Director, Information Security

The California State University
09 Jul 2024
06 Aug 2024
Employer Sector
Technology, IT & Telecoms
Contract Type
Full Time

The Division for Information Technology & Institutional Planning (IT&IP) provides innovative, strategic, and cost–appropriate technology services in collaboration with the campus community to advance the mission of the University. The Division's services are recognized as an essential resource in furthering the University's mission. The Department of IT Security & Compliance is responsible for:
  • Information Security – Works in collaboration with the campus community to protect the integrity of campus information technology infrastructure to mitigate risks and losses associated with security threats while supporting access to technology.
  • Information & Digital Compliance – An information & digital compliance program to improve the efficiency and effectiveness of the internal controls and assessment processes, monitor regulations for new or changed requirements, and coordinate with internal and external auditors to ensure compliance.
  • Business continuity (BC) and disaster recovery (DR) – Work with the University community to establish IT Disaster Recovery and Business Continuity criteria and plans;
  • Accessible Technology – Leadership, oversight, and coordination for the campus implementation of the CSU's Accessible Technology Initiative (ATI) to comply with Section 508, WCAG 2.0AA, and WAI–ARIA. It includes each of the three priority areas of ATI: web accessibility, instructional materials accessibility, and procurement.
  • Vulnerability Management, Alert Monitoring, and Response
  • Oversight for vulnerability analysis, process, and management, which includes vulnerability scanning/reporting process. Includes use of campus vulnerability, SIEM systems and log management systems. Work with CISO, security staff and IT staff to perform technical analysis of high impact vulnerabilities and coordinate/verify response with appropriate technical teams.
  • Provide Leadership for alert monitoring security tools and services, investigate, respond, and escalate as appropriate.
  • Communicate with CISO to follow incident response process, coordinate with appropriate campus security and technical teams as appropriate.
  • Participate as requested in approved campus investigations as a representative of IT Security & Compliance Department in accordance with CSU and CPP policy and procedures following accepted industry best practices/principles as well as ethics, privacy, and confidentiality.
  • Perform risk and control assessments of campus 3rd party products/service and new projects
  • Participate in contract review and negotiations for compliance with legal and policy obligations
  • Provide subject matter expertise related to information security, standards and regulatory compliance.
  • Provide recommendations for security controls and ensures remediation of any deficiencies to ensure compliance with CSU, campus policy and regulatory requirements.
  • Provide subject matter expertise for initiatives related to information security and regulatory compliance.
  • Coordinate and align security operation practices and compliance requirements through department and campus partnerships, training, and documentation.
  • Collaborate with campus IT and functional departments to assess, design, develop and implement security controls for campus systems, applications, devices, workstations, networks, for faculty staff and student environments.
  • Participate as a member of the IT change control process to assess changes for IT security impact.
  • Contribute to campus & CSU security & risk assessments, audits & reports.
Reporting & Communications
  • Build and maintains an effective evidence and metrics–based culture to measure program and process effectiveness.
  • Provide status reporting to all levels of management.
  • Maintains a broad knowledge base on the latest information security issues related to job duties.
  • Raises security risks to CISO, or other members of the IT&IP leadership as appropriate, using effective communication about impact, cause and remediation using campus incident procedures.
  • Participates in teams and contributes to the development and maintenance of a security awareness programs for the campus community
  • Participates in teams and shares knowledge with other IT&IP team members and the campus community through cross–training, presentations, etc.
  • Promotes awareness of IT&IP security and compliance working with IT and campus management. Awareness and training program that focuses on the elements of the compliance program, and seeks to ensure that all appropriate employees and management are knowledgeable of, and comply with, pertinent federal and state, and CPP policies and standards.
  • Demonstrates ongoing and self–motivated pursuit to enhance knowledge and skills (both technical and non–technical) through formal and informal trainings, conferences/events, informal learning plans, professional memberships, etc.
  • Serve as a member of the IT&IP Leadership Team and contribute to regularly scheduled management meetings.
  • Works in collaboration with other IT&IP leaders on the division's strategic planning initiatives, projects and related assignments.
  • Supports and coordinates various campus risk and security assessments as assigned.
  • Represents IT&IP in various campus committees and venues, leveraging them as additional input sources for planning and feedback.
  • Works with faculty, staff and students on cyber security initiatives and partnerships (grants, cyber fair, etc.)
  • Promote professional development of department staff through cross training, vendor/application specific conferences/courses.
  • Lead the department in the assessment and development of procedures that reflect continuous improvement.
  • Works in collaboration with other IT&IP leaders to draft and formalized CPP and IT&IP policy and procedures in a collaborative environment.
  • Ability to quickly and accurately aggregate, analyze, and review large volumes of technical and non–technical information to support simultaneous assessments for audits, compliance, vulnerabilities, risk analysis, incidents, investigations, etc.
  • Ability to analyze complex situations such as personnel, operational, technical or security issues and to develop and work with and through others to implement corrective actions and/or mitigation strategies for university–wide success.
  • Ability to interpret and evaluate data and results to develop sound conclusions and make recommendations, including new or revised guidelines, procedures, practices, and/or policy.
  • Ability to understand problems from a broad, interactive perspective and discern applicable underlying principles to conceive of and develop strategic solutions;
  • Ability to understand and interpret technical information and communicate technical information to vendors and end users with different levels of technical expertise.
  • Familiarity with IT audit, compliance or security risk assessment, policy management, or compliance programs.
  • Familiarity with regulatory requirements, standards, and guidelines such as PCI DSS, CLETS/JDIC, HIPAA, GLBA, Red Flag Rule, GDPR, FERPA, OWASP, Section 508 of the Rehabilitation Act, WCAG, WAI–ARIA, etc.
  • Familiarity with control frameworks such as MITRE ATT&CK, NIST, COBIT, ISO27001, ITIL
  • Demonstrated consultative, interpersonal, and communications skills required to work with diverse technical and non–technical audiences to develop and promote high–performing teams, partnerships, inclusivity, and transparency with others.
  • Excellent oral and written communications skills required to communicate to technical and nontechnical audiences in a team environment including experience preparing and presenting information clearly and concisely to a wide–range constituencies, including executives.
  • Demonstrated ability to offer constructive opinions and alternative solutions to a problem and be supportive of the final decision once it has been made.
  • High ethical standards and business acumen.
  • Ability to lead, motivate, manage, train, and develop technical and non–technical staff members.
  • Familiarity with professional development and progressive discipline techniques, ability to understand and interpret complex policies and related documents in accordance with CSU and CPP policy and procedures.
Preferred Qualifications
  • Master's degree in Instructional Technology, Information Technology, Computer Science, Business Administration, or related discipline.
  • Relevant IT professional certification such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or other Information Security / IT audit certification (e.g., CISA); Program Management Professional (PMP), ITIL Foundations, AWS/ Azure certifications
  • Demonstrated experience with information technology risk, security, and/or privacy within a large–scale IT organization.
  • Prior management experience within a comprehensive or large university environment, preferably a California State University campus or a University of California campus, in a technology–related environment.
  • Demonstrated experience with the full implementation of large–scale projects.
  • Demonstrated ability to work proactively and creatively in a fast–paced and ever–changing environment.
  • Ability to work collaboratively in an environment with multiple and diverse priorities, basing decisions on sound judgment and discretion for confidentiality.
  • . click apply for full job details