CHIEF INFORMATION SECURITY OFFICER 
Information Technology Services 
"Preserving the Past, while Innovating our Future!" 

 
Opportunity of a Lifetime! 

The City of Alexandria is located in northern Virginia, and is bordered by the District of Columbia (Potomac River), Arlington, and Fairfax counties. With a population of approximately 160,000 and a land area of 15.75 square miles, Alexandria is the seventh largest city in the Commonwealth of Virginia. Approximately one-quarter of the City's square miles have been designated as a national or local historic district. Several buildings in these districts are monuments to the past, while being actively used by citizens for homes, businesses, and museums. We proudly embrace our rich history and seize the endless opportunities that lie ahead. If you are interested in working for the vibrant City of Alexandria, we invite qualified candidates to apply for our Chief Information Security Officer position. 

 
ITS Department Core Values:
 
Empower People
Evaluate
Strategically Invest
Secure Information
Collaborate
Data-Centric

An Overview 
 
The Department of Information Technology Services (ITS) is seeking a Chief Information Security Officer who will have responsibility for overseeing the City of Alexandria government’s Cybersecurity Program. This supervisory position reports directly to the Deputy Chief Information Officer (CIO) and uses industry best practices to oversee the implementation of all security policies as directed by the CIO, and enforces the City’s enterprise cybersecurity through policy, architecture, technical and functional administration, and training. The Chief Information Security Officer will also lead in selecting, configuring, communicating, and implementing cybersecurity solutions and security controls to identify and reduce IT risk.
 

What You Should Bring 
 
You should have a demonstrated ability of being able to work independently, as well as a history of establishing and maintaining effective working relationships with coworkers, representatives of other departments and agencies, and the public. You must be able to communicate clearly and effectively, both verbally and in writing, as well as being able to mentor junior staff. You should be able to show proactivity in continuously improving your job knowledge and technical and functional skills through training opportunities and self-study. Our ideal candidate will have considerable hands-on experience in all aspects of cybersecurity, and an ability to lead, manage, and communicate.
 
The Opportunity  
 
The Chief Information Security Officer will be focused on all aspects of City-wide IT cybersecurity, from developing cybersecurity plans and strategies to preventing and mitigating cyber-attacks. Examples of duties include:
 
Establish Governance and Build Knowledge 

• Provides regular reporting on the current status of the information security program and relevant metrics to ITS stakeholders and City senior leadership as part of a strategic enterprise risk management program, thus supporting business outcomes. 
• Develops, socializes and coordinates approval and implementation of security policies. 
• Works with stakeholders to ensure that information security requirements are included in contracts. 
• Establish an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board. 
• Directs the information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences. 
• Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management. 
• Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls. 

 
Lead the Organization 

• Leads the information security function across the City to ensure consistent and high-quality information security management in support of the business goals. 
• Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas. 
• Manages the budget for the information security function, monitoring and reporting discrepancies. 
• Manages the cost-efficient information security organization, consisting of direct reports and federated technology partners. This includes hiring (and conducting background checks), training, staff development, performance management and annual performance reviews. 

 
Strategic Direction  

• Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate. 
• Monitors the comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled or/and processed by the organization.
• Creates budgetary requests for both operational needs as well as proposes long-range funding considerations. Performs contractual management, devises statement of work, and conducts negotiations for related products and services. Proposes solutions that are right sized and bring the most value to the organization.
• Engages stakeholders to address risk management which includes assessment, identification, mitigation controls, and acceptance to ensure ownership of the information security risk is clear and documented. Ensure the risks are considered in totality and align with the City’s overall risk appetite.

Develop the Frameworks 

• Develops and enhances an up-to-date information security management framework based on the following: NIST, COBIT, CIS Critical Controls, and others. 
• Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations. 
• Develops and maintains a document framework of continuously up-to-date information security policies, standards, and guidelines. Oversees the approval and publication of these information security policies and practices. 

 
Mature the Program and Communicate the Vision 

• Creates the necessary internal networks among the information security team and line-of-business stakeholders, compliance, audit, physical security, legal and HR management teams to ensure alignment as required. 
• Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors, and other relevant parties to address common trends, findings, incidents, and cybersecurity risks. 
• Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies. 
• Liaises technology staff across the organization to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design. 

 
Cybersecurity Operations 

• Defines and facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings. 
• Manages and contains information security incidents and events to protect City ITS assets, intellectual property, regulated data and the City's reputation. 
• Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action. 
• Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the City perimeter. 
• Coordinates the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas. 
• Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem. 

 


About the Department 
 
The Information Technology Services Department is responsible for enterprise technology operations for the City of Alexandria. ITS provides technology services and solutions to City departments to enhance service delivery. ITS aligns its work with City needs by providing leadership, resources, expertise, and products that enable departments to better serve the City’s residents, businesses, and visitors. ITS resources support initiatives funded through the multi-year Information Technology Capital Improvement Plan (IT/CIP) to improve the overall technology landscape. The City of Alexandria’s ITS Department has been a Top Ten National Finalist in the Digital Cities Award program for over the past 10 years.