Director of Cybersecurity (CISO - Chief Information Security Officer)

  • Full-time

Company Description

insightsoftware is a leading provider of reporting, analytics, and performance management solutions. Over 30,000 organizations worldwide rely on us to support business needs in the areas of accounting, finance, operations, supply chain, tax, budgeting, planning, HR, and disclosure management. We enable the Office of the CFO to connect to and make sense of their data in real time so they can proactively drive greater financial intelligence across their organization. Our best-in-class solutions provide customers with increased productivity, visibility, accuracy, and compliance. Learn more at insightsoftware.com.

Job Description

Overview

The Director of Cybersecurity & Chief Information Security Officer (CISO) will be responsible for the enterprise information security program. That will involve identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization. He or she will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. The CISO should understand and articulate the impact of cybersecurity on (digital) business, and be able to communicate this to the executive team and other senior stakeholders.

He or she serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements.

The ideal candidate is a thought leader, a builder of consensus and of bridges between business and technology. He or she is an integrator of people, process and technology. While the CISO is the leader of the information security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the organization to deliver on its business goals and objectives. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of information security and/or risk management, with 7 to 10 years of relevant experience, including 5 years in a significant leadership role. This role will report into the Chief Information Officer and lead a team of 7+ direct reports.

Tasks and Responsibilities

Establish Governance and Build Knowledge

  • Facilitates an information security governance structure through the implementation of a hierarchical governance program
  • Provides regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the executive team as part of a strategic enterprise risk management program, thus supporting business outcomes
  • Develops, socializes and coordinates approval and implementation of security policies
  • Works with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations
  • Directs the information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences
  • Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
  • Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
  • Leads the security champion program to mobilize employees in key roles

Lead the Organization

  • Leads the information security function across the company to ensure consistent and high-quality information security management in support of the business goals
  • Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
  • Manages the budget for the information security function, monitoring and reporting discrepancies
  • Manages the cost-efficient information security organization, consisting of direct reports and dotted line reports (such as individuals in DevOps, Engineering, and IT operations). This includes hiring, training, staff development, performance management and regular performance reviews

Set the Strategy

  • Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate
  • Works effectively with business units to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite

Develop the Frameworks

  • Develops and enhances an up-to-date information security management framework based on ISO 27001
  • Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices
  • Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets
  • Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, and increases the maturity of the information security, and reviews it with stakeholders

Build the Network and Communicate the Vision

  • Provides input for the IT section of the company's code of conduct
  • Creates the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required
  • Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
  • Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
  • Liaises with the DevOps, Engineering, and IT architecture teams to build alignment between the security and enterprise architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design

Operate the Function

  • Creates a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
  • Works with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
  • Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable
  • Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
  • Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
  • Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
  • Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
  • Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem
  • Manages the SOC2, ISO27001, and other security related audit cycles
  • Support the sales cycle by ensuring security questionnaires are answered timely, and working directly with current and potential customers to ensure their security concerns are addressed

Qualifications

A successful candidate will have the expertise and skills described below.

Education, Training and Previous Experience

  • Demonstrated experience and success in senior leadership roles in risk management, information security, and IT security
  • 4 year degree, preferring in business administration or a technology-related field

Desired, but not required:

  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials
  • Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment
  • Experience with contract and vendor negotiations
  • Experience in a highly M&A focused environment

Technical and Business Experience

  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
  • Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
  • Up-to-date knowledge of methodologies and trends in both business and IT

Knowledge and Skills

  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
  • Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
  • Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist
  • Excellent stakeholder management skills
  • Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
  • Project management skills: financial/budget management, scheduling and resource management
  • A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital

Additional Information

All your information will be kept confidential according to EEO guidelines.

** At this time insightsoftware is not able to offer sponsorship to candidates who are not eligible to work in the country where the position is located. **

insightsoftware About Us: Hear From Our Team - InsightSoftware (wistia.com)

Background checks are required for employment with insightsoftware, where permitted by country, state/province.

At insightsoftware, we are committed to equal employment opportunity regardless of race, color, ethnicity, ancestry, religion, national origin, gender, sex, gender identity or expression, sexual orientation, age, citizenship, marital or parental status, disability, veteran status, or other class protected by applicable law. We are proud to be an equal opportunity workplace.