IT Risk Management – As a partner with the internal services, infrastructure, application and operational technology teams, the CISO will define risk measurement standards and repeatable ISO 27000 or equivalent framework for all components of IT risk, including but not limited to vendor, cloud, stability, supportability, regulatory, disaster preparedness, and security. The team will perform ongoing risk assessments and provide executive updates / escalation as necessary.
IT General Control (ITGC) Compliance & Audit Management – Define, measure and drive ITGC compliance, including but not limited to defined regulatory requirements such as PCI and HIPAA. Partner with stakeholders to ensure compliance with PCI, HIPAA and other applicable standards. Ensure all compliance activities are mapped to defined standards (e.g. ISO, NIST Executive Order, COBIT). Act as primary interface to Audit organizations, including review of all IT-related audit findings, follow-ups and management response commitments.
Security Training & Awareness – Continue to drive and expand organizational security training and awareness through repeatable and creative initiatives across an organization.
Data Privacy – Responsible for the direction and oversight of matters governing appropriate access, security, privacy, and confidentiality of employee and other sensitive personal and organization information. Ensures organizational compliance with applicable statutory and regulatory requirements pertaining to information security and privacy for the organization. Interfaces with Legal, HR and other appropriate departments.
Project Design & Delivery – Manage multi-vendor teams in the design, development, deployment and support of many critical security related projects as part of achieving overall improved maturity of IT security capabilities.
IT Security Operations – Responsible for defining, developing, and managing the organization’s IT Security Operations function. This includes: 1) management of an internal security organization, 2) alignment with county operational technology asset monitoring requirements, 3) interfacing with third-party Managed Security Services Providers for external network monitoring and cyber intelligence, 4) measurement of incident handling performance, and 5) working closely with external entities (industry, government) regarding current threats, indicators of compromise, or other intelligence. As a partner with the internal services, infrastructure, application and operational technology teams, the CISO will set the direction of and deliver the overall IT Security Architecture for the county being supported by this role.
Other Key Roles & Responsibilities:
Responsible for managing the phases of the CISO as a Service framework (assessment, implementation, operations) covering all aspects of the IT Security function, including operations, new projects, third-party vendors, managed services and other related costs.
Conduct internal briefings with other senior leaders across the organization on a regular basis for broad-based awareness of key updates such as cyber security operational performance, incidents or breaches, new strategic areas of focus and critical project updates.
Define overall IT Security Strategy & Vision. Ensure IT Security Strategy clearly communicates future design and aligns to cyber security and risk objectives across each part of the organization.
Present to audiences and forums internal and external to the organization on topics related to IT security, risk and compliance.
Education, Experience, & Skill Requirements
Must possess and exhibit a high level of integrity and passion for the disciplines of IT Security & Risk.
Ten plus years overall of multi-disciplined IT background.
Prefer a minimum of 4 years of experience as CISO or equivalent position for medium-sized organizations.
Ability and experience working across multiple organizations and IT organizations to develop an integrated organizational IT Security & Risk Strategy.
Experience designing organizational IT Security Architecture, infrastructure and applications.
Strong knowledge and experience in managing complex project plans with interdependencies between many different projects and initiatives.
Experience working with external cyber intelligence organizations, such as MS-ISAC (NERC), ICS-CERT (DHS), FBI.
Familiarity with standard risk frameworks, including ISO 27000, SANS, NIST 800-53, and standard compliance frameworks.
Prefer degrees in Computer Science, Business, Engineering or Information Systems.
Current certifications such as CISSP, CISA, and/or others as relevant will be preferred.
Professional IT process / methodology certifications a plus (e.g., ITIL, COBIT, Lean, Six Sigma) with experience implementing rigorous and efficient process / methodology across an organization. Prefer experience as a business or IT consultant.
Salary: 0 to 0
Years of Experience: 5+ to 10 years
Minimum Education: -
Willingness to Travel: -
Hours per week: 0