Chief Information Security Officer

Title: Chief Information Security Officer (CISO)

State Role Title:Info Technology Manager II

Hiring Range: Up to $185,000

Pay Band: 7

Agency: Dept Behavioral Health/Develop

Location:Central Office

Agency Website:www.dbhds.virginia.gov

Recruitment Type: General Public - G

Job Duties

The Department of Behavioral Health and Developmental Services (DBHDS) is seeking a dynamic and experienced information security and privacy leader to serve as the Chief Information Security Officer (CISO). This position is responsible for developing, managing and ensuring an efficient and effective information security and privacy program that safeguards the agency's information assets and supports the compliance with all applicable federal and Commonwealth laws and regulations. This position oversees the agency's security policies, risk management, compliance, and cybersecurity operations to ensure protection, detection, and corrective controls for all IT systems.

Additional responsibilities include:
• Providing strategic leadership for enterprise-wide cybersecurity, privacy, and IT governance, risk, and compliance (GRC) programs.
• Designing and implementing policies, standards, and risk management frameworks aligned with Commonwealth security standards, and HIPAA requirements.
• Overseeing the agency's incident response, vulnerability management, and cloud security, ensuring protection, detection, and corrective controls for all IT systems and cloud environments.
• Leading the agency's initiatives in AI governance and emerging technology oversight, establishing responsible AI policies, risk assessments, and controls to ensure ethical, secure, and compliant adoption of artificial intelligence and automation technologies across DBHDS systems.
• Supervising professional staff responsible for implementing technical safeguards, conducting risk assessments, managing investigations, and delivering security and privacy awareness training to maintain a secure, compliant, and resilient technology environment.
• Advising the Executive Leadership Team on cybersecurity, privacy, and risk posture.
• Developing data protection strategies and ensuring business continuity and incident recovery plans align with enterprise risk tolerance.

Minimum Qualifications

• Considerable experience in information security, information systems review, or related technology fields.
• Demonstrated knowledge of information security and privacy practices, IT governance, risk management, and compliance frameworks (e.g., NIST, ISO 27001, HIPAA, ARMICS, VITA SEC-530)
• Proven experience implementing and managing cloud security controls in cloud environments, including IAM, monitoring, and shared responsibility compliance.
• Ability to lead enterprise cybersecurity operations, manage incident response, and oversee vulnerability and threat management programs.
• Knowledge of cloud security architectures, shared responsibility models, and cloud-native risk mitigation strategies.
• Experience establishing or managing AI governance frameworks or oversight committees related to data ethics, model transparency, and security of AI systems.
• Proven ability to lead teams and supervise staff performing cybersecurity and risk management functions.
• Strong communication, analytical, and problem-solving skills, with the ability to interact effectively with technical, executive stakeholders, and oversight entities.

Additional Considerations

• Certification as an Information Systems Security Professional (CISSP), Information Security Manager (CISM), or Information Systems Auditor (CISA).
• Experience working in state or public sector information security programs.
• Familiarity with HIPAA, ARMICS, and NIST security standards.
• Experience building or maturing governance, risk, and compliance (GRC) programs and reporting metrics to executive leadership or board-level committees.

Special Instructions

You will be provided a confirmation of receipt when your application and/or résumé is submitted successfully. Please refer to "Your Application" in your account to check the status of your application for this position.

This position is eligible, however not guaranteed, for telework opportunities; availability, hours, and duration of telework shall be approved as outlined in the Commonwealth telework policy.

For consideration, interested applicants must apply by completing the online application. A resume may also be included with your submission. However, emailed, faxed, and hand-delivered applications and/or resumes will not be accepted. This position is open until filled; however, applications/resumes will begin to be reviewed within seven (7) business days of the date of this posting. Reasonable accommodations are available to persons with disabilities during application and/or interview processes per the Americans with Disabilities Act.

DBHDS welcomes all applicants authorized to work in the U.S. For more information on how to seek this authorization, please refer to Working in the United States or contact the U.S. Citizenship and Immigration Services office directly.

For any technical assistance with the jobs.virginia.gov website, please contact applicantinquiry@dhrm.virginia.gov.

Contact Information

Name: ShaKiera Miles

Phone: N/A

Email: shakiera.miles@dbhds.virginia.gov - Inquiries Only/No Submissions, to include resumes.

In support of the Commonwealth's commitment to inclusion, we are encouraging individuals with disabilities to apply through the Commonwealth Alternative Hiring Process. To be considered for this opportunity, applicants will need to provide their AHP Letter (formerly COD) provided by the Department for Aging & Rehabilitative Services (DARS), or the Department for the Blind & Vision Impaired (DBVI). Service-Connected Veterans are encouraged to answer Veteran status questions and submit their disability documentation, if applicable, to DARS/DBVI to get their AHP Letter. Requesting an AHP Letter can be found at AHP Letter or by calling DARS at 800-552-5019.

Note: Applicants who received a Certificate of Disability from DARS or DBVI dated between April 1, 2022- February 29, 2024, can still use that COD as applicable documentation for the Alternative Hiring Process.

---