Full-time
Chief Information Security Officer (CISO) - Gemological Institute of America - Carlsbad, CA

The Chief Information Security Officer (CISO) is primarily responsible for establishing, implementing, monitoring and enforcing the information security governance, standards and policies across the Institute. The incumbent will establish strategic direction and oversee day-to-day execution of operational information security initiatives at GIA. The CISO will report to the Chief Operating Officer (COO), with a dotted line to the Enterprise Risk Committee, and will collaborate closely with the other executives and managers within the organization to ensure integration and efficacy of security initiatives. Secure access to information assets is critical to achieving business objectives. The CISO is responsible for establishing and maintaining the information security program to ensure that information assets and the associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for identifying, evaluating and reporting on cybersecurity risk to information assets, while supporting and advancing business objectives.

The CISO should be a great communicator and be effective in convincing all levels of the organization to follow their vision for a successful information security program. The CISO should also be adept at articulating priorities and taking a phased, efficient and intentional approach to maturing the Institute’s information security program to a level appropriate for the organization. Success in the role will require an individual with an understanding of how to achieve complex objectives through collaboration. Key initiatives will require engaging internal IT and external security services resources to drive toward a shared mission. The CISO may also need to grow strong community relationships to create a feedback loop that informs best practices. The CISO will be required to build a staffing and resource plan that supports their vision.
In this capacity, this individual should consider creative and efficient ways to execute their strategy without being hampered by the long lead times typically associated with information security hires. Additionally, the CISO should cultivate a pipeline of suitable internal and external candidates that could be leveraged to fill roles as the needs arise. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of information security and/or risk management, with ten to fifteen years of relevant experience, including five years in a significant leadership role.

Set the Strategy and Communicate the Vision

- Develop and enhance an up-to-date information security management framework based on the following: International Organization for Standardization (ISO) 27002, ITIL, COBIT/Risk IT and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and account for ever-changing requirements resulting from global laws, standards and regulations.
- Use the framework to form an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure board, executive team and enterprise risk committee buy-in and mandate.
- Create the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
- Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
- Assist with the identification of non-IT-managed IT services in use (e.g. in Marketing or Research) and facilitate a corporate IT onboarding program to bring these services into the scope of governance and compliance.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation and increase the maturity of the information security program, and review it with stakeholders at the executive and board levels.

Establish Governance and Build Knowledge

- Facilitate an information security governance structure through the implementation of a hierarchical governance program, in alignment with the Enterprise Risk Management Committee. This governance structure will address all critical elements, including but not limited to employee awareness, policy lifecycle and vendor management.
- Work with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
- Provide regular reporting on the current status of the information security program to the Enterprise Risk Committee, the Chief Operating Officer and the Board of Governors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Actively engage line-of-business leadership to address their unique operational requirements and build their understanding of the information security profiles of their critical assets, including establishing a security champion program to mobilize employees in all locations.

Operate the Function

- Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
- Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and creating alternatives for managing risk.
- Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security incident; provide direction, support and in-house consulting in these areas.
- Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.

Build the Network

- Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
- Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.

Requirements and Qualifications

- Minimum of ten to fifteen years of experience in a combination of risk management, information security and IT.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and non-technical audiences.
- Strategic leader and builder of both vision and bridges, able to energize the information security supporting teams in the organization.
- Must be a critical thinker, with strong problem-solving skills.
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment.
- Poise and ability to act calmly and competently in high-pressure, high-stress situations.
- Knowledge and understanding of relevant legal and regulatory requirements, such as relevant local or global laws, standards and regulations, GDPR, state laws and the Payment Card Industry Data Security Standard.
- Strong understanding of how to maximize value from technology investments (e.g. next-generation firewalls, Cisco IOS, Cisco switches, Intrusion Prevention Systems (IPS), threat analysis and protection, sandboxing, Intrusion Detection Systems (IDS), Identity Management Systems (IMS), and auditing and event logging solutions).
- Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist.
- Degree in business administration or a technology-related field, or equivalent work- or education-related experience.
- Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL and COBIT, as well as those from NIST, including 800-53 and the Cybersecurity Framework.
- High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.
- High degree of initiative, dependability and ability to work with little supervision while being resilient to change.

Additional background investigations or probes may be conducted as part of the hiring process.
Disclaimer: This job description indicates, in general terms, the type and level of work performed as well as the typical responsibilities of employees in this classification, and it may be changed by management at any time. Other duties may also apply. Nothing in this job description changes the at-will employment relationship existing between the Company and its employees.
