Director – IT Security
The Director, Information Technology Security is responsible for the development, implementation and management of security policies and business continuity programs that protect the organization's information systems, including application security, server security, mobile device security and forensics, network security, preventive systems analysis and operation, and compliance with security standards such as PCI-DSS, ISO 27000 and SOX.
This position is also responsible for the successful implementation, review and updating of IT processes (e.g., ITIL, governance) and for driving a comprehensive metrics program to measure Governance, Risk Management and Compliance (GRC).
The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes. While the Director, Information Technology Security is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the business's activities. It cannot be undertaken at the expense of the enterprise's ability to deliver on its goals and objectives. The Director will be called on to lead cross-functional security initiatives, establish a strategic security framework, manage day-to-day tactical security and process issues, and establish metrics and measures. Ultimately, the Director, Information Technology Security is a business leader, and should have a track record of competency in the field of information security or risk management, at least 5 years of relevant corporate IT Security experience, including three years in a significant leadership role.
There will be 15%-20% overall travel required for this position.
Define and manage the Information Security strategic roadmap.
Manage and develop the enterprise's information security organization, consisting of direct reports and indirect reports, and engage third parties as needed to ensure the required capabilities are available either internally or externally. This includes hiring, training, staff development, and performance management.
Develop, maintain and publish up-to-date information security policies, standards and guidelines, including identifying and closing gaps in existing IT security and business continuity processes.
Oversee the approval, training, and dissemination of security policies and practices.
Facilitate information security governance through the implementation of a hierarchical governance program, including interaction with the Corporate Compliance Committee.
Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment of risks that may result from partners, consultants and other service providers. Ensure compliance with security practice and policy where third-party resources deliver IT services.
Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
Develop and enhance an information security management framework based on the appropriate standards such as: International Organization for Standardization (ISO) 2700X, ITIL, COBIT/Risk IT and National Institute of Standards and Technology (NIST).
Ensure that security programs are in compliance with relevant laws, regulations, policies and standards to minimize or eliminate risk and audit findings.
Manage weekly objectives, priorities, budget and performance management of team members.
Provide leadership for internal and external security programs and incident response across multiple teams.
Directly manage all IT Security contracts and projects with third-party vendors, including project objectives, budgets, renewals and RFPs.
Administer and monitor IT security technologies and systems, business continuity, processes and metrics across the enterprise.
Present recommendations, findings and assessments to senior management across the organization, including operations, legal and finance.
Collaborate across technical and business functions to evangelize and drive security, business continuity and metrics awareness within all IT initiatives and beyond.
BA degree in business administration or a technology-related field.
8+ years combined experience in risk management and/or information security
8+ years' experience working with IT security legal and regulatory requirements, such as the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS).
8+ years’ experience working with information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT or NIST.
5+ years’ experience in a senior leadership role.
5+ years' experience in IT project management that includes financial/budget management and resource management.
Experience managing effective disaster recovery policies and standards, aligning them with business continuity management programs.
Experience with contract and vendor negotiations.
Experience developing and implementing information security policies and procedures, in addition to successfully executing programs that meet the objectives of excellence in a dynamic IT environment.
Professional security management certification required, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or Certified Information Systems Auditor (CISA).
Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
Poise and ability to act calmly and competently in high-pressure, high-stress situations.
Critical thinker, with strong problem-solving skills.
Exhibits excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
High degree of initiative, dependability and ability to work with little supervision.