Department: Office of the CIO
SUMMARY
The Information Security Manager is responsible for fostering a security-aware culture based on a spirit of information stewardship, not fear. The position is responsible for developing, implementing, maintaining and nurturing a comprehensive enterprise information security and IT risk management program. The program includes the development of policies and standards along with their implementation, periodic security assessments, structured incident response, threat mitigation and remediation, reporting, security tools selection, and ongoing all-employee security training.
ESSENTIAL DUTIES AND RESPONSIBILITIES
Information security and IT risk management program
- Champions security and effective risk-management of the information infrastructure across the Church organization.
- In partnership with cybersecurity vendors, works with TMC senior management to identify and quantify acceptable levels of risk for the organization, resulting in enterprise-wide policies, standards, controls, program development, and funding. Seeks approval from the CIO and the Christian Science Board of Directors for these programs and activities.
- Engages regularly with cybersecurity vendors for insights. Stays up-to-date on cybersecurity threats and trends, as well as threat prevention, mitigation and remediation, and associated technologies.
- Manages periodic security assessments including those run by third-party consultants. Reports and follows through on all recommendations and observations.
- Works with the Office of the CIO, Office of General Counsel, and Treasurer’s Office to evaluate and prioritize the remediation and mitigation of security threats.
- Identifies, evaluates, and reports on information security risks in a manner that meets the needs of TFCCS, as well as compliance and regulatory requirements.
- Accountable for successful security incident responses executed by the Church's Information Security Team and vendors.
- Evaluates and approves, from a security perspective, the use of business software tools and hardware, preferably prior to purchase, implementation, or upgrade.
- Partners with stakeholders across the organization while serving as an information security expert and resource for TFCCS management.
- Facilitates the Information Security Team meetings:
  - Drives the agenda and facilitates the meetings
  - Manages the tracking and execution of all action items
  - Reports on the status of new and ongoing security concerns and initiatives
- Accountable for ongoing TFCCS employee security awareness through training and other initiatives.
Manages the Information Security Team
- Supervises a small team of security professionals.
- Manages relationships with third-party vendors and partners critical to the information security mission.
- Develops short- and long-term goals and objectives for team members.
- Ensures proper staffing and training of the team.
- Plans and manages the annual budget.
- Accountable for successful procurement and implementation of both hardware and software managed by the Information Security Team.
- Teams with fellow OCIO managers to deliver quality services to TFCCS.
STAFF MANAGEMENT AND JOB CONTACTS
Reporting Relationships
Supervisor: Chief Information Officer
Supervises: A small staff of skilled security professionals and vendors as needed
Regular Contacts: Has regular contact with the CIO, OCIO managers and staff, Office of General Counsel staff, the Operation Services Group, and managers throughout The Mother Church and the Christian Science Publishing Society.
JOB REQUIREMENTS
Education/Experience
The position requires a bachelor's degree or equivalent. A minimum of 5 years' experience in a combination of IT risk management and information security is required. Any of the following certifications is preferred: Security+, CISM, CISSP, CCSK, CEH, or another related certification. Supervisory experience is required.
Knowledge/Skills
The position requires:
- CISSP certification, obtained within 12 months of hire
- Experience with industry standards and information security management frameworks such as ISO/IEC 27001 and NIST (e.g., the NIST Cybersecurity Framework)
- Effective communication of complex technical information to non-technical mid-level and senior management
- A selfless, team-oriented mindset that works well in a highly collaborative environment
Technology Skills
- Exposure to current threat actors' tactics, techniques, and procedures (TTPs); familiarity with the MITRE ATT&CK framework.
- Exposure to business productivity tools such as Google G Suite, Trello, Slack, and Zoom.
- Experience with Security Information and Event Management (SIEM) systems.
- Experience running or supervising vulnerability scanning tools such as Nessus or Rapid7 and interpreting their results against control baselines such as the CIS Critical Security Controls (formerly the SANS Top 20, now 18 controls in the current version) and the NIST Cybersecurity Framework (CSF).
Work Environment
This position regularly works in an office environment.
Engagement with Christian Science
Mother Church membership required. Primary class instruction preferred.
In compliance with federal law, all persons hired will be required to verify identity and eligibility to work in the United States and to complete the required employment eligibility verification document form upon hire.