Chief Information Security Officer

American Institutes for Research
August 5, 2022
Oakland, CA



AIR is seeking a Chief Information Security Officer (CISO) to join the Information Security team. The CISO drives information security strategy and works closely with senior stakeholders throughout the organization to ensure effective cyber defenses and maintain compliance with applicable regulations and laws. The CISO leads the information security program and the delivery of information security services, which include ensuring the confidentiality, integrity, and availability of information systems, identifying threats and vulnerabilities, assessing risks, and overseeing the implementation of controls to mitigate risks. The CISO develops policies, plans, and guidelines, spearheads key strategic initiatives, and coaches, mentors, and develops other members of the Information Security Office. This role is vital to the organization and its stakeholders and is well regarded and resourced as a trusted position. The role reports to the Vice President of Information Technology.

This position can be remote or based at any one of AIR's domestic office locations.

Candidates hired for the position might initially start working remotely but will eventually have the option to work from one of our domestic office locations or continue to work remotely.

About AIR:

Established in 1946, with headquarters in Arlington, Virginia, AIR is a nonpartisan, not-for-profit institution that conducts behavioral and social science research and delivers technical assistance to solve some of the most urgent challenges in the U.S. and around the world. We advance evidence in the areas of education, health, the workforce, human services, and international development to create a better, more equitable world.

AIR's commitment to diversity goes beyond legal compliance to its full integration in our strategy, operations, and work environment. At AIR, we define diversity broadly, considering everyone's unique life and community experiences. We believe that embracing diverse perspectives, abilities/disabilities, racial/ethnic and cultural backgrounds, styles, ages, genders, gender identities and expressions, education backgrounds, and life stories drives innovation and employee engagement. Learn more about AIR's Diversity, Equity, and Inclusion Strategy and hear from our staff by clicking here.


The responsibilities for the position include:

  • Establish and maintain strong working relationships with internal and external business partners, customers, and stakeholders regarding information security strategies, policy, risk management, and security compliance.
  • Lead a team of dedicated information security professionals and ensure they are adequately equipped and trained.
  • Play a central role in cyber defense that includes working closely with IT, ensuring they have an inventory of information assets, secure configurations, access control management, account management, intrusion prevention, incident response, continuous vulnerability management, secure log management and malware defense.
  • Provide strategic and tactical security guidance for IT initiatives and projects, including the evaluation of the enterprise and cloud architecture, supply-chain and service provider management, insider risk, data/system resilience, and identification of high-value assets.
  • Provide expert advice to senior leadership on effective strategies and technologies to efficiently deliver on FISMA and FedRAMP compliance requirements. Oversee development and maintenance of security authorization package deliverables, risk assessments, configuration management, contingency plans/testing, and continuous monitoring.
  • Drive the implementation and maturation of security controls against US Government and industry security frameworks such as NIST 800-53, NIST 800-171, Center for Internet Security, and Cloud Security Alliance.
  • Report to executive management on the effectiveness of the information security program, including vulnerability management, incident response, security awareness, phishing assessments, and progress of all security-related remedial actions.
  • Plan and oversee all enterprise and cloud penetration testing to assess defense-in-depth architecture, network security, and web application security.
  • Oversee the company-wide security awareness training program to ensure the organization's workforce is knowledgeable of information security risks and relevant guidance appropriate to their role in the organization.
  • Work with in-house application development teams to ensure that best practices for security are incorporated in the software development life cycle (DAST, SAST, etc.).
  • Coordinate the use of external security services (i.e., security controls assessments, penetration testing, digital forensic services, incident response, and training exercises).
  • Provide direct support to business development and corporate procurement activities by reviewing information security terms included in proposals, agreements, and contracts to ensure supportability and suitability.
  • Work with executive leadership (CFO, CEO, Board of Directors) to apprise them of information security strategies, plans, issues, and concerns.
  • Maintain knowledge of and oversee incident response/management, including oversight of all phases of incident response, digital forensics, and investigation of security breaches, and work closely with other members of the incident command structure.


Education, Knowledge, Skills, and Experience:

  • Bachelor's or master's degree in STEM or a closely related field.
  • 10+ years of experience in information security management, security compliance, and/or risk management, preferably in the U.S. Government, research, healthcare, or education sector.
  • 5+ years of experience in FISMA/FedRAMP.
  • Experience with NIST SP 800-171 and CIS security controls.
  • Relevant experience in at least four of the following areas: vulnerability management, incident response, firewalls, intrusion detection/prevention, security monitoring, security assessment, penetration testing, application security, network security, or end-point protection.
  • Knowledge of data privacy laws such as GDPR, CCPA, HIPAA, etc.
  • At least one SANS GIAC certification is desired but not required.


  • Excellent communication and presentation skills.
  • Demonstrated ability to serve as an effective member of the senior management team and to communicate security-related concepts to a broad range of technical and non-technical management and staff at all levels and from diverse backgrounds.
  • Comfortable working in a virtual work environment.


AIR requires all new hires to be fully vaccinated against COVID-19 or receive a legally required exemption from AIR, as a condition of employment. AIR will ask candidates to verify their vaccination status only after a conditional offer of employment is made. Applicants should not provide information about their vaccination status or need for exemption prior to receiving a conditional offer of employment from AIR.

All qualified applicants will receive consideration for employment without discrimination on the basis of age, race, color, religion, sex, gender, gender identity/expression, sexual orientation, national origin, protected veteran status, or disability.

AIR adheres to strict child safeguarding principles. All selected candidates will be expected to adhere to these standards and principles and will therefore undergo rigorous reference and background checks.
