What are the responsibilities and job description for the Chief Information Security Officer (CISO) position at Whitehat Virtual Technologies?
Job Description
Overview:
The Chief Information Security Officer (CISO) is a salaried (exempt) position that defines, implements, and supports the Security and Compliance requirements and responsibilities of the organization and its customers. This is a customer-facing role that routinely interacts with external and internal users of the Ascent Security Compliance Portal. In addition to serving as the product manager of the Ascent Portal, the CISO is responsible for directing and supporting security and compliance activities internally and for customers with whom active agreements/contracts are in place. This position reports directly to the VP of Operations, the VP of Technical Services, and the Board.
Key Responsibilities/Role Functions:
- Develop, implement, and maintain a comprehensive Security Program for the organization to help ensure internal and regulatory controls are continually achieved.
- Support the organization's tactical/strategic vision by participating in the development, approval, and execution of short- and long-term plans.
- Drive forward-thinking tactical/strategic plans for the Security Program to help ensure the organization stays in line with security/compliance requirements, and spearhead appropriate continual improvements.
- Coordinate with other areas of the organization to implement appropriate security controls and to establish control ownership, accountability, and reporting.
- Perform ongoing internal assessments of Security Program controls.
- Lead the execution of annual risk assessments for the organization; approve and communicate results/reports.
- Develop, implement, update, and communicate Security Policies, Standards, and Plans for the organization.
- Lead and coordinate external audit activities for the organization to achieve and maintain an independent attestation of controls.
- Implement, maintain, and manage a process for organizational stakeholders to perform Vendor Due Diligence and report results to all affected personnel.
- Provide security awareness and phishing training to internal users, with tracking and reporting.
- Serve as the product owner for the Ascent Security Compliance Portal for all internal users and all customers:
  - Identify, document, test, track remediation, and report on features and functionality of Ascent Portal releases, capabilities, and implementations.
  - Partner to lead, manage, and support the Portal Development Roadmap.
  - Maintain and update all appropriate regulatory frameworks and associated controls.
  - Maintain and update all appropriate documentation templates (policy, standard, plan, reports, audit support documents, etc.) for customers in any industry and for all control frameworks.
  - Maintain all artifact support materials for all industries and all control frameworks.
- Provide current content as well as updates for marketing campaigns, social media, and web sites.
- Provide security awareness and phishing training solutions to customers, complete with tracking and reporting.
Required Experience/Skills:
- 25 years of Security and Compliance experience, including:
  - Security Assessments and Control Compliance (25 years)
  - Governance (25 years)
  - Business Continuity and Disaster Recovery (15 years)
  - Cybersecurity (10 years)
  - Vendor Management (5 years)
  - Auditing (25 years)
  - Security Awareness Training (10 years)
  - Security and Compliance Reporting (25 years)
  - Project Coordination (15 years)
- 20 years of personnel (people/staff) management experience.
- Demonstrable experience in defining and deploying security tools, technologies, and solutions.
- Proven track record in defining and implementing IT requirements, procedures, and deliverables.
- Strong experience in leading matrixed teams toward common organizational goals.
Preferred Experience/Skills:
- 7-10 years in IT (infrastructure, networking).
- Experience working in an enterprise with multiple locations.
- Familiarity with regulatory control frameworks such as NIST, CMMC, ISO, FFIEC, HIPAA, PCI, etc.
- Knowledge of emerging information technologies and control requirements.
- Knowledge of messaging, service, and event-based infrastructures.
- Understanding of interrelationships between critical infrastructure protection and operations.
Minimum Education/Experience: Degree in related field and appropriate experience. (Additional experience or certifications may be substituted in lieu of degree.)
Travel Statement: Overnight travel requirement is expected to be 0-15%.
Work Arrangement: Remote work.