(Sr.) Manager, Enterprise Information Security

Cybersecurity is essential to ensure the security, resilience, and compliance of the systems and data used to manage the power grid. The (Sr.) Manager, Enterprise Information Security plays a critical role in ensuring this security and compliance by leading a team responsible for executing critical functions and programs designed to keep PJM's systems and data secure and in compliance with NERC CIP and other requirements. These functions include the cyber risk management program, configuration management, vulnerability and patch management, and supply chain security as well as information protection, cybersecurity assessments, red teaming, and phishing training are additional critical elements of this position.

Essential Functions :

• Develop, maintain, and execute a risk management program that includes cybersecurity, IT compliance, and information system resilience risks. Regularly assess changes to risk ratings and mitigations
• Oversee the execution of an annual risk assessment, including action plans to mitigate risks
• Make decisions that effectively balance security risk with operational and business risk
• Oversee the supply chain cybersecurity risk program in compliance with NERC CIP-013 and vendor review policies
• Oversee a robust vulnerability management program, including system scanning, results analysis, and remediation follow-up
• Support application security assessments by ensuring that staff are effectively assigned to projects, are assessing security against well-defined requirements, and are validating controls. Ensure that penetration tests are performed, as needed.
• Define and oversee objectives for red teaming to test the effectiveness of PJM's security controls
• Oversee the development and execution of an annual simulated spear phishing training program
• Oversee the execution of an annual information protection program that includes controls for classifying, protecting, and monitoring PJM's security controls for sensitive information, including BCSI, PII, and other types of sensitive information in compliance with NERC CIP-011 requirements
• Manage systems security by implementing and maintaining policies and procedures for management of ports and services and security patch management in compliance with NERC CIP-007 requirements, including annual vulnerability assessments
• Oversee configuration change management processes, including developing baseline configurations and monitoring for unauthorized changes in compliance with NERC CIP-010 requirements
• Provide leadership and management to department and matrixed staff in the execution of departmental responsibilities, providing appropriate opportunities for development, ensuring department staff are trained in necessary skills and competencies, and staff performance is managed to accomplish departmental goals
• Define, maintain, operate and improve department functions and programs, including its documentation, processes, and supporting technology; provide reporting of program operations through routine reports, presentations and other deliverables as needed
• Staff department programs with qualified employees, contractors and matrixed support from across the division, as needed
• Establish a sense of urgency to complete tasks in an efficient and cost-effective manner while creating, establishing and enhancing relationships (both internal and external to the organization)
• Participate in NERC CIP audit readiness activities including gathering and presentation of evidence to demonstrate compliance with requirements
• Other duties, as assigned

Characteristics & Qualifications :

Required :

• Bachelor's Degree in Computer Science, Engineering or 10 years of leadership experience in a managerial / supervisory role
• 2 years of leadership experience in a managerial / supervisory role
• At least 5 years of work experience in Cyber Security, Information Security and Risk Management

Preferred :

• Master's Degree in Business Administration
• 5-10 years of leadership experience in a managerial / supervisory role.
• At least 5 years of experience in cybersecurity, compliance, or IT-related leadership experience
• Ability and desire to build relationships and interact with a wide range of stakeholders and staff to maintain and enhance PJM's customer service reputation
• Experience with PJM operations, markets, and planning functions
• Certified Ethical Hacker (CEH)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)