AVP & Chief Information Security Officer (CISO)

Job Level
Senior position
Job Category
Vice President, C Level
Sector
  • Technology
Job Status
Areas of Responsibility
  • All Areas of Technology
7750  
Drexel University, a comprehensive, global research university ranked among the nation's top 100, seeks an experienced and dynamic leader to serve as the Associate Vice President and Chief Information Security Officer (CISO). One of the most innovative, exciting, and successful research universities in America today, Drexel's mission has remained constant since its founding: to serve its students and society through outstanding academics, innovative technology, and experiential learning.
The CISO is responsible for establishing and maintaining a university-wide information security management program (including Drexel College of Medicine) to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the university. The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. The CISO will proactively work with the CIO, Chief Privacy Officer and business units to implement practices that meet defined policies and standards for information security. He or she will also oversee a variety of IT-related risk management activities.
The CISO serves as the process owner of all assurance activities related to the security aspects of availability, integrity and confidentiality of student, faculty, staff, patient, research subjects, business partner and business information in compliance with the university's information security policies. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization. The CISO must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully-functional, secure mode.
The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes. While the CISO is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the university's activities. It cannot be undertaken at the expense of the enterprise's ability to deliver on its goals and objectives. In line with that requirement, the successful candidate will champion the concept that information security is a shared responsibility for every employee who has been entrusted with sensitive data. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of information security and risk management, with eight to 10 years of relevant experience, including six years in a significant leadership/executive role.  
  • Minimum of eight to 10 years of experience in a combination of IT risk management, information security and IT jobs; at least six must be in a senior leadership/executive role. Employment history must demonstrate increasing levels of responsibility.
  • BS in Computer Science or related major required. Master's degree in a technology-related field, or equivalent work or education-related experience, preferred.
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
  • Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
  • Poise and ability to act calmly and competently in high-pressure, high-stress situations. Must be a critical thinker, with strong problem-solving skills.
  • Knowledge and understanding of relevant legal and regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
  • Excellent analytical skills, the ability to manage multiple projects under strict timelines, and the ability to work well in a demanding, dynamic environment and meet overall objectives.
  • Project management skills: financial/budget management, scheduling and resource management.
  • Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
  • Professional security management certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, preferred.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and those from NIST.
  • Experience with contract and vendor negotiations.
  • High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.
  • High degree of initiative, dependability and ability to work with little supervision.
  • Develop, implement and monitor a strategic, comprehensive enterprise-wide information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the university.
  • Manage the university's information security organization, consisting of direct and indirect reports, including hiring, training, staff development, performance management and annual performance reviews.
  • Facilitate information security governance through implementation of a hierarchical governance structure, including formation of an information security steering committee.
  • Develop, maintain and publish information security policies, standards and guidelines. Oversee approval, training and dissemination of security policies and practices.
  • Create and manage information security and IT risk management awareness training programs for all employees, contractors, students and approved system users.
  • Work directly with business units to facilitate IT risk assessment and risk management processes, and work with stakeholders on identifying acceptable levels of residual risk.
  • Provide regular reporting on the current status of the information security program to enterprise risk teams, senior leaders and the board of trustees.
  • Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
  • Develop and enhance an information security management framework using appropriate elements from the International Organization for Standardization (ISO) 2700X series, ITIL, COBIT/Risk IT and the National Institute of Standards and Technology (NIST).
  • Provide strategic risk guidance for IT projects, including evaluation and recommendation of technical controls.
  • Liaise with the IT architecture team to ensure alignment between security and enterprise architectures, coordinating the strategic planning implicit in these architectures.
  • Coordinate information security and IT risk management projects with resources from the IT organization and business unit teams.
  • Create and manage a unified and flexible control framework to integrate and normalize changing requirements resulting from global laws, standards and regulations.
  • Ensure that security programs are in compliance with laws, regulations and policies to minimize or eliminate risk and audit findings.
  • Liaise among the information security team and the privacy, corporate compliance, audit, legal and HR management teams as required.
  • Define and facilitate information security risk assessment, including reporting and oversight of treatment efforts to address negative findings.
  • Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the university's reputation.
  • Contact the Chief Privacy Officer to coordinate due diligence review, investigation, breach determination and required notification of local, state and federal agencies as well as individuals affected by a breach, to enable full, timely and accurate reporting to the cybersecurity insurance carrier, responsible agencies and the Board Audit Committee when sensitive data is involved.
  • Monitor external sources for emerging threats, and advise stakeholders on appropriate courses of action.
  • Liaise with external agencies, such as law enforcement, as necessary to ensure that the university maintains a strong security posture.
  • Ensure that disaster recovery plans and procedures for business-critical services satisfy university security standards and support recovery following the occurrence of a security event.
  • Provide direction, support and in-house consulting.
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the information security program, facilitate appropriate resource allocation, and increase the maturity of security.
  • Understand and interact with related disciplines through committees to ensure consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management
Drexel University is an Equal Opportunity/Affirmative Action employer, welcomes individuals from diverse backgrounds and perspectives, and believes that an inclusive and respectful environment enriches the University community and the educational and employment experience of its members. The University prohibits discrimination against individuals on the basis of race, color, national origin, religion, sex, sexual orientation, disability, age, status as a veteran or special disabled veteran, gender identity or expression, genetic information, pregnancy, childbirth or related medical conditions and any other prohibited characteristic. Please visit our website to view all University Policies and Workplace Postings.

Background investigations are required for all new hires as a condition of employment, after the job offer is made. Employment will be contingent upon the University's acceptance of the results of the background investigation.

The search for this role is being managed through Isaacson, Miller search firm. All applicants should apply through www.drexeljobs.com for consideration.

Resume
Cover Letter  
(5) Full Time  
3820 Ofc of Info Resources & Technology  
Commensurate with experience  
University City, 15 S 33rd Street, Philadelphia, PA 19104  
08-02-2016  
01-30-2017
www.drexeljobs.com/applicants/Central?quickFind=81401