VP Information Security & Chief Information Security Officer in Chicago, IL
Vice President Chief Information Security Officer – CISO
Reports To
The CISO reports to the CIO and leads 3 direct reports with a total staff of 15 – 25 people across Security Operations, IT Audit, and Business Continuity. The CISO will also interface with the Enterprise Emergency Team and Internal Audit.
Accountability
The Chief Information Security Officer (CISO) is responsible for leading, providing operational support and program management for the security of the CNA IT environment by following, implementing and refining security best practices and regulatory requirements.
The CISO will implement IS/IT security policies; gather, analyze and organize technical information about the security posture of CNA’s applications and infrastructure, existing security products and ongoing security initiatives; perform risk assessments, conduct analyses and prepare evaluation reports; and plan, coordinate and implement CNA’s information security policy and procedures, risk assessments and compliance support. The CISO leads the security team’s strategy and planning efforts in identifying current security and compliance requirements and recommends security solutions or actions.
The CISO will have a wide range of knowledge, will independently assess the information security posture of the organization using applicable tools, assess information network threats such as computer viruses, operate vulnerability assessment equipment in support of penetration analyses, prepare evaluation reports, and recommend remedial action.
Leadership
Serve as the IT security subject matter expert for the CNA Enterprise
Represents the security team on enterprise level project teams, at executive management meetings, and with external organizations
Ensures all documentation is sufficient for successful Board of Director approvals
Determines the acceptable level of information security risk in conjunction with senior management. Reviews and evaluates the security impact of changes to the CNA environment
Advise senior management on information security risks and appropriate course of action
Acts as liaison with IS/IT business partners to ensure full understanding of data flow, data integrity, and system security
Lead CNA’s Security Team and serve on the Business Continuity/Disaster Recovery Team, the Crisis Management Team and the Change and Configuration Management Teams
Establish and foster a culture that considers information security in day-to-day insurance operations
Lead and develop a staff of 15 – 25 people
Pursues professional development opportunities, including external and internal training and professional association memberships
Programs
Establishes, documents, implements and monitors the Security, Information Assurance and Risk Remediation programs and related procedures to ensure the IT environment is operational, secure and compliant with applicable federal and state regulations
Lead the development, enforcement, and maintenance of policies, procedures, measures, and mechanisms to protect the confidentiality, integrity and availability of information and to prevent, detect, contain, and correct information security breaches by aligning information security standards and compliance with statutory and regulatory requirements
Ensures the logical and physical security and integrity of all systems and data. Ensures systems are developed, operated and maintained per company policies
Prepares, disseminates and maintains plans, instructions, policies and Standard Operating Procedures (SOPs) concerning IT security
Assesses information technology control elements to mitigate security risks regarding the confidentiality, integrity, and availability of business information
Participate in the evaluation, selection and implementation of security products and technologies
Monitoring
Conducts threat and vulnerability assessments to properly analyze the risks to information security and determines appropriate measures to effectively manage those risks
Implements and maintains Host-based and Network-based intrusion prevention systems
Manages on-going information security monitoring of systems, networks, applications, the workforce, and training programs. Monitors for and reports actual or suspected security incidents and technical vulnerabilities
Manage the investigation of security breaches or potential breaches and assist with disciplinary and legal matters associated with such breaches
Monitors and certifies users and security profiles on a periodic basis. Ensures all personnel have the appropriate security clearance, authorization and need-to-know prior to granting access to the network
Audits
Works collaboratively with the internal audit department on the planning, scope and execution of IS/IT audits
Performs, prepares and maintains IT risk assessment process and assists in the development of the annual audit plan
Oversee the development of IT audit documentation (i.e., control framework, work flows (if applicable), test plans, controls testing and preparation of compliance reports)
Supports audits pertaining to the pre and post implementation of key IS/IT system and project initiatives
Reviews and maintains system audit data and provides auditing reports and system patch compliance
Goals
Emerge as a visible thought leader both internally and externally
Develop world class IT security program
Develops a security awareness program and ensures all levels of the organization receive appropriate system-specific and general security awareness training
Overview
The CISO will be a “hands-on” leader/driver with a strong background dealing with complex enterprise-level security solution issues across the technical and non-technical realms (relationship management, consulting and practice management). Further, the candidate must have demonstrated success working in a matrix environment and be capable of functioning and adding value as a key member of the IT Leadership team. In addition, the candidate must have high-quality leadership skills and a demonstrated executive presence.
The CISO must possess the skills to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. The CISO must also possess the ability to assess the likelihood and potential damage to CNA and its customers of these threats.
The successful candidate will have a minimum of 15 years of experience in progressive enterprise-level IT security roles, ideally within an environment of similar size and scope or a Tier I Professional Services Practice focused on IT security programs. Ideally, the candidate should have experience working in a matrix environment and be capable of developing and fostering high-quality relationships with all levels of the enterprise.
Education
Minimum Bachelor’s degree; advanced degree preferred in Computer Science, Information Technology, Electrical Engineering, or a related discipline. Value-added certifications: CISSP
Demonstrated success in an environment of similar size and scope, ideally within the insurance, financial or professional services verticals
Experience
The ideal candidate will have the following skills and experiences. Though each of the following items is not a requirement, a compelling combination of the following is a must:
Executive presence and professional image with consultative polish – excellent communication skills. Must project an image of competence, efficiency and complete professionalism
Strong leadership skills including negotiation, influence and conflict resolution - ability to win via compromise
Ability to translate between business and technical client requirements clearly and verbally to individuals of varying backgrounds
Understanding and experience in business applications/systems and how they are planned, specified, designed, built, tested, deployed and managed
Proven project management skills to manage projects from inception to implementation - ability to apply project development methodologies, reporting techniques, and measurement techniques
Must have functional knowledge of security applications, their reporting, monitoring and tuning
Works with cross-functional, multi-disciplined team to formulate, institute, and monitor security policies and procedures
Working knowledge of security policies and procedures relating to end-user situational awareness (securing private information, user ID / password protection, etc.)
Demonstrated ability to keep company/departmental goals in clear focus
Ability to prioritize work in a logical, consistent way and attention to detail
Strong interpersonal skills and a desire to promote team accomplishment.