Senior Director IT,Information Security & Service Management

The Senior Director IT is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The individual is responsible for identifying, evaluating and reporting on legal and regulatory, compliance, IT and cybersecurity risk to information assets, while supporting and advancing business objectives.

Description

Establish Governance and Build Knowledge

• Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
• Provide regular reporting on the current status of the information security program to enterprise risk teams and senior business leaders
• Work with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations.
• Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
• Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
• Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.

Develop the Frameworks

• Develop and enhance an up-to-date information security management framework based on one of the following: International Organization for Standardization (ISO) 2700X, ITIL, ENISA, ISA-62443, COBIT/Risk IT and National Institute of Standards and Technology (NIST) Cybersecurity Framework.
• Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
• Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
• Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
• Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and board levels.

Architecture/Engineering Support

• Work with IT staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
• Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
• Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
• Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.

Operational Execution

• Coordinate, measure and report on the technical aspects of security management.
• Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
• Manage and coordinate operational components of incident management, including detection, response and reporting.
• Maintain a knowledgebase comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
• Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
• Manage security projects and provide expert guidance on security matters for other IT projects.
• Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans.
• Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
• Design, coordinate and oversee security testing procedures to verify the security of systems, networks and applications, and manage the remediation of identified risks.

Qualifications

• Bachelor’s Degree in Engineering, Computer Science, Information Systems, or related discipline required.
• Master’s Degree in a related field is preferred.
• Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials

Experiences

• A minimum of ten years of IT experience, with seven years in an information security role and at least five years in a managerial capacity is required.
• Experience working with legal, audit and compliance staff is preferred.
• Experience developing and maintaining policies, procedures, standards and guidelines is required.
• Familiarity with applicable legal and regulatory requirements, including, but not limited to, the U.S. Sarbanes-Oxley Act, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the European Union Privacy Directive, and the Japanese Financial Instruments and Exchange Law ("J-SOX").

Skill Sets

• Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
• Project management skills: financial/budget management, scheduling and resource management
• Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist
• A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital
• Excellent communication, interpersonal and collaborative skills. Experience working with a multi-continent technical team preferred
• High degree of initiative, dependability and ability to work with little supervision while being resilient to change

Technical Competencies

• Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) frameworks
• An understanding of operating system internals and network protocols.
• Familiarity with the principles of cryptography and cryptanalysis.
• Experience in application technology security testing (white box, black box and code review).
• Experience in system technology security testing (vulnerability scanning and penetration testing).