Director, IT Security

Job Level
Senior position
Job Category
Director
Sector
  • Information Technology
Job Status
Areas of Responsibility
  • Security
Job Description Summary:

The Division of Information Technology (it.gwu.edu) is the chief provider of technology infrastructure, services and applications at GW. The Division partners with stakeholders across GW to equip students, staff and faculty with the technology know-how and tools necessary to achieve academic excellence. Reporting to the AVP, IT Security, the Director, IT Security primarily works within the Division’s Information Security and Risk & Compliance Services department.

The Director of IT Security is responsible for establishing and maintaining a University-wide information security management program to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise. He or she will also oversee a variety of IT-related risk management and compliance activities.

The Director serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with the University’s information security policies. The Director must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode.

The Director also evaluates future security requirements, developing and recommending budget changes accordingly. This role requires the incumbent to maintain professional expertise by attending outside seminars/courses as well as through the review of published literature to remain current on industry trends and threats.

The Director will provide leadership and oversight to the broader information security team, including risk and compliance services.

Additional responsibilities include, but are not limited to:

• Manage security incidents and events to protect University IT assets, including intellectual property, regulated data and the University’s reputation.
• Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
• Manage the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
• Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.

The position can be based at either GW’s Virginia Science & Technology campus in Ashburn, VA or the Foggy Bottom campus in Washington, DC. This position may require travel between the two campuses at times. The incumbent may perform other related duties as assigned. The omission of specific duties does not preclude the supervisor from assigning duties that are logically related to the position.

Minimum Qualifications:

Qualified candidates will hold a Bachelor’s degree in an appropriate area of specialization plus 10 years of relevant professional experience, or, a Master’s degree or higher in a relevant area of study plus 8 years of relevant professional experience. Degree must be conferred by the start date of the position. Degree requirements may be substituted with an equivalent combination of education, training and experience.

Additional Required Licenses/Certifications/Posting Specific Minimum Qualifications:  
Preferred Qualifications:

· Experience interfacing, influencing, and communicating with all levels of management, customers, and industry organizations.
· Experience partnering with Human Resources, Legal, Risk Management, and other non-IT functions on processes and issues that relate to protection of critical information assets.
· Experience with assisting in the development and management of information security programs and related standards.
· Experience working with and influencing most elements of internal controls and risk architecture design, and implementing policies, processes, and standards.
· Experience with the development and management of information risk assessment processes, including vulnerability testing and monitoring.
· Experience with continuity and recovery planning and testing, auditing, risk analysis, business resumption planning, and contingency planning.
· Experience with intrusion detection and incident response procedures and solutions. Experience managing incident response professionals is preferred.
· Experience with developing security strategies for on-premises, cloud, and hybrid IT service delivery models.
· Experience with application security, specifically pertaining to understanding risks, vulnerabilities, mitigation techniques, and compensating controls. Experience managing application security professionals or penetration testers is preferred.
· Experience with formulating communication of information security, compliance, and risk standards and methodology to staff working on varied analytical, engineering, or systems integration projects.
· Experience working with outside consultants, auditors, and regulators on independent security reviews as required.
· Experience promoting information security awareness throughout the institution via training activities in coordination with other training units.
· Experience with best practices pertaining to data classification, data access controls, data stewardship, and privileged access management and monitoring.
· Experience managing and interfacing with remote workers and teams.
· Experience working in a higher education environment.