Business InfoSec Lead (BISL)

Responsibilities:

• Articulates the security perspective to the business and helps them understand the potential impact and possible controls in business terms.

• Communicates business knowledge and requirements to the Information Security organization thus ensuring security is aligned with business strategy and need.

• Counsels business units in understanding regulatory information security compliance requirements and helps ensure compliance.

• Represents the business unit in development of policies and standards.

• Act as primary point of contact for all IT internal audits, participates in scoping, deliverable requests and collaborates with senior leadership to clear audit reports and ensure action plans are complete and effective.

• Ensures IT owners are held accountable for their controls and understand responsibilities as to risk mitigation and remediation as well as compliance to security policy and standards to reduce liabilities.

• Understands and reports on the overall information security risk posture of the business unit, and provides an enterprise view of vulnerabilities and associated risks to both the business and information security.

• Focuses on process improvement to manage risk, proactively prevent problems and identify opportunities for efficiencies and automation.

• Investigates security incidents for the business and works with Information Security teams to recommend/implement appropriate corrective actions.

• Understands, tests and implements security plans, products, strategies and control techniques.

• May lead or participate in security related projects and strategy.

• Performs other duties and responsibilities as assigned.

• Design and implement disaster recovery and contingency plans to protect company data.

• Help develop procedures for an area of the organization and monitor their implementation.

• Contribute to stakeholder engagement by identifying stakeholders; by finding out their needs, issues, and concerns; and by reacting to these needs, issues, and concerns, arranging meetings and events and drafting supporting materials to promote understanding and commitment.

• Develop own capabilities by participating in assessment and development planning activities as well as formal and informal training and coaching; gain or maintain external professional accreditation, where relevant, to improve performance and fulfill personal potential. Maintain an understanding of relevant technology, external regulation, and industry best practices through ongoing education, attending conferences, and reading specialist media.

• Support strategy formulation for digital by exploring how information technology can be used to help the organization become more responsive to customer needs and changing business requirements.

• Provide specialist advice on the interpretation and application of policies and procedures, resolving queries and issues and referring very complex or contentious issues to others.
  

Skills:

• Financial services experience highly preferred.

• Knowledge of Information Security programs including, but not limited to, audit reviews, risk assessment, awareness and training, identity and access management, data protections, secure SDLC, incident management, vulnerability assessment, penetration testing, third-party assessment, secure configurations and patch management.

• Advanced knowledge of infrastructure and logical security technology with experience working with ITIL, ISO 17799 and/ or CoBit processes and procedures.

• Experience translating business drivers and priorities into security design.

• Knowledge of government and other regulations related to Information Security (e.g., GLBA, SOXA 404, FFIEC, PCI, Privacy, HIPAA, etc.).

• Technical skills and proficiency in a wide array of platforms and systems (e.g., Windows, UNIX, SQL, Tandem).

• Uses clear and effective verbal communications skills without supervision and provides technical guidance when required on expressing ideas, requesting actions and formulating plans or policies.

• Works without supervision and provides technical guidance when required on achieving full compliance with applicable rules and regulations in management and/or operations.

• Works without supervision and provides technical guidance when required on maintaining the security, integrity, compliance and continuity of IT systems and services.

• Works without supervision and provides technical guidance when required on developing, monitoring, interpreting and understanding policies and procedures, while making sure they match organizational strategies and objectives.

• Needs guidance (but not supervision) to communicate with other people by speaking in a clear, concise and compelling manner.

Licenses/Certifications:

• Security and control certifications highly preferred (CISSP, CISM, CISA, CRISC).