What are the responsibilities and job description for the Chief Information Security Officer position at Colorado Public Employees' Retirement Association?
Job Details
CHIEF INFORMATION SECURITY OFFICER
JOB SUMMARY
The Chief Information Security Officer (CISO) is responsible for developing, implementing, and maintaining a comprehensive security strategy to protect PERA’s digital assets, mitigate risks, and ensure compliance with industry regulations and best practices. As a member of the executive team, the CISO will oversee security operations, threat intelligence, incident response, governance, and employee awareness programs. The CISO will be responsible for managing enterprise security programs, implementing best-in-class security technologies, and fostering a culture of security across the organization. The CISO will also develop and enforce security training, policies, standards, and procedures and verify compliance with applicable laws and regulations. Additionally, this position acts in an advisory capacity to the Executive Leadership Team, providing consultation and advice on security-related matters. This role requires a strong leader with deep technical expertise, risk management experience, and the ability to align cybersecurity initiatives with business objectives.
ESSENTIAL FUNCTIONS
Strategy & Leadership
- Develop and implement an enterprise-wide information security program to ensure the security and integrity of PERA’s electronic information and IT assets. This includes developing and maintaining an enterprise-wide information security strategy and roadmap that aligns with business objectives and regulatory requirements.
- Lead cybersecurity and information security governance efforts, ensuring alignment with industry best practices and regulatory requirements.
- Develop and manage a cost-effective cybersecurity budget based on forecasted resource needs, security investments, level of effort, and prioritization of key initiatives.
- Develop and maintain an Information Security workforce with the appropriate mix of business knowledge, technical skills, and competencies, balancing the agility required to achieve PERA’s business objectives against the need for core information security functions to be reliable, stable, and efficient.
- Lead and mentor a team of security professionals, ensuring professional growth, and be responsible for all management functions, including hiring and building a high-performing team.
- Commitment to creating a diverse and inclusive workforce.
- Perform other duties as assigned.
Policy Development & Governance
- Develop and enforce security policies, standards, and procedures commensurate with PERA’s risk appetite and evolving threat landscape.
- Coordinate with legal as well as enterprise risk and compliance teams to ensure compliance with data protection laws such as HIPAA.
- Create a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection of information and assets.
- Develop and maintain an incident response plan, ensuring quick and effective responses to security incidents.
Risk Management & Compliance
- Create and maintain security and risk assessment programs. Conduct risk assessments, identify vulnerabilities, and prioritize remediation efforts to reduce risk exposure. Work with executive leadership to determine acceptable levels of risk for the organization and communicate cybersecurity risks and strategies to executive leadership and the PERA Board of Trustees (Board).
- Monitor external threats and vulnerabilities and develop strategies for mitigating risks.
- Conduct regular security audits and assessments to identify gaps and vulnerabilities, stay apprised of relevant legal and regulatory requirements, and ensure compliance with applicable laws and regulations.
- Conduct regular incident response exercises to test responses to various threats.
- Oversee security operations, including monitoring, incident detection, response, and recovery, ensuring swift mitigation of potential breaches.
- Conduct post-incident security analysis and forensic reviews and implement measures to prevent future breaches.
Information Security Management
- Establish security policies, standards, and procedures to safeguard information and assets.
- Manage and monitor information security systems.
- Participate in the development and implementation of information technology architecture decisions, as needed, to address current and future security controls.
- Ensure data protection, encryption, and secure system configurations across the organization.
Security Awareness and Training
- Keep leadership abreast of, and as appropriate adopt, technologies consistent with enterprise standards.
- Promote a culture of cybersecurity within the organization to reduce human-related security risks by developing and providing security-related training and awareness programs.
Collaboration and Stakeholder Engagement
- Work closely with IT, legal, HR, and business leaders to integrate security across the organization.
- Develop collaborative and professional relationships with cross-organizational teams, help business units identify and mitigate risk, and work with representatives from business partners to consider business needs and objectives and ensure appropriate change management protocols are followed before making changes that will impact business operations.
- Work collaboratively with Internal Audit.
QUALIFICATIONS
- Bachelor’s degree in information technology, computer science, cyber security, or a related field.
- Professional certification as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), Certified Information Security Manager (CISM), or Certified Risk and Information Systems Control (CRISC) required.
- 10 years of experience in information security, including IT risk management, network security, or cybersecurity operations, with at least five years in a senior leadership capacity. A combination of relevant education, training, certification, and experience that demonstrates the necessary skills, knowledge, and abilities will also be considered.
- Knowledge of industry standards and security frameworks such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), and demonstrated ability to develop and manage a security plan to a framework.
- Proven experience in developing and implementing security strategies, policies, standards, and procedures, and ensuring compliance across the organization.
- Knowledge of security auditing, vulnerability assessments, and risk mitigation.
- Advanced knowledge and understanding of security principles, protocols, and standards, as well as emerging threats, attack vectors, and mitigation strategies.
- Experience with security technologies and controls such as firewalls, intrusion detection systems, vulnerability scanners, encryption, penetration testing, privileged access management, vendor risk management, data loss prevention, and mobile device management.
- Experience in implementing zero-trust architecture and cybersecurity best practices.
- Proven experience leading incident management response and crisis management.
- Knowledge of secure software development and DevSecOps practices.
- Experience with contract and vendor negotiations, and with ensuring vendor procurement documents and contracts incorporate provisions that help protect PERA’s security interests.
- Excellent communication, problem-solving, and analytical skills, including the ability to convey complex cybersecurity concepts to both technical and non-technical stakeholders, including executives, Board members, and employees.
- Knowledge of contingency planning, including disaster recovery practices and procedures, as well as information security practices and procedures, including software utilized for security across various applications on different hardware and cloud-based platforms.
- Ability to understand and comply with all PERA and enterprise security standards, policies, processes, and procedures.
- Proven ability to work with cross-functional teams, across varying divisions and roles, to learn business operations, help educate teams about risk, and work collaboratively to mitigate risk.
- Demonstrated proficiency with time management and prioritizing tasks effectively.
- Adaptable, willing to continuously learn and update skills and knowledge for themselves and their team to ensure the security program is updated to meet evolving threats and industry trends.
PREFERRED QUALIFICATIONS
- Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), Certified Information Security Manager (CISM), Certified Risk and Information Systems Control (CRISC), or other similar credentials.
WORKING CONDITIONS
- Standard office environment with frequent computer use.
- Ability to travel occasionally.
- All employees are expected to present themselves in a professional manner in alignment with the financial services industry.
HYBRID WORK OPTION
- Opportunity to work from home up to 2 days per week. Eligibility dependent upon factors detailed in PERA's Work from Home Policy.
JOB DESCRIPTION DISCLAIMER:
This job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of an employee. Duties, responsibilities, and activities may change, or new ones may be assigned with or without notice.
Unfortunately, at this time, we cannot consider candidates that require sponsorship (now or in the future), or are located outside of the US.
INTERESTED CANDIDATES
Complete the employment application online at https://www.copera.org/careers. Please have copies of your resume and cover letter available to upload. Please review the following questions. You will be asked for a response to these as part of your application:
- Briefly summarize your relevant background and explain how your experience makes you an ideal candidate for this position.
- What would you consider to be the greatest achievement in your professional career? Talk through the steps you took to reach it.
ABOUT COLORADO PERA
As Colorado’s largest public pension plan, we are committed to providing retirement and other benefits to more than 600,000 current and former teachers, State Troopers, corrections officers, snowplow drivers, and many other public employees who provide valuable service to all of Colorado.
We hire exceptional employees and invest in their growth and development. We are passionate about our work and committed to serving our members by delivering quality customer service, sound investment decisions, and education programs. Our culture is built on the core values of integrity and accountability, excellence and initiative, collaboration, and engagement. We value diverse perspectives and promote an inclusive culture, recognizing that our people are our primary asset. We provide a healthy work-life balance and a culture where excellence is rewarded. At PERA, your work makes a difference every day.
At PERA, you will earn more than just a paycheck: our total rewards package is focused on wellbeing. We offer a comprehensive benefit plan including Health, Dental, and Vision coverage, with eligibility for most plans beginning the first of the month following the date of hire. We offer a generous paid time off plan as well as paid volunteer hours, PERA’s defined benefit plan, 401(k) and 457 defined contribution plans (including employer match on the 401(k), as applicable), tuition assistance, on-the-job training, free access to an on-site fitness center, free on-site parking or RTD subsidy, and more. For more information, please visit www.copera.org/careers.
Position Title: Chief Information Security Officer
Division: Administration
Reports to: Chief Administrative Officer
Job Status: Full Time / Exempt
Salary: $215,000.00 - $250,000.00 annually, commensurate with experience
Posting Dates: 03/07/2025 - 04/06/2025