Head of IT Security & Infrastructure
Company: Ontario 407
Location: Woodbridge, ON L4H 1A1
Description:
Role: Head, IT Infrastructure & Security
Department: Information Technology
Location: 6300 Steeles West, Woodbridge
Highway 407 ETR is an all-electronic open-access toll highway located in the Greater Toronto Area in Ontario, Canada. The highway spans 108 kilometers from Burlington in the west to Pickering in the east.
407 International Inc. is the sole shareholder of 407 ETR and is owned by:
- Canada Pension Plan Investment Board (CPP Investments) through indirectly-owned subsidiaries (50.01%);
- Cintra Global S.E., which is a wholly-owned subsidiary of Ferrovial S.A. (43.23%); and
- AtkinsRéalis, formerly known as SNC-Lavalin (6.76%).
Learn more at 407etr.com
407 ETR's Information Technology division is responsible for the infrastructure and software to enable the efficient operation of the highway, including toll capture, account management, financials, and data storage/analytics, as well as customer services including call-center, web, IVR and supporting workflows.
Position Summary:
Reporting to the CIO, the Head, IT Infrastructure & Security oversees the design, implementation, and maintenance of the organization's IT infrastructure while prioritizing robust security measures. The role ensures the confidentiality, integrity, and availability of data by leading a team that manages network systems, servers, storage, and security controls, aligning technology with business objectives and mitigating cyber risks across the enterprise.
Duties and Responsibilities:
- Develop and execute a comprehensive IT infrastructure and security strategy aligned with business goals, including cloud adoption, data center optimization, and security architecture roadmaps
- Oversee the design, deployment, and maintenance of IT infrastructure components such as servers, networks, storage systems, and data centers, ensuring high availability and performance
- Develop and implement an infrastructure roadmap aligned with business objectives, ensuring scalability, reliability, and cost-effectiveness
- Oversee the design, deployment, and maintenance of infrastructure solutions, adhering to industry best practices and standards
- Oversee and manage the IT Major Incident Response processes based on ITIL and ITSM frameworks
- Establish and enforce robust security policies, procedures, and standards to protect against cyber threats, including vulnerability management, incident response plans, access controls, and data encryption
- Monitor changes or advancements in emerging technologies to gain competitive advantage within the IT security domain
- Oversee the creation and management of annual operating and capital budgets for Infrastructure & IT Security groups
- Collaborate with the Corporate Security Group to establish a data security and compliance framework, chair cross-functional meetings, liaise with shareholders to develop global security best practices and reporting standards, and create metrics to measure and enhance the effectiveness of the IT security and compliance program
- Prepare and deliver security and compliance program updates and awareness sessions to an array of stakeholders including but not limited to the Board of Directors, Senior Management, Leadership, and IT Teams
- Provide strategic leadership and direction to infrastructure and security team members as well as external partners delivering IT security services. Foster a collaborative environment, set clear objectives, and drive accountability to ensure the team operates cohesively in safeguarding the organization's IT security posture
- Accountable for designing, measuring, monitoring, assessing, and enhancing system and network IT security processes and controls in conjunction with relevant stakeholders; control areas include but are not limited to security monitoring and incident response, threat intelligence, malware management, vulnerability management, identity and access management, secure development, information protection, governance and compliance, vendor risk management, and business continuity
- Oversee the IT Security Incident Response processes, coordinate security incident investigations, and represent IT on the corporate Breach Response Team
- Oversee the creation and maintenance of IT Security-related policies, standards, baselines, guidelines and procedures, ensuring alignment with designated security frameworks
- Oversee vulnerability assessments, audits, risk management activities, incident response testing, annual risk assessments, system control evaluations, and disaster recovery planning
- Collaborate closely with the Corporate Security Group, Internal Audit, and other stakeholders to ensure comprehensive auditing, coordinate IT audit activities, manage the IT risk register and remediation efforts, while maintaining accountability for the overall IT security and compliance posture
Qualifications:
- 10+ years' experience in Information Technology, Cybersecurity or Information Security environment
- College Diploma or University Degree in Computer Engineering or Computer Science required
- One or more of the following certifications required:
  - CompTIA Security+
  - GIAC Information Security Fundamentals
  - Certified Information Systems Auditor (CISA)
  - Certified Information Systems Manager (CISM)
  - Certified Information Systems Security Professional (CISSP)
- Expertise in developing strategic technical roadmaps, processes and controls based on strong knowledge of IT security supporting technologies including but not limited to next generation firewalls, vulnerability management platforms, malware management technologies, identity and access management platforms, and security event and incident management technologies
- Extensive experience with the following IT Security Frameworks required: Payment Card Industry Data Security Standards (PCI DSS), ISO 27001 / 27002, Control Objectives for Information and Related Technology (COBIT)
- Experience in designing or redesigning lean, best-practice-based IT security processes in a dynamic, fast-moving organization required
- Experience in management of Vulnerability Assessments and IT Security Audits required
- Working knowledge of software development practices and languages, including Secure Development Lifecycle practices
- Understanding of IT security and compliance-related vendor requirements, including but not limited to procurement, legal and operational considerations
- Understanding of networking, operating system, compute / storage, cloud, and application technology design and security related best practices
- Familiarity with Agile methodologies such as Lean, Scrum and Kanban preferred
- Strong ability to communicate and document clearly and effectively
- Ability to follow processes and guidelines
- Ability to work with all levels of staff
- Ability to take personal initiative and observe confidentiality
- Ability to work with internal and external vendors in a professional manner
- Ability to multi-task in a fast-paced environment
Note: At 407 ETR, we are committed to fostering a diverse, equitable, and inclusive work environment. We value the unique perspectives and backgrounds of all individuals, and we firmly believe that our individual differences make us stronger as a whole.
Our commitment to inclusion extends beyond recruitment and encompasses an inclusive workplace culture through raising awareness, ongoing training, and encouraging feedback. We aim to create a safe and supportive environment where all employees can thrive.
Accommodations for disabilities or other grounds protected by human rights legislation are available upon request for candidates taking part in all aspects of the employment selection process.