INFORMATION TECHNOLOGY SECURITY MANAGER
New York, USA
$110,000 – $130,000 per annum
The Information Security Manager's responsibilities span tactical, operational and strategic activities in support of the ISM program's initiatives, such as:
- Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information that is owned, controlled or processed by the organization.
- Manage the enterprise’s information security organization, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and performance reviews.
- Facilitate information security governance through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
- Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
- Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants and other service providers.
- Develop and manage information security budgets and monitor them for variances.
- Create and manage information security and risk management awareness training programs for all employees, contractors and approved system users.
- Work directly with business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
- Provide regular reporting on the current status of the information security program to enterprise risk teams and senior business leaders as part of a strategic enterprise risk management program.
- Create a framework for roles and responsibilities regarding information ownership, classification, accountability and protection.
- Develop and enhance an information security management framework based on the National Information Assurance Policy.
- Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
- Liaise with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
- Coordinate information security and risk management projects with resources from the IT organization and business unit teams.
- Ensure that security programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
- Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
- Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the agency’s reputation.
- Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
- Develop and oversee effective disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
- Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.
- Liaise between the Information Security team and the Administrative, Legal and HR management teams, as required.
- Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
- Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
- Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
- Manage security issues and incidents, and participate in problem and change management forums. Ensure timely reporting of, and adequate participation in the investigation of, ICT security incidents with Q-CERT and/or law enforcement agencies, as applicable.
- Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
- Work with IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
Architecture / Engineering Support:
- Consult with IT & Security staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
- Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
- Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyse its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
- Work with Enterprise Architecture Team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
- Develop a strong working relationship with the security engineering team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.
- Coordinate, measure and report on the technical aspects of security management.
- Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
- Manage and coordinate operational components of incident management, including detection, response and reporting.
- Maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
- Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
- Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and comply with policies and audit requirements.
- Design, coordinate and oversee security-testing procedures to verify the security of systems, networks and applications; and manage the remediation of identified risks.
Preferred Education & Qualification Requirements:
A Bachelor's degree and at least four years of full-time IT-related experience, or the equivalent combination of education and experience, is required. An MBA or M.S. in Information Security and at least two years of experience in a supervisory capacity is preferred.
- Strong leadership skills and the ability to work effectively with business managers, IT engineering and IT development and operations staff.
- Strong interpersonal skills and the ability to build strong relationships at all levels and across all business units and organisations, and understand business imperatives.
- Knowledge and understanding of relevant legal and regulatory requirements, such as the National Information Assurance Policy, the Cloud Security Policy, US legislation, etc.
- Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- Project management skills: financial/budget management, scheduling and resource management.
- Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
- A strong understanding of the business impact of security tools, technologies and policies.
- Strong leadership abilities, with the capability to develop and guide information security team members and IT operations personnel, and work with minimal supervision.
- Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project and application development teams, management and business personnel; in-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; excellent understanding of information security concepts, protocols, industry best practices and strategies.
- Experience working with legal, audit and compliance staff.
- Experience developing and maintaining policies, procedures, standards and guidelines.
- Experience with common information security management frameworks, such as International Standards Organization (ISO) 2700x, the IT Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), and NIST frameworks.
- Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies.
- Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
- Strong analytical skills to analyse security requirements and relate them to appropriate security controls.
- An understanding of operating system internals and network protocols.
- Familiarity with the principles of cryptography and cryptanalysis.
- Experience in system technology security testing (vulnerability scanning and penetration testing).
- Familiarity with application security testing (white box, black box and code review).
Candidates who hold industry certifications for information security professionals, such as those listed below, are preferred:
- Certified Information Systems Security Professional (CISSP) issued by ISC2
- Certified Cloud Security Professional (CCSP) issued by ISC2
- Certified Information Systems Auditor (CISA) issued by ISACA
- Certified Information Security Manager (CISM) issued by ISACA
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC) issued by SANS