific privacy-related requirements and potential vulnerabilities.
  • Participate in new business initiatives and product development activities to identify and escalate privacy considerations.
  • Manage the privacy impact assessment process, which is a process to review the privacy impacts of various company initiatives.
  • Conduct regular privacy assessments to ensure that FCC/ASR privacy policies are being adhered to.
  • Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
  • Ensure that security programs are in compliance with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.

Personal Data Inventory and Usage

  • Support the creation of an inventory that documents how FCC/ASR collects, shares and uses personal data.
  • Continually update and re-evaluate the extent to which customer and employee information is collected and shared internally and externally.
  • Maintain FCC/ASR registry of data stores and processes that affect personal information from employees and customers.

Information Technology

  • Serve as the internal advisor to the IT department and the information security department to interpret privacy-policy-related questions.
  • Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
  • Ensure that data security practices - in particular, logging, monitoring and auditing practices - are not in conflict with privacy requirements.
  • Work closely with the technology teams to anticipate potential privacy problems embedded in the use of emerging technologies.
  • Work to integrate controls within specific HR and CRM business and IT processes.
  • Keep up to date with best practice and market developments in IT Security & SAP Security.

Awareness and Training

  • Improve the security awareness and culture.
  • Conduct or oversee privacy awareness training and orientation for all employees - in particular, application developers, HR and marketing.
  • Create and manage information security and risk management awareness testing and training programs for all employees, contractors and approved system users.
  • Identify trends in privacy and regulatory requirements and compliance enforcement, and plan for changes.
  • Develop new and innovative strategies for addressing privacy and regulatory standards and requirements within new computing paradigms (such as cloud or mobile computing).
  • Work with third-party stakeholders (including business partners, suppliers, service providers and IT product vendors) to ensure that they clearly understand and comply with FCC/ASR basic privacy requirements.

WORK EXPERIENCES

  • Proven experience managing and developing people - internal and external. Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals. Proactive, pragmatic leader. An excellent manager, with a proven track record of managing large teams across geographies and cultures.
  • Solid experience in project and budget management. Project management skills: financial/budget management, scheduling and resource management. A proven ability to obtain funding for strategic priorities. Strong systems aptitude; demonstrated project management and planning skills; balances strategic skills with tactical execution skills.
  • Proven audit experience, dealing with risk committees and corporate security.
  • A proven ability to work constructively with colleagues to help prevent operational security problems and to help set matters right when problems arise.
  • Strong analytical and problem resolution skills. Exceptional business judgment, with the ability to think strategically and give practical advice by balancing business needs with legal risks.
  • Proven interpersonal collaborative skills: two-way communications skills (oral and written), ability to build relationships, influence others, work with a diverse internal stakeholder base and the ability to communicate security and risk-related concepts to technical and nontechnical audiences (e.g. Executive Leadership).
  • Strong business acumen and risk management skills. Ability to understand technical security risks and articulate these risks in easy-to-understand business language which accurately shows the true degree of business risk and impact.
  • Ability to handle multiple demands, shifting priorities, and ambiguous situations. Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
  • Knowledge of the privacy aspects of the product development life cycle, data handling and asset classification, and knowledge of the role of a privacy professional in ensuring that customer data is properly managed.
  • Interest in national and international privacy developments, constitutional privacy guarantees, international privacy guidelines, privacy by design, privacy accountability and minimal disclosure.
  • Ability to articulate the importance of customer privacy. Comfort with promoting privacy up and down the management chain, including audiences who have varying levels of familiarity with the topic.
  • Knowledge of software development life cycles (SDLCs) is beneficial.
  • Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
  • Excellent background and experience in information security.
  • Strong vendor management skills, experience in dealing with near/off shore resources. Experience with contract and vendor negotiations.
  • Has the ability to interface with, and gain the respect of, stakeholders at all levels and functions of the company.
  • Is an energetic self-starter and confident, with strong interpersonal skills.
  • Has good judgment, a sense of urgency and demonstrated commitment to high standards of ethics, regulatory compliance, customer service and business integrity.
  • High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
  • High degree of initiative, dependability and ability to work with little supervision.
  • Poise and ability to act calmly and competently in high-pressure, high-stress situations.
  • Must be a critical thinker, with strong problem-solving skills.
  • Passionate about FCC/ASR, responsive, straightforward and customer oriented.
  • Five years of experience in privacy, data protection, security, risk management or compliance, preferably in the food and beverages industry.
  • Experience working in a heavily regulated and/or audited environment.
  • Working knowledge of state, federal and international privacy laws, regulations and industry best practices.
  • Experience in auditing frameworks and international standards, such as NIST, ISO 27001, PCI DSS, BS 10012, SAS 70, COBIT and ITIL. Experience as an auditor is a plus.
  • Knowledge of U.S. laws and regulations, such as HIPAA, Gramm-Leach-Bliley Act and U.S. state breach notification laws.
  • General knowledge of the EU Data Protection Directive, the EU E-Privacy Directive and their national implementations (for example, the U.K.'s Data Protection Act, Germany's BDSG and Spain's LOPD).

EDUCATION REQUIREMENTS

  • Bachelor's degree in business administration, law, finance, accounting, computer science or a related discipline is required.
  • Advanced degree in law (J.D.), business (M.B.A.), information science (MIS), accounting, information security or a related field is preferred.
  • The ideal candidate will have a combination of a legal or business degree with a technical or computer science degree.
  • 6+ years of experience in Audit, Information Security, Legal, Compliance, Data Privacy or other related areas. Minimum of 8 years of experience in a combination of risk management, information security and IT jobs. At least one must be in a senior leadership role. Employment history must demonstrate increasing levels of responsibility.
  • International experience preferred. Sound experience in working in a large global company within IS/Technology; willingness to travel to determine and influence nondomestic privacy requirements. Ability to travel 10% of the time, domestic and international.

LOCATION OF ROLE

  • West Palm Beach


We are an equal opportunity employer. We do not discriminate on the basis of race, color, creed, religion, gender, sexual orientation, gender identity, age, national origin, disability, veteran status or any other category protected under federal, state, or local law. All employment is decided on the basis of qualifications, merit, and business need.
