Chief Information Security Officer (Filled, 3 Resumes)

Position Reference Number:
Executive Package
Relocation Package: Yes
Job Type: Full-Time
Required Education: BA/BS, Masters Preferred

Job Description has been retained to find this company’s first CISO. This role reports to the head of legal and will immediately have a small staff that is already in place. There is opportunity to add to the existing staff. Our client is headquartered in Irvine, CA and has significant global operations across North America, Latin America, Europe, Japan, Asia and employees approximately 8,000 employees globally. The Director Information Security Management is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets, technology and intellectual property are adequately protected. This role operates as the chief information security officer who directly manages a team of IT security professionals and collaborates with the corporation’s physical security team to promote a comprehensive security program. This position is responsible for identifying, evaluating and reporting on security risks in a manner that meets compliance and regulatory requirements and aligns with and supports the risk posture of the enterprise. The role requires a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. This role will proactively work with business units and shared services organizations to implement practices that meet defined policies and standards for information security. He or she will also oversee a variety of IT-related risk management activities. The ideal candidate is a visionary thought leader, a consensus builder and an integrator of people and processes. A key element of this role is working with executive management to determine acceptable levels of risk for the organization. This role functions as the leader of the security program and must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the business's activities. It cannot be undertaken at the expense of the enterprise's ability to deliver on its goals and objectives. The successful candidate must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode. Ultimately, this role functions as a business leader that requires a track record of competency in the field of information security and risk management, with eight to ten years of relevant experience, including four years in a significant leadership role. • Develop, implement and monitor a strategic, comprehensive enterprise security IT risk management program in collaboration with existing IT and physical security teams, to ensure the security, integrity, confidentiality and availability of information that is owned, controlled or processed by the organization • Develop, maintain and publish up-to-date security policies, standards and guidelines. Oversee the approval, training and dissemination of security policies and practices for all employees, contractors and approved system users • Create and manage information security and risk management awareness training programs • Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants and other service providers • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection • Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program • Manage security incidents and events to protect corporate information assets, technology and intellectual property, regulated data and the company's reputation. Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action

Job Requirements

• A minimum of 8-10 years of experience in a combination of risk management, information security and IT jobs with at least 4 years in a senior leadership role. • Employment history must demonstrate increasing levels of responsibility. • A Bachelor’s degree is required. A Master’s degree in information technology, business administration or a related field is preferred. • Demonstrate past experience that includes protecting Intellectual Property • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to effectively communicate security and risk-related concepts to technical and nontechnical audiences up to and including the “C” suite • Demonstrated ability to lead to drive change management while skillfully considering cultural sensitivity • Demonstrated ability to introduce a security mindset into an organization • Poise and ability to act calmly and competently in high-pressure, high-stress situations • Certification: such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, is desired • Leadership experience developing global policies and strategies in collaboration with existing IT and physical security teams to protect, human, physical and information technology assets and intellectual property around the world • A strong understanding and knowledge of information security standards and laws (e.g., ISO 27001/27002, NIST, FFIEC, etc), and commonly used concepts, practices and procedures within the information security and privacy field • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and/or NIST • Knowledge of global privacy regulations and appropriate safeguards • Experience in mobile device management and access controls; Experience in data protection processes and technologies, cyber threat management, incident response, vulnerability testing and more