Accomplishing the mission of the SANDBOX Cybersecurity & Information Security program requires a CISO with strong leadership skills, executive presence, security knowledge, and effective placement within the organization. The attributes of the required CISO are:
- Leadership: The CISO must provide executive leadership in developing, planning, coordinating, administering, managing, staffing and supervising all information security-related operations. The CISO must provide overall leadership to the Information Security program and its coordination with complementary programs including Corporate Continuity, Privacy, Regulatory Compliance, Corporate Security, Risk Management, Corporate Sourcing, Human Resources and Legal Counsel, as well as integrate closely with Line of Business executives.
- Executive Presence: The CISO serves as a spokesperson for the Information Security program, including presentations to the Board of Directors, addressing concerns expressed by auditors, vendors, and customers, and appearing as a featured speaker at industry and regional information security seminars, symposia, courses, etc. The CISO must have the executive presence to effectively represent the company’s position regarding information security matters and the ability to influence other company executives to achieve their business objectives in a manner consistent with the security program objectives. At the same time, the CISO must possess effective communication skills and the ability to interact with personnel at all levels of the organization.
- Security Knowledge: The CISO will decide or recommend the company’s stance on numerous information security issues and, as such, must have a solid basis of security knowledge upon which to draw. The CISO must possess strong analytical and diagnostic abilities to understand and apply theoretical concepts to practical problems. The CISO must have strong information security skills derived from at least ten years’ experience in Information Technology and five to seven years of direct Information Security experience. The CISO should be a Certified Information Systems Security Professional (CISSP).
The CISO is responsible for overseeing all aspects of information security within the organization. The CISO implements and supports all of the company’s information security initiatives. The CISO acts as a focal point and resource for information security matters, taking direction from upper management and the Chief Technology Officer. The CISO investigates and recommends secure solutions that implement information security policy and standards. The CISO coordinates Corporate Information Security (CIS) activities and manages CIS staff. The CISO oversees, implements and monitors regulatory requirements and the Company’s information security posture against those requirements.
The fundamental job responsibilities of this position are:
- Leadership of Company’s Cybersecurity & Information Security program – Represent Company’s Information Security program, internally and externally, directing the focus, activities, and priorities. Work directly with senior management to identify, define and confirm the key threats to the information and financial assets of the Company.
- Direct and monitor security procedures and practices – Define roles and responsibilities regarding information security operations and review the various reports and logs available. Investigate and report on irregularities. Develop a management control program that proactively identifies threats to the organization, including conducting periodic risk assessments.
- Develop security policies and standards – Develop and enhance existing security policies to adequately reflect Company’s strategy for securing information assets. Policies will reflect business needs, changing technologies and potential threats to the organization.
- Promote security awareness – Provide information on Company’s security policies and practices to employees and company affiliates.
- Create an environment that encourages the participation of business managers, External and Internal Audit, insurance and legal staff in the Information Security program.
- Coordinate security-related activities including Corporate Continuity, Privacy, Cybersecurity Regulatory Compliance, Cyber Risk Management, Cybersecurity aspects of Corporate Sourcing and Legal Counsel. Ensure all security related tasks are completed and that adequate provisions and practices are in place.
- Ensure adequate security provisions for existing and new applications and systems – Be aware of and review the security features of new applications and systems to ensure that they meet existing security policies and standards.
- Take a leadership role in the design, development, testing, integration, implementation and maintenance of security systems that protect key information assets. Maintain configuration profiles of all systems.
- Maintain awareness of changes in industry and threats – Attend courses and seminars as required to maintain a high level of proficiency in the field of information security. Network with other industry security professionals. Develop security skill sets of the CIS staff.