Washington University is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, sexual orientation, gender identity or expression, national origin, genetic information, disability, or protected veteran status.
This position is full-time and works approximately 40 hours per week. Available to respond to incidents after normal hours.
Department Name/Job Location:
This position is in the Department of Information Security. This position is for the Danforth Campus. Required to travel between campuses as needed.
The Chief Information Security Officer (CISO) is responsible for developing and executing the information security strategy for the University. This includes running security operations and driving architecture directions to mitigate emerging and increasingly sophisticated attacks while strengthening Washington University’s prevent and detect capabilities.
The position requires a proven leader, capable of working in a fast-paced regulated environment across multiple divisions and disciplines.
The position reports to the University Chief Information Officer.
PRIMARY DUTIES AND RESPONSIBILITIES:
Leadership and Strategy
Lead the development and execution of the information security strategy and programs to ensure the integrity, confidentiality, and availability of information owned, controlled, or processed across the university.
Develop, execute, and manage the investment and operational financial plans associated with the information security strategy and programs.
Facilitate information security governance through the implementation of a hierarchical governance program.
Develop and implement an information security management framework that aligns with the organization, risk profile, and existing compliance initiatives and efforts.
Work directly with the major stakeholders to facilitate security risk assessment processes; align with stakeholders throughout the enterprise on identifying acceptable levels of mitigated or residual risk.
Align with the Office of Compliance, HIPAA Compliance Officer, Internal Audit, Research Compliance and General Counsel to ensure that security and privacy programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
Align with executive stakeholders on key initiatives and implement appropriate security practices.
Align with the IT partners and architecture teams to ensure inclusion of security requirements during the design, implementation, and maintenance of application and systems.
Establish annual and long-range security and compliance goals. Define security strategies, metrics, reporting mechanisms and program services. Create maturity models and a roadmap for continual program improvements.
Engage with external higher education communities and industry associations to maintain a good perspective on information security practices at peer organizations and the present threat environments challenging today’s CISOs.
Oversee the management of all security systems, services and their corresponding software and hardware, including firewalls, VPNs, intrusion detection, cryptography, content filters, and anti-malware systems.
Develop the information security organization’s talent, engaging / managing third parties as needed to ensure the required capabilities are available either internally or externally.
Policy, Compliance and Audit
Ensure Information Security Programs are in compliance with the Family Education Rights and Privacy Act (FERPA), HIPAA, HITECH and FISMA.
Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
Lead efforts to assess, evaluate and make recommendations regarding the adequacy of security controls for the university information and technology systems, and establish a process that guarantees rigorous and appropriate vetting and risk assessment.
Coordinate and track all information technology and security related examinations, audits and compliance assessments including scope, units involved, timelines, and outcomes. Work to keep focus in scope, maintain excellent relationships with these entities and provide a consistent perspective that continually puts the university in its best light.
Develop a strategy for dealing with the increasing number of examinations, audits, compliance checks and external assessment processes.
Liaise with auditors, regulators and other examiner groups.
Outreach, Education, Training and Team leadership
Provide regular reporting on the current status of the security program to Executive Leadership and the Chancellor’s office.
Align with the Office of the General Counsel to communicate published security policies, standards and guidelines.
Partner with leaders of research activities, serve on leadership committees and be a resource to others to offer solutions that proactively minimize security risk, liability, or concerns utilizing a broad and inclusive view to help the organizational activities be successful.
Pursue security initiatives to address unique needs in protecting against identity theft, securing mobile and social media use, and running the online reputation program.
Promote and develop university awareness programs, e.g., identity theft pamphlets, phishing awareness, and more.
Manage the university information security organization, consisting of direct and indirect reports. This includes hiring, training, staff development, performance management and annual performance reviews.
Motivate and lead a high performing team, utilizing effective talent management practices to attract and retain team members. Ensure growth in cybersecurity skills within the team.
Manage cybersecurity personnel dedicated to research programs with advanced data security requirements such as FISMA.
Manage relationships with third parties (vendors, suppliers, contractors, partners, etc.), external stakeholders (DHS, FBI) and others.
Risk Management and Incident Response
Monitor and understand potential threats, vulnerabilities, and control techniques affecting the organization, and advise relevant stakeholders on the appropriate courses of action.
Define and facilitate the information security risk assessment process, including the reporting and oversight of findings and remediation strategies.
Maintain awareness of security threats, breaches and incidents in the industry and beyond to proactively assess emerging threats to the WashU constituency, data, and its environment.
Oversee the Change Management Program, ensuring that all changes comply with Security and Regulatory standards and appropriately identify risk and impact to the organization.
Provide strategic direction for the Identity & Access Management program and establish standards for delivery of enterprise-wide identity and access for employees and vendors to the organization’s systems and applications.
Keep abreast of security incidents and act as primary control point during significant information security incidents. Convene a security incident response team as needed to investigate and address security incidents that arise.
Convene Ad Hoc Security Committee as appropriate and provide leadership for breach response and notification actions.
Conduct a continuous assessment of current IT security practices and systems and identify areas for improvement.
Partner with external agencies, such as law enforcement, government agencies and other advisory bodies as necessary, to ensure that the organization maintains strong security.
Perform other duties as assigned.
Bachelor’s degree in information security, engineering, telecommunications, computer science, or a closely related field.
Ten or more years in a leadership role of combined IT and security work experience, with a broad exposure to infrastructure/network, cloud, endpoint, and multiplatform environments.
Seven or more years of experience working with IT security guidelines and requirements outlined or as driven by FERPA, HIPAA, PCI-DSS, NIST, GLBA, etc.
Deep experience in leading all dimensions of Information Security in complex settings that include academic, research, medical education, and patient care activities.
Proficiency in creating security and architectural strategy spanning enterprise organizations including web-scale environments, applications, and systems such as: ecommerce, online marketing, online advertising, digital media, content management systems, content publishing systems, etc.
Overall knowledge of application and operating system hardening, vulnerability assessments, security audits, intrusion detection, data-leak protection, firewalls, networking, VPN.
Understanding of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and security attack pathologies.
Well versed in the implementation of security controls and understands key business and technological processes, implementing effective risk mitigation strategies to protect the confidentiality, integrity, and availability of information assets.
Direct experience or strong working experience managing security infrastructure — e.g., firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), endpoint protection, SIEM and log management technology.
Skilled in information security risk management, including, but not limited to, risk and gap analysis, risk evaluation and ranking, mitigation strategy recommendation, and reporting on the risk profile, and residual risk.
Demonstrated experience building credibility and working with senior University leadership together with interacting at the Board level.
Must be an intelligent, articulate, consensus building, and persuasive leader who can serve as an effective member of the senior management team and communicate information security-related concepts to a broad range of technical and non-technical team members at all levels of the organization.
Certifications to include one or more of:
Certified Chief Information Security Officer (CCISO)
GIAC Strategic Planning, Policy, and Leadership (GSTRT)
Certified Information Security Manager (CISM)
Certified Cloud Security Professional (CCSP)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Systems Security Professional (CISSP)
Certified Ethical Hacker (CEH)
Pragmatic and outcome-oriented, leveraging data to make decisions.
Exemplary planning and organizational skills, along with a high degree of detail orientation.
A hands-on and adaptable leadership style with commitment to driving results.
Highly collaborative with the ability to build trusting relationships.
Ability to analyze and resolve highly difficult problems, to integrate information from multiple sources, to utilize creative thinking, and to exercise considerable judgment and resourcefulness.
Collaborates with other teammates to provide assistance, and expertise, as well as to receive expert input and assistance from others delivering the best solution and experience for the customer.
Must be enthusiastic and committed to helping others and exhibit the ability to quickly assess the specific needs of the customer to determine an appropriate course of action.
Ability to develop and manage processes that have trans-university impacts.
Base pay commensurate with experience.
All external candidates receiving an offer for employment will be required to submit to pre-employment screening for this position. Current employees applying for a new position within the university may be subject to this requirement. The screenings will include a criminal background check and, as applicable for the position, other background checks, drug screen, employment and education or licensure/certification verification, physical examination, certain vaccinations and/or governmental registry checks. All offers are contingent upon successful completion of required screening.
Please attach a copy of your most current signed performance evaluation (completed within the last 18 months) to your online account. If you have not received a performance evaluation, you may provide two current signed letters of recommendation (written within the last 18 months), preferably to include one letter from either a current or recent former supervisor. To attach these documents, go to: My Career Tools, Add Attachment, Attachment Type – Performance Reviews or Letters of Recommendation.
Washington University in St. Louis, a medium-sized, independent university, is dedicated to challenging its faculty and students alike to seek new knowledge and greater understanding of an ever-changing, multicultural world. The University offers more than 90 programs and almost 1,500 courses leading to bachelor's, master's and doctoral degrees in a broad spectrum of traditional and interdisciplinary fields, with additional opportunities for minor concentrations and individualized programs. The faculty is composed of scholars, scientists, artists and members of the learned professions. They serve society by teaching; by adding to the store of human art, creativity, understanding, and wisdom; and by providing direct services, such as health care.