Vice President Chief Information Security Officer – CISO

Reports To
The CISO reports to the CIO and leads 3 direct reports with a total staff of 15 – 25 people across; Security Operations, IT Audit, and Business Continuity.The CISO will also interface with Enterprise Emergency Team and Internal Audit.

Accountability
The Chief Information Security Officer (CISO) is responsible for leading, providing operational support and program management for the security of the CNA IT environment by following, implementing and refining security best practices and regulatory requirements.

The CISO will implement IS/IT security policies; gather, analyze and organize technical information about the security posture of CNA’s applications and infrastructure, existing security products and ongoing security initiatives; perform risk assessments, conduct analyses and prepare evaluation reports; and plan, coordinate and implement CNA’s information security policy and procedures, risk assessments and compliance support. Lead security team’s strategy and planning efforts in identifying current security and compliance requirements and recommend security solutions or actions.

The CISO will have a wide range of knowledge, will independently assess the information security posture of the organization using applicable tools, assess information network threats such as computer viruses, operate vulnerability assessment equipment in support of penetration analyses, prepare evaluation reports, and recommend remedial action.

Leadership


Serve as the IT security subject matter expert for the CNA Enterprise


Represents the security team on enterprise level project teams, at executive management meetings, and with external organizations


Ensures all documentation is sufficient for successful Board of Director approvals


Determine the acceptable level of information security risk in conjunction with senior management. Reviews and evaluates the security impact of changes to the CNA environment


Advise senior management on information security risks and appropriate course of action


Acts as liaison with IS/IT business partners to ensure full understanding of data flow, data integrity, and system security


Lead CNA’s Security Team and serve on the Business Continuity/Disaster Recovery Team, the Crisis Management Team and the Change and Configuration Management Teams


Establish and foster a culture that considers information security in day to day Insurance operations




Lead and develop a staff of 15 – 25 people


Pursues professional development opportunities, including external and internal training and professional association memberships




Programs


Establishes, documents, implements and monitors the Security, Information Assurance and Risk Remediation programs and related procedures to ensures the IT environment is operational and secure and complaint with applicable federal and state regulations


Lead the development, enforcement, and maintenance of policies, procedures, measures, and mechanisms to protect the confidentiality, integrity and availability of information and to prevent, detect, contain, and correct information security breaches by aligning information security standards and compliance with statutory and regulatory requirements


Ensures the logical and physical security and integrity of all systems and data. Ensures systems are developed, operated and maintained per company policies


Prepares, disseminates and maintains plans, instructions, policies and Standard Operating Procedures (SOPs) concerning IT security


Assesses information technology control elements to mitigate security risks regarding the confidentiality, integrity, and availability of business information


Participate in the evaluation, selection and implementation of security products and technologies


Monitoring


Conducts threats and vulnerability assessments to properly analyze the risks to information security and determines appropriate measures to effectively manage those risks


Implements and maintains Host-based and Network-based intrusion prevention systems




Manages on-going information security monitoring of systems, networks, applications, the workforce, and training programs. Monitors for and reports actual or suspected security incidents and technical vulnerabilities


Manage the investigation of security breaches or potential breaches and assist with disciplinary and legal matters associated with such breaches


Monitors and certifies users and security profiles on a periodic basis. Ensures all personnel have the appropriate security clearance, authorization and need-to-know prior to granting access to the network



Audits


Works collaboratively with the internal audit department on the planning, scope and execution of IS/IT audits


Performs, prepares and maintains IT risk assessment process and assists in the development of the annual audit plan


Oversee the development of IT audit documentation (i.e., control framework, work flows (if applicable), test plans, controls testing and preparation of compliance reports


Supports audits pertaining to the pre and post implementation of key IS/IT system and project initiatives




Reviews and maintains system audit data and provides auditing reports and system patch compliance


Goals

Emerge as a visible thought leader both internally and externally
Develop world class IT security program
Develops a security awareness program and ensures all levels of the organization receive appropriate system-specific and general security awareness training

Overview
The CISO will be a “hands-on” leader/driver with a strong background dealing with complex enterprise level security solutions issues across; the technical and non technical realms (relationship management, consulting and practice management).Further candidate must have a demonstrated success working in a matrix environment capable of functioning and adding value as a key member on the IT Leadership team.Tacitly candidate must have high quality leadership skills and a demonstrated executive presence.

The CISO must possess the skills to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. The CISO must also possess the ability to assess the likelihood and potential damage to CNA and its customers of these threats.

The successful candidate will have a minimum of 15 years of experience in progressive enterprise level IT security roles ideally within the environment of similar size and scope or Tier I Professional Services Practice focused on IT security programs.Ideally, candidate should have experience working in a matrix environment capable of developing and fostering high quality relationships with all levels of the enterprise.

Education


Minimum Bachelors Degree, Advanced degree preferred in Computer Science, Information Technology, Electrical Engineering, or related discipline Value added certifications CISSP


Demonstrated success in environment of similar size and scope ideally with the insurance, financial or professional service verticals


Experience
The ideal candidate will have the following skills and experiences. Though each of the following items is not a requirement, a compelling combination of the following is a must:


Executive presence and professional image with consultative polish – excellent communication skills. Must project an image of competence, efficiency and complete professionalism


Strong leadership skills including negotiation, influence and conflict resolution - ability to win via compromise


Ability to translate between business and technical client requirements clearly and verbally to individuals of varying backgrounds


Understanding and experience in business applications/systems and how they are planned, specified, designed, built, tested, deployed and managed


Proven project management skills to manage projects from inception to implementation - ability to apply project development methodologies, reporting techniques, and measurement techniques


Must have functional knowledge of security applications, their reporting, monitoring and tuning


Works with cross-functional, multi-disciplined team to formulate, institute, and monitor security policies and procedures


Working knowledge of security policies and procedures relating to end-user situational awareness (securing private information, user ID / password protection, etc.)


Demonstrated ability to keep company/departmental goals in clear focus


Ability to prioritize work in a logical, consistent way and attention to detail


Strong interpersonal skills and a desire to promote team accomplishment.
Experience: he CISO will be a “hands-on” leader/driver with a strong background dealing with complex enterprise level security solutions issues across; the technical and non technical realms (relationship management, consulting and practice management). Further candidate must have a demonstrated success working in a matrix environment capable of functioning and adding value as a key member on the IT Leadership team. Tacitly candidate must have high quality leadership skills and a demonstrated executive presence.
Apply to this job