Sr. Director of Information Security and Chief Information Security Officer

The Chief Information Security Officer (CISO) has primary responsibility for ensuring that NIU develops and continuously maintains an optimal balance between the institution’s tolerance for risk with respect to its information assets, the ability of the community to easily and safely transact their business and leisure activities, the institution’s compliance with applicable laws and regulations; and the development of academic and research needs for cost-effective secure computing and data storage solutions. In pursuit of this balance, the CISO is involved in the full life cycle of IT Service Management, beginning with Service Design, continuing through a well-functioning security and architectural review process, development of a system of internal controls, establishment of Disaster Recovery and Business Continuity capabilities, and culminating in the full spectrum of training, education, and continual improvement activities needed during Service Transition and Service Operation. The CISO applies industry-accepted methodologies or frameworks (i.e., IT Service Management [ITIL]; COBIT; NIST; Six Sigma; etc.) to ensure adherence to standards and requirements and to provide stakeholders with continual reports on progress and performance.

In this role, the CISO has ownership and accountability for the information security policies, processes and procedures that ensure NIU compliance with applicable international, federal and state laws and regulations. The CISO partners with non-IT entities throughout the institution in order to foster compliance with regulations such as the Federal Information Security Modernization Act (FISMA); the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry (PCI) Data Security Standards; the Illinois Personal Information Protection Act (PIPA); and others. The CISO also works with the Internal Audit Department, the Office of General Counsel, the Ethics and Compliance Office, the NIU Board of Trustees, the Illinois Auditor General’s Office, and other outside consultants to support auditing efforts and remediate audit findings. The CISO continuously advocates for a perspective that puts the university in its best light and tracks to successful resolution any findings that may result.

As a senior leader in the university, this position guides and mentors managers and staff as needed in order to create, perform, manage, and optimize enterprise-wide IT services or operational processes. The CISO communicates frequently with executive stakeholders to create trust and transparency between IT and functional units. The CISO demonstrates his/her commitment to diversity, equity and inclusion by establishing a rapport with diverse populations, addressing concerns of diverse communities within NIU, and incorporating best practices in order to establish inclusive working groups and environments.

This position reports to the Chief Information Officer.

Continuously Develops, Improves and Implements a Framework of Security Controls

• Establishes and follows a multi-year plan for adopting and optimizing information security within and outside of the central IT division.

• Defines, manages, and optimizes the IT architecture and security processes of the institution.

• Establishes controls across the full spectrum of security and leads efforts to make recommendations regarding the adequacy of security controls.

• Authors and wins approval for policies relating to information security and privacy.

• Mentors and guides IT staff and managers in basic through advanced methods of assuring protection of assets from unauthorized modification, disclosure, or destruction.

• Builds relationships through communication that lead to widespread adoption of established systems, practices, and policies.

Leads Administrative Proceedings and Information Security Investigations

• Designs, promotes and ensures compliance with privacy standards, laws and regulations.

• Designs, creates, and uses policies, plans, and procedures to conduct information security investigations in conjunction with campus leaders in the Office of General Counsel, the Department of Police and Public Safety, Human Resource Services, and others as required.

• Ensures that security incidents and investigatory documents are properly documented, processed, and stored in accordance with university policy and applicable federal and state regulations.

Actively Supports and Coordinates Internal and External Audits and Assessments

• Assesses internal compliance, both inside and outside the central IT division and prioritizes short, medium, and long-term plans to improve compliance.

• Coordinates and tracks all IT and security related audits including scope, units involved, timelines, agencies, and outcomes.

• As resources are available, brings business analyst capabilities into play to improve business practices as well as assure security.

• Assists project managers and senior leaders in skillfully managing executive stakeholders across the entire project portfolio.

Assures Education and Awareness for End Users

• Develops, designs, and provides staff training and awareness programs throughout campus to raise levels of knowledge and proficiency in best practices for IT work.

• Chairs or participates in cross-functional governance and advisory committees to advance the incorporation of security systems and business practices in new projects and current operations.

• Using an accepted framework for organizational change management, arranges security campaigns that use multimodal communication to move users from resistance to acceptance and behavioral change.

Builds Communities of Practice

• Wins support for information security techniques even among those who are resistant.

• Finds ways to spread good practices, both through formal and informal means.

• Encourages and creates process development techniques to encourage wider adoption of good security practices.

• Bachelors or advanced degree in computer science, information technology, MIS, engineering, or another technology or security field.

• 15 years of work-related experience, with at least 10 years related to implementing security policies, security standards, security incident response and remediation, and enterprise risk management. 

• Demonstrated knowledge of federal security regulations such as FERPA, HIPAA, PCI DSS, and FISMA. 

• Possession of at least one of the following certifications: CISSO, CISSP, CISM, CHP, CGEIT, CSCS, ISSAP, ITIL Foundations.

• Possession of at least two of the following certifications: CISSO, CISSP, CISM, CHP, CGEIT, CSCS, ISSAP, ITIL Foundations.

• ITIL Intermediate v3 certifications dealing with service strategy, service operations and continual service improvement.

• Exceptional interpersonal, analytical, and communication skills.

• Proven ability to train and mentor teams in areas of security awareness, ethical hacking, security frameworks and standards, and similar disciplines.

For questions regarding this position and application, please contact Tina Varney at tvarney@niu.edu.

In accordance with applicable statutes and regulations, NIU is an equal opportunity employer and does not discriminate on the basis of race, color, national origin, ancestry, sex, religion, age, physical and mental disability, marital status, veteran status, sexual orientation, gender identity, gender expression, political affiliation, or any other factor unrelated to professional qualifications, and will comply with all applicable federal and state statutes, regulations and orders pertaining to nondiscrimination, equal opportunity and affirmative action.

In compliance with federal law, all persons hired will be required to verify identity and eligibility to work in the United States and to complete the required employment eligibility verification document form upon hire.

NIU remains committed to ensuring that its recruitment and application procedures include full opportunities for applicants with disabilities. Employment opportunities will not be denied to anyone because of the need to make accommodations for a person’s disability during either the application or interview process. An applicant who believes they require an accommodation to participate in the employment process due to a disability may request that accommodation through the Accommodation Request Form. This form can be obtained by contacting the Office of Academic Diversity, Equity and Inclusion (ADEI) at 815-753-8399.

N.I.U. provides information regarding campus security, personal and fire safety, including topics such as: crime prevention, emergency response procedures and crime reporting policies, in addition to crime and fire statistics for the most recent three calendar years. The Annual Security Report containing security and safety information is available at www.safety.niu.edu/clery or by contacting the University Police Department and Public Safety Department at 815-753-9628 to receive a hard copy. The Annual Fire Safety Report is available at www.niu.edu/clery/fire_report.pdf or by contacting the Environmental Health and Safety Department at 815-753-0404 to receive a hard copy.