Global Chief Information Security Officer
Job Location: White Plains, New York, United States
The Chief Information Security Officer is responsible for providing strategic leadership and direction for the organization’s information and security function and coordinating alignment with the physical security function. The CISO will build and sustain a Cyber Risk Framework that integrates Governance and Risk Compliance controls, requirements, oversight and validation into Information Technology (IT) and Operational Technology (OT). The CISO will be responsible for developing and championing the methods and structure for measuring IT/OT cyber risk metrics through regular status monitoring of Cyber Security activities and operations in accordance with North American Electric Reliability Corporation (NERC) standards.
The CISO is accountable for ensuring that the IT/OT Cyber Security and Governance strategies, and their alignment with Physical Security, are consistent with the business objectives of the organization (i.e. Growth/Innovation, Operational Efficiency, Reliability, Risk Management and Regulatory Compliance). The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce data and information technology risks. It will be particularly important for the CISO to ensure alignment among the technology groups and business leadership teams regarding threat vectors, risk levels, data and technology security.
- Establish and sustain organization-wide (i.e. IT & OT) security technology standards, process improvements, governance processes and performance metrics to ensure that people, processes and technology mitigate persistent threats, meet the NERC Reliability standards adopted by the organization and protect the company’s information assets.
- Identify, select and implement security technology standards that complement the NERC CIP standards and are better suited to IT and OT non-Critical Cyber Assets (such as NIST, ISO 27001, COBIT).
- Develop a best-practice disaster recovery program to ensure technology availability and safety for employees.
- Establish and manage processes for monitoring cyber security strategies, policies, compliance controls, and programs to meet the company’s business needs.
- Identify Information Security needs and risks, and establish operational plans that align with the organization’s vision, mission and objectives, and support long-term Information Security growth and sustainability.
- Understand, communicate, execute tasks (e.g. provide input, review, coordinate, etc.), and/or implement specific elements of the New York Power Authority’s (NYPA’s) NERC Reliability Standards Compliance program.
- Coach and mentor the Information Security Management team to evolve skills, capabilities and teamwork across the technology organization.
- Oversee the selection, development, deployment, monitoring, maintenance, and enhancement of the organization’s cyber security technology.
- Direct the assessment of business and technology risks to ensure such risks are appropriately identified and evaluated. Oversee the development and implementation of appropriate measures to identify risks associated with applications/business functions.
- Provide management oversight to all activities related to technology compliance with regulatory as well as audit requirements, ensuring that technology best practices are being followed for Information Security and Disaster Recovery.
- Provide oversight for developing, implementing and managing the enterprise technology Disaster Recovery program to ensure timely technology operations recovery following an interruption in service caused by a technology system outage or declared disaster.
- Develop communication strategies for informing employees of cyber security initiatives.
- Develop out-year resource plans for addressing future cyber threats and future strategic initiatives.
- Continually seek and consider innovative solutions to business problems and apply as relevant in support of the organization’s mission.
- Manage and direct the cyber security team and provide input to the physical security function, including performance management, succession planning and workload balancing. Work closely with physical security to improve NYPA’s overall security posture.
- Build and maintain effective relationships across the Authority among various functions and business units in support of NYPA’s business objectives and goals.
- Manage staff, including performance management, salary administration, succession planning and workload balancing.
- IT Enterprise Architecture and Governance, Risk and Compliance (GRC)
- Program and project management
- Cyber Risk Reporting and establishment of Key Risk Indicators and Key Performance Indicators
- Incident Readiness and Incident Recovery
- Information security technologies, markets and vendors including firewall, intrusion detection, assessment tools, encryption, certificate authority, web, and application development
- Strategy, roadmap and investments
- Organization structure and accountability
- Relationship management – regulators, C-suite, Board, law enforcement and audit
- Audit and assessment methodologies, procedures and best practices that relate to information networks, systems, and applications
- Application security, database technologies used to store enterprise information, directory services, financial information, and information systems auditing
- Strong understanding of how to apply current and emerging security technologies to solve business problems. Track record of developing and implementing comprehensive strategic response and recovery strategies, plans and procedures. Comprehensive understanding of applicable practices and laws relating to data privacy and protection.
- Strong verbal and written communication skills, especially in the areas of presentation and interaction with people at all levels across an organization
- A track record in the successful management of programs and people, both internal and external, as well as demonstrated complex program/project/vendor management skills.
- Agile, versatile, flexible and the ability to work with constantly changing priorities.
- Advanced degree in technology (computer science/engineering or related field) preferred
- Bachelor of Science Degree in Engineering Technology, Computer Science, or equivalent.
- 10+ years of progressive leadership experience in computing and information security, including experience with Internet technologies and security issues.
- Formal certification in Information Security Management: CompTIA Security+, CISSP, CISM, CISA, and/or CEH an advantage.
- Cyber security experience in the energy industry preferred