Chief Information Security Officer

Company: CERES Group

Location: Boston, MA 02115

Description:

Reporting to the Global Chief Technology Officer, the Chief Information Security Officer (formerly known as the Global Security Officer) develops and maintains enterprise security and risk policies, oversees vendor management activities, and influences user behavior. The CISO is responsible for managing risks relating to information security, privacy, and technology compliance. The CISO directs the adoption and implementation of security & privacy policies, security technology and information risk procedures across all global entities.

This position has global responsibilities.

ESSENTIAL RESPONSIBILITIES:

Risk Management

  • Responsible for the development and oversight of the company's information security and risk management methodologies, strategy, policies, awareness programs and security goals and metrics;
  • Works with executives and senior management to identify, define and confirm the key threats to the firm's information assets, internally and externally.
  • Understands key business processes, systems, applications and the latest information security techniques across multiple platforms and environments. Acts as trusted advisor to senior management, infrastructure and development teams, risk assessment staff, auditors, facilities and security departments, and other personnel to identify and plan data security for data, software applications, hardware, telecommunications, and computer installations.
  • Works with the Internal Audit to ensure that all policies and procedures are effectively implemented.

Secondary Operations and Reporting

  • Responsible for Security Operations including threat prevention, detection and incident response strategy to include a formalized incident response process, declaring security incidents, coordinating and assisting in the investigation of potential incidents, assisting in the recovery from attacks, coordinating with legal, compliance and other stakeholders, law enforcement agencies (where applicable), and developing the post-response control strategy. Serves as the liaison to executive management, human resources, legal, compliance departments and other resources as directed by the CTO.
  • Ensures that ongoing monitoring for information security controls is in place and develops action plans, schedules, status reports, budget and other management communications necessary to address gaps in security protocols or systems and recommends appropriate solutions to executive management.
  • Develops a management control program that proactively identifies threats to the organization, conducts periodic risk assessment and information security reviews, and formulates the management response to audit and/or regulatory information security findings.
  • Coordinates, documents, and reports on internal investigations of possible security violations.
  • Works with law enforcement and legal representatives in investigations of possible security violations.

Security Awareness and Training

  • Develops security awareness procedures and training and ensures communication and compliance globally.

Compliance and Audits

  • Responsible for the assessment of security posture and for ensuring that global programs and policies comply with local governmental and industry regulatory standards, including but not limited to GLBA, EU DPD, L262, Mass 201 CMR 17, SOX and HIPAA.
  • Develops and submits regular reports to the PGAM Global Audit and Operating Committees to keep them apprised of the overall security of the firm's information assets as required by various regulatory entities and bodies, such as Law 262, GLBA, and EU Data Protection Directive.
  • Coordinates the review and measurement of relevant security system logs and messages to identify and report on possible violations of security.

Security Architecture

  • Co-ordinates cross-discipline IT teams to design, implement, test and operate critical network and security related systems furthering global defense in depth strategies.
  • Defines security requirements in the procurement/retirement and/or development/deployment of hardware, software and application systems. Analyzes, selects, recommends, and coordinates installation of information security technology with all relevant stakeholders.
  • Develops and implements tests of computer systems to monitor effectiveness of security through penetration and vulnerability assessments.
  • Co-ordinates with Global Infrastructure Head on Identity Management strategies across the enterprise and on the Portfolio Project Delivery Lifecycle.

Business Enablement

  • Works within the 3rd party Framework with relevant stakeholders to ensure that all new technology-related projects are reviewed for adequate security prior to implementation including Cloud Computing, SaaS Strategies, Mobile Technologies, BCP \ DR Processes and M&A activities.

SECONDARY DUTIES

  • Creates an environment that encourages the participation of business managers, audit, insurance and legal staff in the Information Security Program. This involves being the focal point of contact for all departments and being actively involved in assisting with their information security needs.
  • Assists the business units in implementing policies and standards to ensure that effective controls are in place. Leads the design, development, testing, integration, implementation and maintenance of security systems that protect key information assets.
  • Works with department managers to conduct internal risk assessments, and to help develop action plans for dealing with security weaknesses.

SUPERVISORY RESPONSIBILITIES

Resource Management

  • Manages 2 to 4 subordinate managers and/or supervisors who supervise employees in Information Security. Carries out supervisory responsibilities in accordance with the organization's policies and applicable laws; responsibilities include interviewing, hiring, and training employees; planning, assigning, and directing work; appraising performance; rewarding and disciplining employees; addressing complaints and resolving problems.
  • Responsible for Return on Security Investment decisions through proactive reporting on defense strategies. Develops business cases for future Security Portfolio investments.

REQUIREMENTS:

Education and Experience

  • Bachelor's or Master's degree in computer science, management information systems, business administration or a related discipline;
  • and/or at least twelve years of related experience;
  • and/or training in running an information security office, analyzing and applying information security, risk management, and privacy practices.
  • Background in security forensic analysis and case management.

Skills/Knowledge

  • Adaptable in a global and complex environment, with good influencing skills
  • Strong people management and interpersonal skills; ability to interact at all levels
  • Delivery focused
  • Strong analytical and problem-solving skills
  • Demonstrated ability as an enabler and business builder