Chief Information Security Officer @ Gemological Institute of America

6 days ago


California, United States Cyber Crime Full time

Gemological Institute of America. Established in 1931, GIA is an independent nonprofit that protects the gem and jewelry buying public through research, education and laboratory services.

The Company: GIA is the world's foremost authority in gemology. GIA is a global organization with headquarters located in Carlsbad, CA. GIA in Carlsbad boasts a 17-acre ocean view campus that accommodates approximately 800 of its 3,000 total employees worldwide. It offers many competitive health benefits that promote the well-being of its employees as well as that of the environment. Discover more about GIA's innovative history on the GIA website.

What to expect:

Hybrid role (3 days on-site) at our Carlsbad, CA headquarters

We offer competitive medical, dental & vision

Matching 401(k) plans up to 8%, no vesting required

Paid vacation, sick and holidays, tuition assistance, commuter benefits

JOB OVERVIEW

The Chief Information Security Officer (CISO) is primarily responsible for establishing, implementing, monitoring, and enforcing the Institute's information security governance, standards, and policies. The incumbent will develop strategic direction and oversee the day-to-day execution of operational information security initiatives at GIA. The CISO will report to the Chief Information & Technology Officer (CITO) and collaborate closely with the other Executives and Managers within the organization to ensure the integration and efficacy of security initiatives. The CISO will provide quarterly reports to the Audit and Risk Committee of the Board of Governors.

Secure access to information assets is critical to achieve business objectives. The CISO is responsible for establishing and maintaining information security capabilities that ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected in the digital ecosystem in which we operate. The CISO ensures that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory, and contractual obligations. The CISO is responsible for identifying, evaluating, and reporting on legal, regulatory, IT, and cybersecurity risks to information assets while supporting and advancing business objectives. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization and resulting information security requirements.

The CISO proactively works with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security and improve organizational awareness and understanding of operational information security risks and practical mitigations. The ideal candidate should have a strong knowledge of IT and be capable of overseeing various cybersecurity and risk management activities. This role is crucial for ensuring technology-dependent business processes achieve their desired outcomes. The CISO will work closely with the CITO and the IT organization to achieve these goals.

KEY ACCOUNTABILITIES AND RESPONSIBILITIES

Establish Vision, Strategy, and Governance

Develop an information security vision and strategy aligned with organizational priorities to enable and facilitate the organization's business objectives. Ensure buy-in and mandate from the board, CITO, executive team, and enterprise risk committee.

Facilitate an information security governance structure by implementing a governance program in alignment with the Enterprise Risk Management Committee.

As part of a strategic enterprise risk management program, provide regular reporting on the current status of the information security program to the Enterprise Risk Committee and the Audit and Risk Committee of the Board of Governors, thus supporting business outcomes.

Establish, implement, and monitor policies, standards, systems, and controls to ensure appropriate confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, managed, and processed by the organization.

Ensure the relevance of vision and strategy through continued knowledge acquisition. Build and nurture external networks consisting of industry peers, ecosystem partners, vendors, and other relevant parties to address common trends, findings, incidents, and cybersecurity risks.

Lead the Organization

Lead the information security function across the Institute to ensure consistent and high-quality information security management in support of the business goals.

Lead the information security team, ensuring (1) the acquisition, retention and development of the skills and experiences that advance our organization's overall information security capabilities; (2) effective collaboration with stakeholders; and (3) an environment of inclusion, growth and accountability in support of business objectives.

Determine the information security approach and operating model in consultation with stakeholders and align with the risk management approach and compliance monitoring of non-digital risk areas.

Create the necessary internal networks among the information security team and line-of-business executives, as well as corporate compliance, audit, physical security, legal, and HR management teams, to ensure alignment as required.

Liaise with the IT architecture team to establish alignment between security and enterprise architectures, ensuring that information security requirements are inherently incorporated into these architectures and that security is designed in.

Build and Embed Capabilities in the Organization

Work with the IT vendor management team and business leaders to ensure that information security requirements are included in contracts by liaising with legal affairs, vendor management, and procurement organizations.

Create and manage a targeted information security awareness training program for all employees, contractors, and approved system users, and establish metrics to measure the effectiveness of this security training program for different audiences.

Understand and interact with related disciplines through committees to consistently apply policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance, and business continuity management.

Provide clear risk-mitigating directives for projects with components in IT, including the mandatory application of controls.

Provide the appropriate information security policies, practices, and guidelines to ensure that security is embedded in the project delivery process.

Work effectively with Laboratory, Education, Research and Instrumentation to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.

Operate the Information Security Function

Manage the cost-effective information security organization, consisting of direct reports and dotted-line reports (such as individuals in business continuity and IT operations). This includes hiring (and conducting reference checks), training, staff development, performance management, and annual performance reviews.

Manage the budget for the information security function, monitoring and reporting discrepancies.

Develop, maintain, and enhance an up-to-date information security management framework for GIA based on one of the following: International Organization for Standardization (ISO) 27002, ITIL, COBIT/Risk IT, or the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The framework incorporates:

A unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards, and regulations.

A document framework of continuously up-to-date information security policies, standards, and guidelines. Oversee the approval and publication of these information security policies and practices.

A metrics and reporting framework to measure the efficiency and effectiveness of our information security capabilities, facilitate appropriate resource allocation, and increase information security maturity. Review it with stakeholders at the executive and board levels.

Manage enterprise risks according to agreed risk thresholds. Create a risk-based process for assessing and mitigating any information security risk in the organization's ecosystem, which includes employees, vendors, clients, students, consumers, and any other third parties.

Define and facilitate the processes for information security risk and legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.

Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.

Monitor the external environment for emerging threats and advise relevant stakeholders on appropriate action.

Develop and maintain information security profiles for GIA's major systems.

Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data, and the company's reputation.

Manage continuous monitoring of GIA's security for networks, systems, event logging, and applications.

Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter.

Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support, and in-house consulting in these areas.

Facilitate and support the development of asset inventories, including information assets in cloud services and other parties in the organization's ecosystem.

Requirements and Qualifications

GIA Core Values

Behaves consistently with GIA's core values: Integrity, Respect, Results, Leadership, Teamwork.

Displays a high level of personal integrity and the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.

Relationships / Impact on Others

Creates an environment that is inclusive and inspires team members to perform to high standards.

Demonstrates a Service Mindset. Acts in service to others and GIA's mission. Puts the Institute's objectives and priorities above personal and/or team ones. Demonstrates poise and the ability to act calmly and competently in high-pressure, high-stress situations to reduce anxiety and stress on others.

Displays Effective Communication. Develops and delivers multi-mode communications that convey a clear understanding of the unique needs of different audiences. Demonstrates the ability to communicate information security and risk-related concepts to technical and non-technical audiences at various hierarchical levels, ranging from board members to technical specialists.

Builds Collaborative Relationships. Builds connections and nurtures relationships to facilitate the accomplishment of work goals. Demonstrates vulnerability and builds trust. Leads and motivates the information security team and project teams to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist.

Optimizes the Talent Experience. Identifies and develops diversity of talent and creates an inclusive environment to improve organizational outcomes. Actively develops team members.

Results Orientation

Consistent track record of achieving results, demonstrating a growth mindset, resilience, and accountability.

Demonstrates a growth mindset by showing curiosity and willingness to challenge self and others to learn and evolve, regardless of situation or context. Open to new approaches even if these are inconsistent with previous methodologies.

Demonstrates resilience by adopting a can-do approach; bounces back when faced with challenges and setbacks by demonstrating a willingness to learn from mistakes or obstacles and move ahead.

Demonstrates accountability by owning actions and results; takes responsibility to drive outcomes and achieve successes. Does not make excuses when things do not go well.

Business and Industry Acumen

Thinks and acts as a business leader who applies expertise to address business opportunities and challenges.

Demonstrates the ability to think strategically and uses insights to enable decisions for mission and strategy achievement (big-picture alignment). Creates a vision and energizes the appropriate teams in the organization to deliver to that vision.

Uses organizational savvy to navigate comfortably through complex policy, process, culture, and organizational dynamics to solve problems and accomplish goals.

Embraces a continuous improvement and innovation mindset and leads the organization through change with tools, processes, and techniques to achieve organizational goals and outcomes.

Demonstrates effective problem-solving. Incorporates a holistic approach to making quality, timely, ethical decisions that keep the organization moving forward. Must be a critical thinker with an ability to frame problems/opportunities and apply strong analytical skills to identification, assessment, and selection of solution(s).

Demonstrates effective and holistic project management skills: financial/budget management, scheduling, resource management, and time management. Balances multiple projects simultaneously.

Bachelor's degree in Engineering, Computer Sciences, Information Technology, or related field; or, 10-12+ years of related experience in progressively challenging Information Security leadership roles comprising a combination of risk management, information security, and IT, with 3+ years of experience leading staff.

Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies.

Up-to-date knowledge of methodologies and trends in both business and IT.

Proven track record and experience in developing information security policies and procedures and successfully executing programs that meet the objectives of excellence in a dynamic business environment.

Knowledge and understanding of relevant legal and regulatory requirements, such as relevant local or global laws, standards and regulations, GDPR, State laws, and Payment Card Industry/Data Security Standards.

Experience with a wide range of network equipment and security systems in use at the organization (e.g., next-generation firewalls, Cisco IOS, Cisco switches, Intrusion Prevention Systems (IPS), threat analysis and protection, sandboxing, Intrusion Detection Systems (IDS), Identity Management Systems (IMS), data exfiltration prevention, and auditing and event logging solutions).

Professional security management certifications, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or similar credentials, are desirable.

Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, and COBIT, as well as those from NIST, including 800-53 and Cybersecurity Framework.

Salary range: $250-$300k

Disclaimer: This job description indicates in general terms, the type and level of work performed as well as the typical responsibilities of employees in this classification and it may be changed by management at any time. Other duties may also apply. Nothing in this job description changes the at-will employment relationship existing between the Company and its employees.
