Chief Information Security Officer - Board of Supervisors (0931)

  • 1 Dr Carlton B Goodlett Pl, San Francisco, CA 94102, USA
  • Full-time
  • Fill Type: Permanent Exempt
  • Work Hours: Regular
  • Job Code and Title: 0931-Manager III

Company Description

The Board of Supervisors is the legislative branch of the City and County of San Francisco that responds to the needs of the people, establishes city policies, and adopts ordinances and resolutions.

Job Description

Appointment Type: 
Permanent Exempt (PEX), Full-Time position, not to exceed three (3) years. This position is excluded by the Charter from the competitive civil service examination process, is considered "at will", and shall serve at the discretion of the appointing officer, the Clerk of the Board of Supervisors.

Position Description: 
The 0931 Chief Information Security Officer (CISO) is dedicated to managing information security, data, technology disaster recovery, risk and technology compliance for the Legislative Branch of Government. The CISO will report directly to the Clerk of the Board, will be a member of the Clerk of the Board’s leadership team, and will be held accountable as the expert in cybersecurity. The CISO will establish and execute an information security strategy, policy, standards, architecture, processes and assessments to ensure that information assets and critical processes are adequately protected with acceptable levels of controls for the Legislative branch. The CISO will be tasked with scaling the security organization and driving the cybersecurity program to its next level of maturity for the Board of Supervisors. The CISO will partner with leaders in the Clerk’s Office, and provide day-to-day leadership and management to IT and Cybersecurity staff, technology infrastructure and IT operations – including cloud services, communications infrastructure, service desk, data warehouse, business intelligence systems, and digital services oversight and administration.

We are seeking a knowledgeable leader to provide vision, strategy, and broad-based planning, while applying hands-on responsibility. We are looking for an adaptive communicator with strong interpersonal skills who can both listen and speak at an executive level, and is comfortable making public presentations to elected officials, members of the public, community groups, the media, and other City departments, agencies, and organizations.

The BOS CISO also supports and consults with the City CISO in City-wide cybersecurity efforts, participates in the Citywide Cybersecurity Forums, and initiates, implements, and executes departmental cybersecurity measures. They will be an advocate for BOS’ information security needs and be responsible for the development and execution of a comprehensive information security strategy to optimize the security posture of BOS within the cybersecurity framework established by the City Cybersecurity Policy.

Essential duties of this position include:

  • Use a risk-based approach to provide leadership, direction and prioritization in assessing and evaluating information security risks across the organization with a high level of integrity and discretion, advising and consulting with executives on identified risks and ensuring the execution of agreed upon mitigation/remediation steps.
  • Create alignment and support for the BOS security program goals, initiatives, and strategies, effectively balancing the needs of internal and external stakeholders and informing leadership at all levels on efforts and trends impacting the overall effectiveness of the information security programs.
  • Provide leadership and direction for all information technology projects and initiatives and development of a new Five-Year IT Plan.
  • Act as an executive Cybersecurity Advisor to the Clerk of the Board and the Board of Supervisors.
  • Introduce and present project initiatives, and secure resources and funding through the Committee on Information Technology (COIT). Follow up with providing quarterly reports to COIT.
  • Promote understanding of regulatory requirements across the organization, leading and/or collaborating with cross functional teams and senior business leaders to ensure execution of required testing and auditing activities by internal and external parties leading to the successful certification and/or compliance of the organization on an on-going basis.
  • Partner with the Citywide Cybersecurity team to monitor external and emerging threats and take all appropriate courses of preventative action and communication.
  • Oversee business continuity and disaster recovery policy management to support departmental compliance with Citywide Disaster Recovery policy, training, testing, and coordination with agencies and staff for disaster planning and preparation.
  • Develop and coordinate plans for BOS incident response within the City cybersecurity incident response framework to ensure that business critical services can be maintained.
  • Participate and support data assets on premises, in coordination with third parties and in the cloud.
  • Ensure project management including processes to manage security risks.
  • Manage procurements, contracts, and vendor negotiations, ensuring ongoing contract security standards and close coordination with legal and risk management.
  • Manage the performance of project staff, including contractors and City and County employees; assigning duties and responsibilities to project personnel, including contract consultants; directing and coordinating activities of project personnel to ensure project progresses on schedule and within budget; conferring with project personnel to provide technical advice and resolve problems.
  • Develop, implement and maintain departmental policies (on a routine cadence) to support Citywide Cybersecurity policies and departmental procedures in order to ensure effective security program operations.
  • Actively represent BOS in security-related matters with the Citywide CISO and in the Citywide Cybersecurity Forum, and with City partners, internal and external customers, and industry groups.
  • Provide regular reporting on the current status of the information security program to risk teams and senior BOS leaders to support ongoing security strategy and management.
  • Stay current with industry trends and the latest information security practices and standards to ensure solutions incorporate effective use of technology.
  • Perform other duties, as assigned.

Minimum Qualifications

Possession of a baccalaureate degree from an accredited college or university, with major college coursework in management information systems, computer science, information technology, business administration or closely related field.

Six (6) years of experience in IT systems or projects that provide mission critical IT functions, the failure of which would have a major impact on the organization such as: payroll, cybersecurity, or enterprise management system. Three (3) years of this experience must include supervising staff in a technology unit.
Education Substitution:
Applicants may substitute up to two (2) years of the required education with additional qualifying experience on a year-for-year basis. One year (2,000 hours) of additional qualifying experience will be considered equivalent to 30 semester units/45 quarter units.

Experience Substitution:
Possession of a graduate degree from an accredited college or university in business, engineering, or a closely related field may substitute for one (1) year of the required non-supervisory experience.

Please Note: Applicants must meet the minimum qualification requirement by the final filing date unless otherwise noted.

Desirable Qualifications

The following desirable qualifications may be used to identify job finalists at the end of the selection process when candidates are referred for hiring. 

  • Graduate degree in business, computer science, engineering, or closely related field.
  • Managerial experience over IT systems.
  • Demonstrated Project Management experience successfully transitioning an organization or functional group from an outdated legacy system to a new application or system.
  • Professional security management certification (CISSP, CISM, CISA).
  • National Incident Management Training.
  • Experience with vendor management.
  • AXELOS ITIL (Information Technology Infrastructure Library) Certification.
  • Knowledge of cybersecurity systems and best practices.
  • Excellent verbal, written, organizational, presentation, and interpersonal communications skills.

Verification of Education and Experience:
Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. More information can be found here.

Additional Information

Application Opening: October 29, 2021
Application Deadline: Open until the position is filled. The earliest it may close is Friday, November 12, 2021.

**Application reopened for further recruitment. Applicants who have previously applied do not need to submit another application.**

Compensation: The normal annual salary range is $133,770 - $170,742

Additional Information Regarding Employment with the City and County of San Francisco:

For questions regarding this recruitment or application process, please contact the recruitment analyst, Jessica Wong, at [email protected].

Please note: All your information will be kept confidential according to EEO guidelines.

CONDITION OF EMPLOYMENT: All City and County of San Francisco employees are required to be vaccinated against COVID-19 as a condition of employment. For details on how it is applicable to your employment, please click here.

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.