
Director, Cybersecurity (Global/Emerging Market Experience Required - DC Area)

Winrock International
Little Rock, AR Full Time
POSTED ON 1/21/2025
AVAILABLE BEFORE 3/21/2025

Position Title: Director, Cybersecurity

Department: Information, Communication and Technology (ICT)

Location and Working Hours: US, Washington DC Metro (DMV) area

Reports to: VP of ICT

Position Summary:

The Director, Cybersecurity will provide cybersecurity leadership and guide the development and implementation of the organization's cybersecurity roadmap. This is a hands-on role that involves setting security goals, establishing policies, managing cybersecurity activities, and ensuring alignment with organizational objectives. The Director will work closely with senior management, the Risk & Compliance team, and the ICT team to secure systems and data. The Director will supervise and coordinate with the Sr. Analyst, Cybersecurity to create a resilient cybersecurity posture and act as a backup for critical operational tasks.

This position may be based within the contiguous United States, but will require the candidate to work on East Coast time. Candidates in the Washington DC (DMV) area are strongly preferred.

Key Responsibilities:

Strategic Leadership

  • Define and communicate long-term security goals, objectives, and strategies aligned with organizational priorities and the evolving threat landscape.
  • Assess security posture to identify critical gaps and develop a cybersecurity maturity roadmap to guide improvement efforts.
  • Oversee cybersecurity projects, directing the Sr. Analyst, Cybersecurity to align initiatives with strategic objectives and the security roadmap.

Policy and Procedure Development

  • Develop, implement, and maintain the organization's cybersecurity strategy and policy framework, ensuring alignment with regulatory requirements and industry standards.
  • Ensure consistent application of cybersecurity policies across all environments, holding teams accountable for compliance and implementation.

Security Program Management

  • Oversee cybersecurity architecture reviews and configuration enhancements to strengthen network security.
  • Manage the Security Awareness Program, collaborating with the Sr. Analyst, Cybersecurity to deliver targeted training and awareness initiatives.
  • Lead disaster recovery and business continuity planning with ICT, including regular testing and maintenance to ensure readiness.

Risk Management

  • Oversee security assessments, audits, and risk management activities, prioritizing risks based on organizational impact.
  • Manage annual vulnerability and penetration testing, collaborating with ICT to address findings.
  • Prepare for audits by facilitating necessary documentation and meetings, serving as the primary cybersecurity contact for external auditors.

Data Protection and Privacy

  • Develop, implement, and enforce data protection policies that ensure confidentiality, integrity, and availability of sensitive information.
  • Collaborate with Risk, Compliance, and Legal teams to align cybersecurity policies with data privacy regulations (e.g., GDPR, CCPA, HIPAA).
  • Lead data protection impact assessments, implement access controls, and establish response processes for potential data breaches.
  • Promote data privacy awareness and lead organization-wide training on data protection policies and best practices.

Compliance and Regulatory Alignment

  • Collaborate with Risk & Compliance to determine regulatory requirements, creating strategic plans for implementing necessary controls.
  • Define roles and responsibilities within ICT, Cybersecurity, and Risk & Compliance teams, clarifying accountability for compliance efforts.
  • Monitor changes in regulations and industry standards, implementing updates in collaboration with stakeholders to maintain compliance.

Incident Response Management

  • Develop and implement the organization's incident response program, including detection, containment, eradication, and recovery processes.
  • Establish and approve incident response policies, procedures, and guidelines, ensuring they align with risk tolerance and compliance requirements.
  • Ensure regular tabletop exercises with ICT and cross-functional teams are conducted.
  • Serve as the Incident Response Commander, leading all phases of incident response and communicating status, business impact, and remediation strategies to executive leadership.
  • Conduct post-incident reviews and integrate lessons learned into policies and procedures to enhance future response efforts.

Guidance and Reporting

  • Provide regular updates to executive management on security posture, strategic progress, and key risks.
  • Develop a cybersecurity dashboard to provide executives with visibility into security status and progress.
  • Coordinate cross-functional risk management initiatives, leveraging input from the Risk & Compliance and ICT teams.

Team Management and Development

  • Manage and mentor the Sr. Analyst, Cybersecurity, ensuring alignment with security priorities and fostering professional growth.
  • Serve as a backup for hands-on cybersecurity tasks, instilling a culture of continuous learning and improvement within the team.

Vendor and Third-Party Management

  • Develop third-party risk assessment protocols in collaboration with the ICT, Procurement and Risk & Compliance teams.
  • Oversee third-party cybersecurity assessments to ensure vendors meet organizational standards, with guidance on strategic vendor relationships.

POSITION QUALIFICATIONS

  • Bachelor's degree in Cybersecurity, Information Security, or a related field.
  • Essential certifications: CISSP, CISA and CISM.
  • Recommended additional certifications: CGEIT, PMP, ITIL, CCISO, CBCP.
  • 10 years of experience in information security, with 5 years in a senior leadership role.
  • Global experience required, preferably in regions where Winrock International works.
  • Proven track record in developing and executing cybersecurity strategies.
  • Strong understanding of security frameworks and compliance standards (NIST, CIS, etc.).
  • Crisis management expertise.
  • Enterprise-level security understanding.
  • Excellent leadership, communication, and project management skills, with experience building and managing teams.
  • Excellent communication skills with the ability to collaborate across departments and present complex IT concepts to non-technical stakeholders.
  • Experience managing operational-level cybersecurity tasks within a nonprofit or international setting.
  • Required Travel: A minimum of two to three trips required annually; may be domestic or international.
  • Candidates in the Washington DC (DMV) area are strongly preferred.

The salary range for this role is set between $155,000 and $165,000, with the majority of candidates typically landing within the midpoint of this range. There is an additional 10% contribution for a 403b annually and an excellent benefits package.

Winrock is an equal opportunity employer. We are committed to providing equal employment opportunity for all people and value diversity and inclusiveness. Winrock recruits, employs, trains, promotes, and compensates regardless of race, color, religion, sex, gender, gender identity, gender expression, sexual orientation, national origin, ancestry, citizenship, age, physical or mental disability, medical condition, family care status, or any other basis protected by law.

At Winrock we have a clear mission: Empower the disadvantaged, increase economic opportunity, and sustain natural resources through unwavering dedication to accountability, equity, innovation, integrity, and transformation.

Winrock knows that its success comes from the hard work and steadfast dedication of its diverse workforce. Winrock remains committed to maintaining diversity, inclusion, and equity across the entire organization.

 

Salary: $155,000 - $165,000
