Chief Information Security Officer

Recruiter
Montclair State University
Location
Montclair
Salary
Competitive
Posted
18 Jun 2024
Closes
16 Jul 2024
Employer Sector
Technology, IT & Telecoms
Contract Type
Permanent
Hours
Full Time

SUMMARY:

Reporting to the Vice President and CIO of Information Technology, the Chief Information Security Officer (CISO) is a member of the Information Technology (IT) leadership team and works closely with senior administration, academic leaders, and the campus community. The CISO is the lead advocate for the institution's information and cyber security needs and is responsible for the development and oversight of a comprehensive information security strategy intended to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction and to provide confidentiality, integrity, and availability.

As a member of the IT leadership team the CISO leads the development, implementation, and oversight of an information and cyber security program to protect campus–wide resources, facilitates information security governance, advises senior leadership on security matters and resource investments, and writes appropriate policies to manage information security risk. The CISO is responsible for recommending and coordinating the planning, implementation, enforcement, and troubleshooting activities that ensure the security and integrity of the University s overall information systems and data assets. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with University systems and campus leaders to optimize the information security posture of the University.

This position directly manages a team of information and cyber security staff and also has the authority to create ad hoc working groups among other central and distributed IT staff as needed to ensure that the University's overall computing and network policies, procedures, and infrastructure design adhere to information security best practice principles. The CISO is a visible/communicative leader on campus, and off–campus by representing Montclair to the global higher education community.

PRINCIPAL DUTIES AND RESPONSIBILITIES:

University and Program Leadership

  • Provide guidance and counsel to the CIO and key members of the University leadership team regarding information security and privacy issues, risks, mitigation strategies, and information security governance.

  • Develop a comprehensive information security program with annual and long–range security and compliance goals, metrics, reporting mechanisms, and program services.

  • Develop and lead outreach, communication, and user education efforts to promote campus–wide information and cyber security awareness.

  • Collaborate with IT leadership on incorporating information security throughout the technology life cycle, risk management, and audit compliance to provide adequate protections for campus–hosted information resources.

  • Build positive relationships and foster goodwill towards efforts to improve overall security posture.

  • Review hardware, software, and services considered for purchase or implementation by IT or other campus departments to assess potential security risks and ensure proper information security features are incorporated to address university requirements.

  • Maintain integrity and appropriate confidentiality of information security–related matters.

  • Provide supervision for team resources, as well as budget development and management as needed.

Policy, Compliance and Audit

  • Develop, implement, and oversee policies, standards and processes.

  • Serve as the University s primary point of contact in all audit, compliance, insurance, or legal matters related to information security.

  • Keep abreast of changes to the State, Federal, and industry regulations that can impact University operations such as HIPAA, PCI–DSS, EUGDPR, FERPA, Red Flags, and Gramm–Leach–Bliley. Make recommendations for changes or additions to university policies, procedures, or technology infrastructure to support compliance with these regulations from an information security perspective.

  • Create ad–hoc functional teams from among the various central and distributed IT units to research, recommend, and deploy new information security technologies or to implement changes to existing policies and procedures.

Risk Management and Incident response

  • Oversee IT security risk assessment processes. Coordinates annual or periodic information security risk assessment reviews as necessary or required for institutional auditing purposes.

  • Develop a roadmap to reduce high risks and sustain a well–controlled environment to protect information assets.

  • Oversee information security incident response, serving as incident coordinator and forming ad hoc incident response teams as necessary to respond to and recover from potential security incidents or data breaches.

  • Develop and lead new information security initiatives.

  • Communicate and coordinate with the Chief Information Officer and other campus leadership as appropriate during incident response activities. Escalate incidents, when appropriate, to the executive team for determination of information security breach and notification.

  • Coordinate contracted relationships with external security service providers for a variety of needs including digital forensics investigations, e–Discovery, or other sensitive data analysis as requested by IT management, Legal Counsel, Human Resources, or appropriate University officials.

Outreach, Education and Training

  • Provide leadership in identifying, developing, implementing, and maintaining information security awareness, as well as general and specialized training programs for the University.

  • Recruit, hire, train and mentor the Information Security staff and implement professional development plans for all members of the team as needed.

  • Oversee security operations–related activities and manage the relationship with the MDR partner (Red Canary) including monthly review of reports and vulnerability mitigation strategies in the broader landscape.

QUALIFICATIONS:

REQUIRED:

  • A Bachelor's degree from an accredited college or university in a relevant information technology field.

  • A minimum of fifteen (15) years of progressively responsible IT experience with a minimum of ten (10) years of managerial experience.

  • Professional experience designing, implementing, and/or managing information security policies, procedures, and solutions.

  • Broad knowledge of computer security issues, requirements, and trends.

  • Strong interpersonal and communication skills, plus the ability to achieve goals through influence, collaboration and cooperation.

  • Demonstrated ability to work effectively with an array of constituencies in a community that is both demographically and technologically diverse.

  • Experience providing education and training programs on security policies and practices to a range of technical and non–technical constituents.

  • Experience evaluating and providing guidance on the information security elements of software and hardware acquisitions, IT services, cloud–based solutions, mobility, and other present and emerging aspects of IT solutions and services in a complex environment.

  • Referenceable integrity and high standards of personal and professional conduct.

PREFERRED:

  • Cyber security industry certifications from an established organization such as SANS.

  • A post–baccalaureate degree or other relevant formal education.

  • Over ten years of experience in a higher education IT environment.

  • Ability to explain highly technical topics in terms that can be understood by a less technical audience.

  • Strong organizational skills and a successful track record of effective coordination, prioritization, collaboration, and project delivery.

  • An understanding of current legislation and regulations pertaining to higher education institutions (i.e. HIPAA, PCI–DSS, EUGDPR, FERPA, Red Flags, and Gramm–Leach–Bliley.)

  • Is professionally active by presenting at conferences and/or publishing/contributing to timely Information Security articles.

PROCEDURE FOR CANDIDACY

Applicants should include a resume and cover letter describing how their background, skills and education match the needs of the University. When applying, please take a moment to carefully read and follow the steps in the application instructions.