Job Summary:
The Director of Information Security with EdgeCo Holdings, reporting to the company’s Chief Information Officer, is a critical role, responsible for establishing, implementing, monitoring and enforcing a corporate-wide information security management program to ensure that information assets are protected. This position is responsible for proactively identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the company.
Location: Hybrid to the company headquarters in Pittsburgh, PA
Supervisory Responsibilities:
Manage all teams, employees, contractors and vendors involved in IT security.
Provide training and mentoring to security team members.
Identify individual and team skill gaps, developmental areas, and opportunities (e.g., training, special assignments, projects) to advance individual and team capability.
Coordinate audit activities with technology teams across the enterprise.
Duties/Responsibilities:
Information Security Program Leadership
Responsible for the strategic leadership of the information security program.
Develop, implement and monitor a strategic, comprehensive enterprise information security program to ensure that the integrity, confidentiality and availability of information that is owned, controlled or processed by the organization is maintained.
Lead the cybersecurity compliance activities that enable the business to become and remain compliant with various regulatory programs, including FINRA, SEC, and CCPA.
Facilitate information security governance through the implementation of a governance program.
Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create a roadmap for continual program improvements.
Provide regular and consistent reporting on the current status of the information security program to senior business leaders.
Lead the corporate Information Security Task Force consisting of senior leadership throughout the organization.
Develop and enhance an information security management and control framework based on appropriate information security industry standards to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
Risk Management and Incident Response
Keep abreast of security incidents and act as primary control point during significant information security incidents.
Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company’s reputation.
Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address findings.
Develop, implement, and administer technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and appropriate policies.
Create a framework for roles and responsibilities regarding information ownership, classification, accountability, and protection.
Examine impacts of new technologies on the company’s overall information security.
Establish processes to review implementation of new technologies to ensure security compliance.
Policy, Compliance, and Audit
Develop, maintain, and publish up-to-date information security policies, standards and guidelines.
Oversee the approval, training, and dissemination of security policies and practices.
Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the information technology systems.
Work with Internal Audit and outside consultants as appropriate on required security assessments and audits.
Ensure that security programs follow relevant laws, regulations and policies to minimize risk and audit findings.
Provide guidance, evaluation, and advocacy on audit responses.
Outreach, Education and Training
Create education and awareness programs and advise departments on all levels on security issues, best practices, and vulnerabilities.
Pursue security initiatives to address unique needs in protecting against identity theft, securing mobile and social media use, and supporting the online reputation program.
Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
Coordinate information security projects with resources from IT and business unit teams.
Skills & Experience:
Degree in business administration or a technology-related field required.
Professional security management certification.
8 to 12 years of demonstrated experience in a combination of risk management, information security and IT jobs.
Knowledge of common information security management frameworks, such as ISO/IEC 27001 and NIST.
Strong, executive-level oral and written communication skills, with the ability to understand technology sufficiently to communicate its complexity in simple terms for key stakeholders.
Innovative thinking and leadership with an ability to lead and motivate cross-functional, interdisciplinary teams.
Proven ability to work with competing resources and budget limitations, and strong conflict management skills.
Experience with contract and vendor negotiations and management including managed services.
Ability to work independently.