About this Position
The individual in this position will work across the IT organization and with business partners as required to understand internal and external application and infrastructure service offerings Company has deployed or is considering. The role will be responsible for ensuring that appropriate controls, systems, and policies are in place to prevent security breaches and standard operating procedures are in place for audit, incident response and compliance reporting.
This position will work with teams to understand needs and recommend physical and technical information security best practices to be incorporated into service design and operations. Individual will be responsible to develop and publish policies for IT teams to follow, promote security awareness across the company as well as implement security procedures and safeguards.
This position will also work cross-functionally to oversee the security posture of Company and its subsidiaries ' products and services, ensuring security is embedded throughout the product development lifecycle. This position reports to the CIO.
Governance and Leadership
- Leads the internal Security Counsel. Help support corporate IT, Company Products, and monthly updates to Board on key risks and management 's plans to remediate them. Ensures information security risk is managed within the risk appetite approved by the CIO, CEO and Board.
- Serves as Company 's" Technology Control Officer (TCO)". The TCO is responsible for managing and implementing the Technology Control Plan (TCP) and other written policies and procedures (ECP, et al), per NISPOM regulations. The TCO acts the principal advisor concerning the protection of controlled unclassified information and other proprietary technology and data subject to regulatory or contractual control by the US Government.
- Act as a strategic advisor to the business heads on cybersecurity incidents and govern cross-functional alignment with trust and confidence.
- Ensure the consistent implementation and oversight of information security policies and practices across the company working closely with the business heads, CIO, General Counsel, and their teams.
- Liaises with Company 's Legal Team and Industrial Security Team in taking the necessary steps to ensure that Company complies with U.S. export control laws and regulations and does not take action deemed adverse to performance on classified contracts.
- Keeps up to date on information security threats and countermeasures and advise staff and development teams.
- Facilitates the creation of business continuity plans for business units and functions across the corporation.
- Develops the security team and overall IT organization 's capabilities in line with organizational goals and industry best practice.
- Creates and maintains the organization 's security documents (i.e., policies, standards, baselines, guidelines, and procedures) to be approved by executive management.
- Create a culture of cybersecurity engagement and ownership, driving behavioral changes within IT and the business functions.
- Initiate, facilitate and promote activities to foster information security awareness and KPIs within the organization and related entities.
- Coordinates product security with engineering and product management teams.
- Leads a strategic point of view for security solutions that can be impacted by new technologies (Cloud, Mobility, Virtualization), and business drivers (M&A, New Business Models).
- Defines processes to manage network and application security as well as prevent the proliferation of viruses and hacker intrusion.
- Manages execution of vulnerability scans, penetration tests, and audits to proactively identify areas of risk.
- Tracks and directs the mitigation of technical security incidents across enterprise IT and manage them through to resolution.
- Provides system security planning, development, and implementation of security policies across multiple platforms.
- Provides consultation and support in security management, architecture standards and documentation, and chances/enhancements to security configurations.
- Works with IT Support and Operations management as a member of the incident response team.
- Audits server event logs, firewall access logs, wireless access logs and firewall rules to identify possible security or performance problems.
- Oversees the monitoring and review of intrusion detection systems and firewall logs, analyze events and patterns, review access control lists, and manage network-based vulnerability scans and penetration tests.
- Leads the analysis of network traffic and system logs to determine corrective action and implement countermeasures; evaluate security incidents, develop solutions, and communicate results to end users and technical staff.
Risk and Compliance
- Works with third-party testing groups to perform security audits, validating threats and working with development team to implement and test resulting recommendations.
- Works with the IT service delivery and support leaders to draft, update, and implement policy.
- Directs and expands our enterprise-wide security controls and safeguards.
- Responds to client security questionnaires and audits; participate in the RFP and contracting processes.
- Creates and oversees the implementation of IT disaster recovery plans.
- Leads the performance of periodic information security risk assessments and conduct related ongoing compliance monitoring activities in coordination with the company 's other compliance and operational assessment functions.
- Candidate MUST be a U.S. citizen.
- This position requires a Top-Secret security clearance; candidate must be able to obtain and/or maintain a Top-Secret clearance.
- Knowledge of security frameworks, standards, policies, and practices '" including ISO/IEC 27001.
- Experience obtaining third party security attestations.
- The ability to analyze, interpret business requirements/issues and translate into appropriate security and risk solutions.
- Must have experience with Vendor Risk Management.
- Experience with Change Management in organizations maturing their security posture.
- An appreciation of IT, business, and regulatory strategies in relation to a global enterprise operating in countries all over the world.
- Experience evaluating security and technology risk issues relating to new technologies and services.
- Experience in leading or participating in technology reviews including due diligence assignments.
- Experience with compliance monitoring and operational assessment.
- Familiarity with data protection and privacy legal frameworks as they relate to organizational systems, networks, and data as well as enterprise products.
- Skilled in reviewing third party security and contractual requirements related to information security and data protection.
- 10+ years of experience in either risk management or information security and/or IT positions.
- Thorough understanding of identity and access management, including cross-domain federation and cloud service provider integration.
- Certifications: One or more of the following certifications: CISSP, CISM, CISA, CIPP, HCISSP, CRISC, CGEIT, PCIP required.
- Experience creating technical documentation, including product documentation, technology and process best practices, and technical whitepapers.