Chief Information Security Officer

7 days ago


Dallas, Texas, United States Gaston College Full time

SUMMARY

Open until filled.

The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.
 
The CISO reports to the Chief Operating Officer (COO), is a member of the Technology Services leadership team and serves a key role in college leadership, working closely with senior administration, academic leaders, and the campus community. The CISO is an advocate for the Institution's total information security needs and is responsible for the development and delivery of a comprehensive information security strategy to optimize the security posture of the college.

The CISO position requires a visionary leader with sound knowledge of the college environment and a working knowledge of cybersecurity technologies covering the college network as well as the broader digital ecosystem. The CISO will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. The CISO should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program. The CISO should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this to the senior stakeholders. A key element of the CISO's role is working with the CIO, Executive Management and college leadership team to determine acceptable levels of risk for the organization.

The CISO leads the development and implementation of a security program that leverages collaborations and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security risk. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the campus level.

DUTIES AND RESPONSIBILITIES

  • Lead the information security function across the college to ensure consistent and high-quality information security management in support of the business goals.
  • Responsible for the strategic leadership of the college's information security program.
  • Provide guidance and counsel to the CIO and key members of the college leadership team, working closely with senior administration, academic leaders, and the campus community in defining objectives for information security, while building relationships and goodwill.
  • Promote collaborative, empowered working environments across campus, removing barriers and realizing possibilities.
  • Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
  • Lead information security planning processes to establish an inclusive and comprehensive information security program for the entire institution in support of academic and administrative information systems and technology.
  • Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements.
  • Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.
  • Provide regular reporting on the current status of the information security program to enterprise risk teams and the Executive Management team as part of a strategic enterprise risk management program, thus supporting business outcomes.
  • Manage the budget for the information security function, monitoring and reporting discrepancies.

Strategy and Frameworks
  • Develop an information security vision and strategy that is aligned to the college priorities and enables and facilitates the college's business objectives, and ensures senior stakeholder buy-in and mandate.
  • Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the college.
  • Develop and enhance an up-to-date information security management framework based on the following: National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), CIS Controls, or Security Operations Center (SOC).
  • Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
  • Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
  • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
  • Work closely with CIO, technical experts, deans and administrative leaders across campus on a wide variety of security issues that require an in-depth understanding of the IT environment in their units.
  • Create the necessary internal networks among the information security team and line-of-business executives, compliance & audit, physical security, legal and HR management teams to ensure alignment as required.
  • Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Liaise with external agencies, such as the North Carolina Community College System Information Security Office, law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
  • Create education and awareness programs and advise operating units at all levels on security issues, best practices, and vulnerabilities.
  • Pursue security initiatives to address unique needs in protecting against identity theft, mobile social media security and online reputation program.
  • Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
  • Define and facilitate the processes for information security risk and for legal and regulatory assessments.
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
  • Develop and oversee effective disaster recovery policies and standards to align with the college business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the institution's perimeter.
  • Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
  • Facilitate and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.
  • Monitor security incidents and act as primary control point during significant information security incidents.
  • Convene a Security Incident Response Team (SIRT) as needed, or requested, in addressing and investigating security incidents that arise.
  • Convene an Ad Hoc Security Committee as appropriate and provide leadership for breach response and notification actions for the college.
  • Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and appropriate policies.
  • Examine impacts of new technologies on the college's overall information security.
  • Establish processes to review implementation of new technologies to ensure security compliance.
  • Coordinate and track all information technology and security related audits including scope of audits, colleges/units involved, timelines, auditing agencies and outcomes.
  • Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light.
  • Provide guidance, evaluation and advocacy on audit responses.
  • Maintain a high standard of professional and ethical practice in representing the College.
  • Maintain confidentiality of relevant information.
  • Demonstrate a thorough knowledge of the field or discipline with continued adherence to professional accountability.
  • Establish and maintain effective working relationships and partnerships.
  • Accept responsibility for managing situations and problems.
  • Work cooperatively with team members and colleagues and contribute positively and constructively to the achievement of team and College objectives.
  • Adhere to the College's policies, procedures, and other established guidelines.
  • Serve on various College committees as required.
  • Perform other duties as assigned.

MINIMUM EDUCATION QUALIFICATIONS

Bachelor's degree in a technology- or business-related field of study such as Computer Science, Information Technology, Cybersecurity, Business or Business Information Systems required.

MINIMUM EXPERIENCE QUALIFICATIONS

  • Seven (7) to ten (10) years of related experience in a combination of risk management, information security and IT roles required.
  • Active security certifications (e.g., CISSP, CISM, CEH, GCIA, GCIH, SANS, NSA IAM) preferred.
  • Knowledge of and experience applying security control requirements for information security standards (e.g., FERPA, HIPAA, PCI DSS, IRS 1075, or other federal compliance requirements).
  • Demonstrated project management experience with cyber security program management, cyber exercise planning, incident response and monitoring, and security vulnerability/patch management.
  • Demonstrated supervisory experience leading a technical team in developing and transitioning cybersecurity capabilities.
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and ability to work under pressure in emergencies and communicate cyber security and risk-related concepts to colleagues required.
  • Strong leadership skills that incorporate organizational, analytical, decision-making, and team-building skills.
  • Experience in developing information security policies, procedures, standards, and guidelines, and successfully executing cyber security programs required.
  • Comprehensive understanding of industry standards and requirements for information security management, state and federal statutes, and third-party security assessments.
  • Demonstrated experience in internet and network security products and platforms, including intrusion detection, intrusion prevention, incident response, vulnerability assessments and penetration testing.
  • Advanced knowledge of attack vectors, threat trends, mitigation strategies, intrusion analysis, malware analysis, anomalous behavior, and incident response protocols.
  • Excellent knowledge of information security alerts, threat trends, intrusion analysis, malware, anomalous behavior, forensic research, and incident response protocols.
  • Ability to work nights and weekends as needed to resolve security related issues.
  • Eligibility to obtain and maintain a Division of Criminal Investigation (DCI) certification required.
  • In addition to the standard background check, this position requires having a clear fingerprint-based criminal records search through the State Bureau of Investigation (SBI).

PHYSICAL REQUIREMENTS

Generally, works in a traditional climate-controlled office environment and requires the ability to sit for extended periods. Some walking, standing, and bending required, and the ability to lift and maneuver items weighing up to 25 pounds. Work environment can be stressful at times in dealing with a wide variety of challenges and deadlines.
