Deputy CISO - #494965
Valley National Bank
Date: 10/14/2021 12:30 PM
City: Wayne, New Jersey
Contract type: Full Time
Work schedule: Full Day
The Deputy Chief Information Security Officer (CISO) will serve as the right hand to the CISO and act as a key thought leader in information security for the organization. The role will work with the CISO to establish an information security strategy for the organization that is aligned to organizational priorities, enabling business initiatives through directing the implementation and monitoring of information security solutions, standards, and policies. This role will be a key role in building consensus and bridging business, information security and technology, as well as defining, implementing, and maintaining information security frameworks, key risk indicators and programs to aid in the implementation and standardization of security practices.
Responsibilities include, but are not limited to:
Strategy & Planning
- Assist CISO in developing an information security vision and strategy that is aligned to organizational priorities enabling and facilitating the organization's business objectives, and ensuring senior stakeholder buy-in and mandate.
- Assist CISO in management and coordination of security architecture standards, along with program implementation and execution to ensure adherence to security standards and policies and provide application experience in managing vulnerabilities and incidents.
- Develop operational level roadmaps, communicate plans, and support requirements to meet frameworks; define and execute improvement plans for underperforming security areas.
- Maintain the security policy review process for timeliness and effective threat mitigation, as well as compliance with laws, regulations, and regulatory guidance.
- Support compliance improvements - furnish information relevant for audit activities, receive and direct compliance issues to appropriate resources for investigation & resolution.
- Define local-level KPIs and collect and report necessary metrics to CISO and Executive management.
- Communicate identified threat information to Division BISO and Enterprise levels.
- Support implementation and execution of the security control framework including but not limited to CIS Security Controls, NIST 800-53, FFIEC CAT.
- Direct oversight for a team of Business Information Security Officers aligned to key business areas to ensure consistent and high-quality information security management in support of business goals.
- Direct oversight for Security Architecture, including security transformation function.
- Determines information security approach and operating model in consultation with key stakeholders and aligned with risk management approach and compliance monitoring.
- Works effectively with business units to facilitate information security risk assessment and risk management processes and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite.
- Creates necessary internal networks among information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
- Builds out appropriate business engagement model and support functions.
- Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices, and guidelines.
- Liaises with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.
- Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety of ever-changing requirements resulting from laws, standards, and regulations.
- Develops and maintains a document framework of continuously up-to-date information security policies, standards, and guidelines. Oversees the approval and publication of these information security policies and practices.
- Creates a framework for roles and responsibilities regarding information ownership, classification, accountability and protection of information assets.
- Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, and increases the maturity of the information security, and reviews it with stakeholders at the executive and board levels.
- Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors, and other relevant parties to address common trends, findings, incidents, and cybersecurity risks.
- Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
- Participates in leading industry forums and consortiums to represent business interests and set standards/practices.
- A working knowledge of the following areas of technical expertise: information policy formulation, information security management, business risk management, IT risk assessment and management, IT continuity management, IT governance formulation, organizational change management, IT financial management and IT audit.
- Firm understanding of and working experience with frameworks such as NIST, ISO and FedRAMP, along with a firm grasp of security principles such as zero trust and critical security controls.
- A well-developed understanding of and appreciation for business needs and a commitment to leading the information security team in delivering high-quality, prompt, and efficient service to the business.
- Proven strategic leadership capabilities with the ability to cultivate and build collaborative working relationships with a broad range of enterprise stakeholders.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists.
- An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily understood, authoritative, and actionable manner.
- Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one.
- An ability to effectively influence others and decisions without direct authority or where no formal reporting structures exist.
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- Project management skills: financial/budget management, scheduling, and resource management.
- BA in a computer-related field and a minimum of 10 years of professional experience in running an information security function, including defining information security strategy, analyzing and applying information security risk, risk management and privacy practices, preferably in the financial or banking industry, and a minimum of 10 years of relevant work experience, including consulting and general industry experience.
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework.
- Extensive experience in strategic planning, budgeting, and allocation.
- Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment.
- Experience with contract and vendor negotiations.
- Up-to-date knowledge of methodologies and trends in information security, risk management, cybersecurity technologies, as well as business and IT.
- Master's Degree preferred.
- ISACA or GIAC certifications, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials also preferred.