Job Summary
We are looking for a hands-on technical information security leader. This individual needs to understand the technical facets of information/cyber security, including security architecture, security engineering, risk management, governance risk & compliance, and incident response, while having the leadership and project management skills necessary to effectively manage people.
Primary responsibilities include:
- Directing outsourced IT Security to execute information security projects and activities.
- Defining security requirements including security policies, standards, plans, methodologies, and guidelines.
- Creating and executing project plans to ensure the timely execution of security projects.
- Reviewing the security of technologies, systems, networks, and applications.
Areas of Responsibility:
IT Security & Risk Management's responsibilities include a variety of activities including strategic, tactical, and operational such as:
- Strategic Support
- Security Liaison
- Security Architecture & Engineering Support
- Operational Support
Strategic Support:
- Work with the Director to develop an information security program and security projects that address identified risks and business security requirements in alignment with the risk tolerance of the organization.
- Manage the process of gathering, analyzing, and assessing information security threats.
- Partner with the Director to develop budget projections based on short- and long-term goals and objectives.
- Monitor and report on compliance with security policies and enforce security policies.
- Propose changes to existing policies and procedures to ensure the protection of Purdue systems, efficient operations, and regulatory compliance.
- Work with IT Security, IT, and business stakeholders to build metrics and reports that effectively communicate risks, progress, and areas of opportunity.
Security Liaison:
- Assist resource owners and IT staff in understanding and responding to reported security audit failures.
- Advocate information security with the organization and ensure that personnel are trained on information security best practices.
- Review the security of systems, networks, applications, and resources; identify risks; and provide security recommendations.
- Work with stakeholders to ensure that asset owners are identified, and systems are appropriately classified.
- Serve as an active and consistent participant in the information security governance process.
- Provide support and guidance for legal and regulatory compliance efforts, including audit support.
- Keep up-to-date with information security threats, risks, and vulnerabilities.
- Ensure that vulnerabilities are addressed in line with their criticality and agreed upon SLAs.
Security Architecture & Engineering Support:
- Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation, and configuration of hardware, applications, and software.
- Recommend and coordinate the implementation of technical security controls.
- Research, evaluate, design, test, recommend, and plan the implementation of technical information security controls, and analyze their impact on the existing environment.
- Direct the administration of security tools and controls.
- Work with IT to ensure that there is a convergence of business, technical, and security requirements.
- Proactively identify areas of improvement in technical security architecture and processes.
Operational Support:
- Create, develop, and execute KPIs, metrics, and reports.
- Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
- Manage the day-to-day activities of threat and vulnerability management & risk management including the recommended treatment plans, status, and residual risks.
- Manage security projects and provide expert guidance on security matters.
- Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing, and maintenance of these disaster recovery plans.
- Ensure audit trails, system logs, and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
- Design, coordinate, and oversee security testing procedures to verify the security of systems, networks, and applications, and manage the remediation of identified risks.
Education and Experience Requirements:
- BS / MS / Equivalent Training and 8+ years of relevant experience.
- Experience managing a small team and outsourced IT personnel.
- Strong hands-on technical system and network security skills.
- Experience with information security governance, risk, and compliance.
- Professional certification, such as CISM or CISSP, is preferred.
Necessary Knowledge, Skills, and Abilities:
IT Security & Risk Management must have the following:
- Experience reviewing security architecture and defining security requirements.
- Management skills including experience managing outsourced personnel.
- Experience developing and maintaining policies, procedures, standards, and guidelines.
- Experience with common information security management frameworks, such as ISO 27001 and NIST.
- Familiarity with applicable legal and regulatory requirements, including, but not limited to, SOX, HIPAA, GDPR, and CCPA.
- Strong project management skills and experience in creating and managing project plans.
- Proficiency in performing risk, business impact, control, and vulnerability assessments, and in defining treatment strategies.
- Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
- Ability to communicate with technical and non-technical stakeholders at all levels.
- Strong written and verbal communication skills.
Please include the skill matrix below at the top of your resume.
Skill Matrix

| Security Domain | Rating (1-5) (1 = Novice, 5 = Expert) |
| --- | --- |
| Security Architecture | |
| Security Engineering | |
| System Security | |
| Network Security | |
| Application Security | |
| DevSecOps (nice to have) | |
| Access Controls | |
| Risk Management | |
| Policy & Compliance | |
| Incident Response | |
| Digital Forensics (nice to have) | |
| Firewalls | |
| IPS/IDS | |
| SIEM | |
| Vulnerability Management Systems | |
| Microsoft Windows | |
| Linux | |
| Azure or AWS | |

| General Skills | Rating (1-5) (1 = Novice, 5 = Expert) |
| --- | --- |
| Project Management | |
| Matrixed Resource Management | |
| Scripting (nice to have) | |
| Programming (nice to have) | |
Manager's note:
- Looking for a technical person with management as well as technical skills
- Some People Management
- IT Security Architecture and Solutions