Director, Information Security

Full Time
Boston, MA
Areas of Interest: Information Systems Security Operations/Officer
Overview
This is what we're looking for: 
Secure access to information assets is critical to achieve business objectives. The Director, Information Security is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The Director, Information Security is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.
 
Lead the Organization
  • Lead the information security function across the organization to ensure consistent and high-quality information security management in support of the business goals.
  • Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of nondigital risk areas.
  • Manage the budget for the information security function, monitoring and reporting discrepancies.
Set the Strategy
  • Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
  • Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
  • Assist with the identification of non-IT managed IT services in use ("citizen IT") and apply standard controls and rigor to these services; where this is not possible, ensure that risk is reduced to the appropriate levels and ownership of this information security risk is clear.
  • Work effectively with business units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
Build the Network and Communicate the Vision
  • Provide input for the IT section of the organization's code of conduct.
  • Create the necessary internal networks within the Information Technology and line-of-business leadership, compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
  • Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
Operate the Function
  • Create a risk-based process for the assessment and mitigation of any information security risk in your ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
  • Work with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of the organization is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
  • Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
  • Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
  • Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
  • Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the organization's reputation.
  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
  • Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter.
  • Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
  • Facilitate and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.
 And these are the skills you should have:
  • Minimum of five to seven years of experience in a combination of risk management, information security, or IT security roles
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
  • Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
  • Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
  • Up-to-date knowledge of methodologies and trends in both business and IT
  • Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
  • Poise and ability to act calmly and competently in high-pressure, high-stress situations
  • Must be a critical thinker, with strong problem-solving skills
  • Knowledge and understanding of relevant legal and regulatory requirements
  • Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
  • Project management skills: financial/budget management, scheduling and resource management
  • Ability to lead and motivate colleagues to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist
  • A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital
  • Degree in business administration or a technology-related field, or equivalent work- or education-related experience
  • Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL and COBIT, as well as those from NIST, including 800-53 and the Cybersecurity Framework
  • Experience with contract and vendor negotiations
  • Excellent stakeholder management skills
  • High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
  • High degree of initiative, dependability and ability to work with little supervision while being resilient to change
  • Additional background investigations or probes may be conducted as part of the hiring process
  
 




Road Scholar

Road Scholar is a not-for-profit leader in Educational Travel for Adults
Road Scholar inspires adults to learn, discover and travel. Our learning adventures open minds to new ideas and deepen understanding of oneself and of the world’s peoples, places, cultures, history and environments. A true university of the world, not-for-profit Road Scholar’s meaningful — often transformational — educational adventures engage people for whom learning is the journey of a lifetime.
Company Industry: Leisure, Travel & Tourism
Company Type: Non Profit
Company Size: 201-500