Director, Information Security
Information Technology
Dallas, Texas
Summary of Responsibilities:
The Director – Information Security directs first line of defense IT Security services, consultation, leadership and subject matter expertise to SC businesses and functions on Information Security related matters. They review, design and develop security operational processes, standards, and procedures utilizing current and new technologies to improve security controls and business performance. The Director – Information Security drives strategic information security direction that is aligned with corporate business objectives and regulatory requirements.
- Staff Management – Sets organizational direction and prescribes the activities of staff in accomplishing corporate business objectives. Set priorities, provides guidance, secures resources, interfaces with peers and executive leadership, communicates at all levels. Fosters the development of Information Security management team members.
- Information Security Risk Management – Directs information security risk management processes, program and strategy. Aligns information security activities with PCI, SOX, and GLBA regulatory requirements and internal governing enterprise risk management policies. Identifies security gaps and deficiencies by conducting risk assessments; recommends corrective action for identified vulnerabilities and weaknesses. Oversees the planning, testing, tracking, remediation, and risk acceptance for identified security risks. Supervises the creation and publication of internal controls. Ensures requisite compliance monitoring is in place to identify control weaknesses, compliance breaches and operational loss events. Ensures adequate compliance resources and training, fostering a risk and compliance focused culture and optimizing relations with corporate compliance members and regulators.
- Strategy & Architecture – Creates and directs security strategy, architecture and tools in accordance with company standards, policies, procedures and other formal guidance, ensuring security technology standards and best practices are maintained across the organization.
- Process Improvement – Promotes implementation of new technology, solutions and methods to improve business processes, efficiency, effectiveness and value delivered to customers. Ensures operational, architectural and design documentation is maintained, including procedures, task lists, and architecture blueprints.
- Project Oversight – Ensures the assessment of project risk and complexity as well as project handoffs including preparing documentation, educating and supporting to ensure smooth transitions. Promotes the selection and design of tools that allow reuse of design components and patterns between projects.
- Due Diligence – Ensures enterprise due-diligence activities including security monitoring and security metrics to evaluate effectiveness of the enterprise security program and established controls.
- Incident Response – Directs security incident response activities and post-event reviews of security incidents. Ensures the clear and professional documentation of root cause and risk analysis of all findings. Reviews action plans for issue resolution. Oversees investigation and reports of security threats and incidents.
- Subject Matter Expertise – Ensures staff has sufficient skills to provide information security subject matter expertise to business areas, project teams and vendors to apply and execute appropriate use of technology solutions in efforts to examine technology vision, opportunities and challenges with regard to security standards and the impact of the technology.
- Vendor/Tool Selection – Directs the research, evaluation, proof-of-concept, selection and implementation of technology solutions. Negotiates with vendors. Provides detailed analysis of pros and cons and build-vs-buy options. This includes interaction with vendors, IT and business area contacts to facilitate flexible and scalable solutions. Ensures that the technical design considers security controls, performance, confidentiality, integrity, availability, access and total cost. Oversees working solutions or prototypes and resolves any issues that arise.
- Security Trends – Continually works to enhance breadth and depth of knowledge and experience. Benchmarks technology strategies and architectures. Monitors and anticipates trends and investigates organizational objectives and needs. Provides guidance on security solutions and prepares benchmarking reports and presentations.
- Secure Application Development – Directs the management of highly technical/analytical security assessments of custom web applications, mid-tier application services and backend mainframe applications, including manual penetration testing, source code and configuration review using a risk-based intelligence-led methodology. Identifies potential misuse scenarios. Advises on secure development practices.
- Secure Testing – Directs the management of security testing projects according to a structured process, including writing test plans, test cases and test reports. This may include oversight of the configuration and deployment of security testing software and application of results to security analysis and basic proof-of-concept exploits of vulnerabilities.
The ideal candidate will possess the following:
- Bachelor’s degree in Information Security, Information Technology, Information Systems Management, Computer Science, Engineering or related field(s) or equivalent demonstrated work experience.
- Ten (10) or more years of experience in multiple domains of Information Security
- Five (5) to seven (7) years of management experience
- 5 or more years of work experience as an Information Security Manager working on progressively complex IT projects, preferably in financial services environments.
- Strong working knowledge of:
  - Windows-based platforms, application and TCP/IP network security technologies
  - Information security concepts, principles and components of a comprehensive information security program
  - Application Security concepts, including common application security issues such as the OWASP Top 10
  - Control frameworks and control objectives
- Strong, demonstrable aptitude for and interest in information and application security
Work Environment Characteristics
- Self-motivated and results-oriented, including ability to prioritize conflicting demands.
- Exceptional organizational skills to balance work and lead projects.
- Demonstrable leadership and interpersonal skills with experience in mentoring team members
- Strong initiative, consensus-building and ability to collaborate directly and build strong relationships with a variety of internal and external stakeholders (business, development, compliance, etc.)
- Strong written communication (writing sample may be requested) and professional verbal communication skills, experienced facilitator and presenter
- Ability to adapt and apply information to new scenarios and technologies.
Additional Preferred qualifications:
- Relevant professional certifications or working towards attainment such as: GCIH/GSEC, CISM, CISA, CISSP, CRISC
- Advanced knowledge of common web technologies, enterprise and network architecture
- Strong understanding of:
  - modern security tools and controls
  - secure development life cycle methodologies
  - programming languages or other scripting languages
  - web-based application architectures (IIS, Apache, etc.)
  - financial industry regulations such as GLBA, PCI, and SOX
  - application protocols such as MS-SQL, LDAP, and SSO
  - data protection controls
  - applied use of cryptography
- Advanced knowledge of or demonstrated experience with defense in depth, trust levels, privileges and permissions
- Advanced knowledge of or demonstrated experience in application penetration testing
- Advanced knowledge of, and demonstrated development experience on, mainframe and Unix platforms
- Large complex multi-national Financial Services industry related experience
Major Challenges and Role Context:
- Fast paced environment requiring execution of multiple simultaneous deliverables.
- Indirect reporting structure with conflicting deliverables and timelines.
- Influence stakeholder compliance with regulatory standards while managing deadlines
- Dallas based position (with limited telecommuting).
- Minimal travel required (<15%), domestic
- Support 6500+ users across North America.
- Extended working hours may be required as dictated by management and business needs.
- May be required to lift, push, or pull materials weighing up to twenty (20) pounds.
- May be required to sit and review information on a computer screen for long periods of time.
- May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.
This job description does not list all the duties of the job. You may be asked by your supervisors or managers to perform other duties. You will be evaluated in part based upon your performance of the tasks listed in this job description.
The employer has the right to revise this job description at any time. This job description is not a contract for employment, and either you or the employer may terminate employment at any time, for any reason.