Chief Information Security Officer Job in Cleveland, Ohio US

Chief Information Security Officer

Case Western Reserve University - Cleveland, OH

Posted: 2/25/2024 - Expires: 5/25/2024

Job ID: 270148374

Job Description

Job ID
12433

Location
Case Main Campus

Full/Part Time
Full-Time

Regular/Temporary
Regular

POSITION OBJECTIVE

As a member of the IT leadership team, the Chief Information Security Officer (CISO) provides dynamic and visionary leadership to secure our information assets and systems. The CISO reports directly to the Chief Information Officer (CIO) and collaborates with other senior executives, faculty, staff, and external stakeholders to develop and execute a strategic and comprehensive information security program that aligns with our academic and research mission and objectives.

The position requires a proven track record of leading information security initiatives in a complex and diverse environment, a deep understanding of the higher education and research landscape and its unique challenges and opportunities, and excellent analytical and communication skills. The CISO must demonstrate strong executive function and strategic planning abilities, as well as a passion for innovation and continuous improvement.

ESSENTIAL FUNCTIONS
Risk Management: Continually evaluate risks and act expeditiously in making mitigation decisions and recommendations, while considering the technology environment as well as the varying needs and viewpoints of the university community and its unique requirements. Maintain and report regularly on the university information security risk tolerance levels. Develop security plans to support information protection needs across the complete system lifecycles from design and architecture to disaster recovery and potential system retirement. (20%)
Strategy Development: Using the established security governance committees, develop and promulgate a strategic vision for information security services and support of the university and UTech missions, notably through the respective strategic plans. Assure that security initiatives address all aspects of university information technology including academic, research, and administrative efforts. (15%)
Staff Development: Develop, implement, and maintain information security technical staff. Manage, guide, and coach information security managers and leadership, ensuring that team members are properly trained and responsive to organizational and campus needs. (15%)
Security Management and Operations: Oversee and direct the university-wide technology incident management program to effectively defend the university brand from cyber, physical loss, and network-based threat sources. Use established incident response mechanisms and policies to advise university leadership on management actions in response to information security events and incidents. Train and support team members in the established methods and best practices for use of security tools and services. (15%)
Campus Leadership: Serve as a program leader for development of information security, data protection, and risk management activities in the university enterprise. As part of the CIO's Leadership Team, advise the CIO on security impact on IT operations and strategy. Serve as chair of the Information Security Committee and the Identity and Access Management Committee, and play a key leadership role in the University Compliance, Cloud Governance, PCI Compliance, and Data Governance committees. Also serve as UTech representative to the University Emergency Management Operations group and as a member of the VP UTech Cabinet, and provide invited participation on the Faculty Senate Committee on Information and Communications Technology and the IT Executive Committee. (10%)
Policy Development: Develop and maintain both IT and information security policies that promote responsible stewardship of information assets and provide practical, economical, and workable solutions to emerging policy questions. Serve as a resource for interpreting and establishing university policies with impact on IT operations and governance through the University Compliance Committee. Serve as the UTech lead on IT and security focused legislation. (10%)
Incident Management: Lead and direct complex, cross-organizational security incident response events. Direct the investigation and resolution of all incidents, develop and execute action plans, and communicate with end users or other impacted parties. Manage UTech incident communications for security, disaster recovery, business continuity, and campus emergency operations and exercises. Coordinate post-mortem follow-up activities. (10%)
Regional and National Leadership: Represent division and university in leadership roles in regional and national information security committees and professional organizations. Develop relationships with security peers at local community institutions (e.g. Northeast Ohio Cyber Consortium, hospitals, local and Federal law enforcement) where collaboration is needed, and with peer research institutions nationally through REN-ISAC and equivalent institutions. (5%)

NONESSENTIAL FUNCTIONS

Perform other duties as assigned. (

CONTACTS

Department: Moderate contact with UTech peers to set priorities, strategize vision, set policy, troubleshoot issues, plan resources and integrate the activities of the division.

University: Occasional contact with Research Administration, executive leadership, schools and deans, General Counsel, and Compliance to collaborate on establishing information security policy, evaluate and communicate needs and priorities, educate on resources and solutions, establish priorities, and communicate solutions.

External: Periodic contact and collaboration with industry peers to share practical cybersecurity defense information. Periodic contact with key vendors and contractors to consider options, negotiate contracts, and monitor fulfillment. Regular contact with peers at other universities.

Students: Limited contact with students

SUPERVISORY RESPONSIBILITY

This position leads a staff of 8 to 10. May supervise and mentor information security team members, and direct multi-disciplinary project teams of staff and vendors/contractors.

QUALIFICATIONS

Education, Experience, and Certifications: Bachelor's degree and 12+ years of progressive leadership experience OR a Master's degree (desired) and 8 to 10 years of progressive leadership experience in a dedicated information security function or responsibility (with at least 5 years of experience in an enterprise IT environment). Experience in higher education preferred. The position requires industry-standard Information Assurance certification appropriate to the position (CISSP, CISM, CISA, CCSP, SSCP, etc.).

REQUIRED SKILLS
Experience establishing and maintaining an information security governance framework and policies that ensure compliance with relevant laws, regulations, standards, and best practices.
Demonstrated ability to assess and manage the information security risks and threats facing the university and implement appropriate controls and mitigation strategies.
Ability to lead the development and implementation of an information security awareness and education program that fosters a culture of security among all members of the university community.
Demonstrated ability to oversee the design, deployment, and operation of security technologies and systems that protect the confidentiality, integrity, and availability of the university's data and infrastructure.
Experience coordinating and directing the response and recovery efforts in the event of an information security incident or breach and reporting on root cause analysis and lessons learned.
Demonstrated ability to monitor and evaluate the effectiveness and performance of the information security program and report on key metrics and indicators to the CIO and other stakeholders.
Ability to manage the information security budget and resources and ensure the optimal allocation and utilization of them.
Experience recruiting, mentoring, and developing a high-performing information security team and fostering a collaborative and inclusive work environment.
A thorough knowledge of information security principles, practices, and technologies, such as encryption, authentication, firewalls, intrusion detection and prevention, vulnerability management, incident response, and disaster recovery.
A familiarity with information security frameworks and standards, such as NIST, ISO, and COBIT, and their application in the higher education and research context.
Demonstrated knowledge of various information security and regulatory compliance standards, such as FERPA, HIPAA, FISMA, PCI, GLBA, CMMC, preferred.
A strong ability to communicate effectively and persuasively with diverse audiences, both verbally and in writing, and to translate complex technical concepts into business terms. Ability to interact with colleagues, supervisors and customers face to face.
A demonstrated ability to think strategically and creatively, and to plan and execute initiatives that support the university's vision and goals.
A proven ability to lead and influence others, and to build and maintain positive and productive relationships with internal and external partners.
A high level of integrity, ethics, and professionalism, and a commitment to the values and mission of the university.
Experience working with diverse populations and willingness to support a community commitment to diversity, equity, and inclusion.
Ability to meet consistent attendance.

WORKING CONDITIONS

Professional office setting. The position is required to be available to respond to emergency information security issues and incidents on a 24/7/365 basis. On-call status and some off-hours work effort required. The employee will be required to carry a cell phone, during and after their normal work hours, including weekends to attend to after-hours emergencies. There may be occasional pressure from demanding customers. Due to time constraints, many functions must be completed within set deadlines. Travel between various locations on campus may be required. The position requires typing on a computer keyboard and using a computer mouse and a printer.

Diversity Statement



In employment, as in education, Case Western Reserve University is committed to Equal Opportunity and Diversity. Women, veterans, members of underrepresented minority groups, and individuals with disabilities are encouraged to apply.

Reasonable Accommodations



Case Western Reserve University provides reasonable accommodations to applicants with disabilities. Applicants requiring a reasonable accommodation for any part of the application and hiring process should contact the Office of Equity at 216-368-3066 to request a reasonable accommodation. Determinations as to granting reasonable accommodations for any applicant will be made on a case-by-case basis.

Case Western Reserve University strives to maintain a diverse and inclusive work environment. All applicants are protected under Federal law from discrimination based on race, color, religion, sex, national origin, disability, age and genetics.

Job Summary

Employment Type:
Per Diem Employee
Job type:
Federal Contractor
Skill Based Partner:
No
Education Level:
Bachelor's degree
Work Days:
Mon, Tue, Wed, Thu, Fri
Job Reference Code
78414935
Salary
N/A
Licenses / Certifications:
N/A
Recommended WorkKeys®:
Applied Math: 5
Graphic Literacy: 6

Workplace Documentation: 6