Chief Information Security Officer

Description:

Chief Information Security Officer (CISO) is a member of the Information Technology (IT) leadership team and works closely with senior administration, academic leaders, and the campus community. The CISO is the lead advocate for the institution's information and cyber security needs and is responsible for the development and oversight of a comprehensive information security strategy intended to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction and to provide confidentiality, integrity, and availability.

As a member of the IT leadership team, the CISO leads the development, implementation, and oversight of an information and cyber security program to protect campus-wide resources, facilitates information security governance, advises senior leadership on security matters and resource investments, and writes appropriate policies to manage information security risk. The CISO is responsible for recommending and coordinating the planning, implementation, enforcement, and troubleshooting activities that ensure the security and integrity of the University’s overall information systems and data assets. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with University systems and campus leaders to optimize the information security posture of the University.

This position directly manages a team of information and cybersecurity staff and also has authority to create ad hoc working groups among other central and distributed IT staff as needed to ensure that the University's overall computing and network policies, procedures, and infrastructure design adhere to information security best practice principles. The CISO is a visible/communicative leader on campus and off-campus by representing Montclair to the global higher education community.

Principal Duties And Responsibilities

University and Program Leadership:

Provide guidance and counsel to the CIO and key members of the University leadership team regarding information security and privacy issues, risks, mitigation strategies, and information security governance.
Develop a comprehensive information security program with annual and long-range security and compliance goals, metrics, reporting mechanisms, and program services.
Develop and lead outreach, communication, and user education efforts to promote campus-wide information and cybersecurity awareness.
Collaborate with IT leadership on incorporating information security throughout the technology life cycle, risk management, and audit compliance to provide adequate protection for campus hosted information resources.
Build positive relationships and foster goodwill towards efforts to improve overall security posture.
Review hardware, software, and services being considered for purchase or implementation by IT or other campus departments to assess potential security risks and ensure proper information security features are incorporated to address university requirements.
Maintain integrity and appropriate confidentiality of information security related matters.
Provide supervision for team resources, as well as budget development and management as needed.

Policy, Compliance And Audit

Develop, implement and oversee policies, standards and processes.
Serve as the University’s primary point of contact in all audit, compliance, insurance, or legal matters related to information security.
Keep abreast of changes to the State, Federal, and industry regulations that can impact University operations such as HIPAA, PCI-DSS, EUGDPR, FERPA, Red Flags, and Gramm-Leach-Bliley. Make recommendations for changes or additions to university policies, procedures, or technology infrastructure to support compliance with these regulations from an information security perspective.
Create ad-hoc functional teams from among the various central and distributed IT units to research, recommend, and deploy new information security technologies or to implement changes to existing policies and procedures.

Risk Management And Incident Response

Oversee IT security risk assessment processes. Coordinates annual or periodic information security risk assessment reviews as necessary or required for institutional auditing purposes.
Develop a roadmap to reduce high risks and sustain a well-controlled environment to protect information assets.
Oversee information security incident response, serving as incident coordinator and forming ad hoc incident response teams as necessary to respond to and recover from potential security incidents or data breaches.
Develop and lead new information security initiatives.
Communicate and coordinate with the Chief Information Officer and other campus leadership as appropriate during incident response activities. Escalate incidents, when appropriate, to executive team for determination of information security breach and notification.
Coordinate contracted relationships with external security service providers for a variety of needs including digital forensics investigations, e-Discovery, or other sensitive data analysis as requested by IT management, Legal Counsel, Human Resources, or appropriate University officials.

Outreach, Education And Training

Provide leadership in identifying, developing, implementing and maintaining information security awareness, as well as general and specialized training programs for the University.
Recruit, hire, train and mentor the Information Security staff and implement professional development plans for all members of the team as needed.
Oversee security operations related activities and manage the relationship with the MDR partner (Red Canary) including monthly review of reports and vulnerability mitigation strategies in the broader landscape.

Qualifications

REQUIRED: 

A Bachelor's degree from an accredited college or university.
Cyber security industry certifications from an established organization, such as SANS.
A minimum of ten (10) years of progressively responsible IT experience