Director of Security Risk and Compliance
The Director of Security, Risk and Compliance is responsible for establishing and maintaining an enterprise-wide information security and privacy program that ensures information assets are stored and protected in a manner that meets or exceeds corporate, compliance and regulatory requirements.
This role oversees the advancement and maintenance of information security policies, identifies and supports security initiatives, establishes programs, and leads risk assessments, threat intelligence and status reporting. The Security, Risk and Compliance Director is the primary role focused on risks relating to information security and privacy. This critical position collaborates with the teams responsible for applications, infrastructure, data, architecture, development, deployment, and operations to establish and implement a secure environment. This role works in direct partnership with the operations and application teams and the enterprise architect to ensure that all ongoing activities related to the availability, integrity and confidentiality of information about customers, residents, employees and the lines of business comply with the information security practices. This role will lead the implementation of remediation as appropriate. The person in this role is a strategic thought leader and visionary advocate.
- Develop, implement and monitor a strategic enterprise information security and risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
- Guide on the appropriate information security services, mechanisms, technologies and features to satisfy security policies and requirements in key areas: computing platform architecture, data governance, network environment, enterprise architecture, security models, and protection mechanisms.
- Advise the IT Leadership Team on risks related to information security and recommend actions in support of the wider risk management and security program. Partner with business and IT leaders on risk and control areas, such as regulatory, external audit and risk management processes, including conducting periodic risk assessments.
- Develop policies and processes to monitor compliance with information security requirements based on industry-leading practices, applicable laws and regulations. Refine, maintain, and oversee compliance with IT Policies and Procedures.
- Build and deploy effective data protection, data security and information security management processes, and assist the appropriate teams in ongoing management, review, audit and enforcement. This may include activities such as firewall configuration, log analysis and gap remediation.
- Perform security audits of custom-written applications and make recommendations to improve the security of enterprise custom applications. Lead and direct a team responsible for providing guidance and recommendations on the configuration of all security appliances.
- Lead and guide the continuous improvement of business continuity and disaster recovery planning efforts across the enterprise.
- Work with IT leadership to develop security-related training programs, awareness campaigns, metrics and skills for the organization.
- Closely monitor emerging information security threats, assess the organization’s risk exposure, implement mitigating measures and communicate this information to key stakeholders on a timely basis.
- Lead evaluations and provide recommendations to leadership regarding new technologies related to information security.
Equivalent combinations of education and experience will be considered for the required qualifications.
- Bachelor’s Degree in Computer Science or Engineering, Management Information Systems, or a related technical field or equivalent combination of experience and education
- 10+ years of combined experience in security risk and compliance management, assessment, auditing, research and/or consulting.
- Demonstrated ability to perform security risk and compliance assessments in complex, multi-department and technology environments.
- Experience developing information security policies and standards.
- Experience developing and managing reporting of security and risk performance metrics and reporting dashboards for executive, business and technical audiences.
- Experience in a complex environment with rapidly changing technology needs, multiple sources of funding, multiple services contracts, and multi-agency contacts.
- Strong understanding of federal, state, and local regulatory compliance drivers and requirements relevant to information security and data protection, such as PCI, NERC, and HIPAA.
- Strong understanding of network, system, application and data protection standards, benchmarks, processes, applications, tools, and techniques.
- Excellent oral and written communication skills.
NOTE: Employment contingent upon successful completion of comprehensive criminal background investigation.
- Active Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or equivalent industry certifications.
- Eight plus years in a senior leadership role managing security, risk, and compliance.