Chief Information Security Officer
The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.
The CISO will be a visionary leader comfortable with an agile, fast-moving workplace with a working knowledge of cybersecurity technologies covering the global enterprise network as well as the broader digital ecosystem. The CISO will work with business and IT leaders to define, publish, and govern policies and standards for information risk and security. He or she will also understand IT and implement, oversee, and run cybersecurity, risk management, policies, disaster recovery/business continuity programs, identity and access management, and compliance activities related to IT to ensure the achievement of business outcomes.
The CISO must be knowledgeable about both internal and external business environments, and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. He or she should be well aware of the operational compliance and regulatory requirements applicable to the firm including ISO 27002, NIST, NAIC, state regulations, etc.
- Establish governance: Work with PMO to ensure that information security requirements and checkpoints are included in projects. Work with procurement and vendor management to ensure information security requirements are included in contracts. Work with architecture to ensure security requirements are included in architectures and designs.
- Establish and manage an information security awareness training program for the enterprise.
- Lead the daily operation of the IT security function. Manage the associated staff and budgets.
- Develop and maintain an information security vision and strategy aligned to organizational priorities and relevant regulatory inputs; drive projects that implement and further the strategy or respond to regulatory needs. Ensure the implementation of up-to-date practices and technologies to minimize the risk of cyber-attacks, data loss, reputational impacts, etc.
- Develop and maintain an up-to-date security management framework based upon a standard framework in the industry. Develop and maintain a document repository of security policies, standards, and guidelines, overseeing the approval, publication, and governance of the same.
- Facilitate a metrics and reporting framework to measure the effectiveness of the IT security program, including assessing threats, gaps, and other risks. Report to the board and senior leadership.
- Develop, maintain, and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals. Ensure adequate testing of these programs takes place periodically.
- Oversee the execution of security audits, risk assessments, penetration tests, red/blue exercises, DR/BCP tests, vulnerability assessments, and continuous improvement programs.
- Implement and oversee security monitoring and threat assessment programs.
- Participate in M&A activities to evaluate IT risk and security at companies targeted for acquisition.
- Develop processes to handle security incidents and trigger investigations; oversee investigation of security breaches and participate in reporting of same.
- Minimum of 7-10 years of experience in IT Security roles including risk management, information security, cybersecurity, etc. with at least 5 in a senior leadership role.
- Excellent oral and written communication skills, interpersonal and collaborative skills, with the ability to communicate information security and risk-related concepts to technical and non-technical audiences at all levels.
- Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies.
- Proven track record and experience in developing information security policies and procedures.
- Knowledge and understanding of relevant legal, compliance, and regulatory requirements a global insurance company must adhere to, including SOX, HIPAA, PCI, GDPR, etc.
- Ability to lead and motivate the information security function to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist.
- High degree of initiative, dependability, and ability to work with little supervision while being resilient to change.
- Knowledge of common information security management frameworks such as ISO/IEC 27001, ITIL, COBIT, NIST, etc.
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work in an agile, demanding, dynamic environment and meet overall objectives.