Chief Information Security Officer (CISO)
Location: Elkridge, MD/Remote
FosterThomas, a Mid-Atlantic Staffing and Recruiting Firm, is leading the search for a Chief Information Security Officer (CISO) for our Client located in Elkridge, MD, currently remote.
This Chief Information Security Officer (CISO) is a key leadership role responsible for the governance and oversight of the access, availability, and integrity of business data assets and intellectual property. The leader is responsible for ensuring the business is appropriately protected against risks associated with cyber-attacks on external and internal resources. The leader develops the enterprise information security strategy and is responsible for the security and privacy program. The leader communicates regularly with the President/CEO and executive staff and educates the workforce about threats, vulnerabilities, and risks.
The CISO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, facilities management and other groups, and will identify security initiatives and standards.
- Develops and maintains the corporate security program(s); implements and maintains industry best practices with respect to security and security controls across the organization
- Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network and cloud security architecture, network access and monitoring policies, employee education and awareness, and more
- Lead the information security team to achieve the information security strategy; proactively influence peers and senior leaders in other business units to build a strong security culture
- Balance the risk between security controls in a strongly regulated and complex IT environment against the need for fast revenue growth in a highly competitive industry
- Understand the threats against the company – who they are, how they operate, what motivates them – and how to allocate the right level of resources to counter them
- Think creatively about simple, practical, cost-effective solutions for defending the company and customers against increasingly aggressive and sophisticated cyber attackers
- Prior experience in leading security incident response efforts
- Articulate complex information security concepts to senior executives and non-technical employees clearly while accurately portraying real risks and threats to the company
- Lead operational risk management activities to enhance the value of the company and brand
- Oversee a network of security practitioners and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
- Identify protection goals, objectives and metrics consistent with corporate objectives
- Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology
- Lead, develop, and oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
- Work with outside consultants as appropriate for independent security audits
- Demonstrated ability to work under pressure and maintain composure during high-stress situations
- Experience in establishing, operating, assessing, and maintaining a FISMA/NIST compliant architecture
- Advanced understanding of security architecture, security technologies, systems design, integration of systems and networking
- Lead and/or participate in formal certification, test, and evaluation activities. Working experience in drafting, developing, and submitting Security Assessment and Authorization (SA&A) documentation, System Security Plans (SSP), Security Concept of Operations (CONOPs), Contingency Plans, Security Architectures, Risk Assessment Plans, and Plans of Action and Milestones (POA&M)
- Review and/or implement security programs in compliance with FedRAMP and HIPAA/HITECH. ISO 27001 and HITRUST experience strongly desired.
- Establish and maintain a vulnerability management program for corporate and client environments
- Assist analysts with the review of SAST, DAST, and SCA scans as needed, and provide recommendations on remediation/mitigation approaches
- Assist analysts with the review and update of Security Impact Analyses (SIA), System Security Plans (SSP), Contingency Plans (CP), Information Security Risk Assessments (ISRA), POA&Ms, and network security diagrams
- 10 years of information security experience including 5 years as an information security leader, with a demonstrated record of delivering business value
- BA or BS; MA or MS preferred
- CISSP required.
- CISM, C|CISO, CISSP-ISSMP, GSTRT, or similar security management certification preferred
- Previous experience in a CISO role is preferred
- Experience with applicable regulatory and standards frameworks (e.g., FISMA, NIST CSF, FedRAMP, ISO 2700x, HIPAA/HITECH, HITRUST, etc.)
- Advanced understanding of one or more of the following areas: Platform Security, Data Security, Network Security, Cloud Security, Physical Security, Security Assessment Tools including SAST, DAST, and SCA, Security Monitoring Tools, and Managed Security Services
- Advanced understanding of one or more of the following areas: Security Governance Standards, Business Continuity Planning, Enterprise Risk Management, Computer Security Incident Response, and Security Compliance Audits
- Previous experience preparing updates and presenting to Senior Leadership