CRISC - Certified in Risk and Information Systems Control
The City of Raleigh is seeking a proven Chief Information Security Officer (CISO) with a track record of implementing security best practices at the enterprise level. This position reports directly to the Chief Information Officer (CIO), and interfaces with City department executives and other IT division executives.
Raleigh is recognized frequently in the national media for a variety of measures of the health of our community. Some of those accolades include:
No. 1 Upcoming IT City in the USA other than Silicon Valley - CustomerThink, June 2020
No. 2 Best City for New Grads 2020 in the U.S. - Zumper, May 2020
Top 10 City Best-Positioned to Recover from Coronavirus (Raleigh & Durham) - Moody’s Analytics/Forbes, May 2020
No. 2 Fastest-Growing U.S. Metro from 2018-2019 - U.S. Census, March 2020
No. 9 Most Recession-Resistant City in the U.S. - SmartAsset, March 2020
No. 2 Very Large Metro in the U.S. for Overall Prosperity Index - Brookings Institute, March 2020
No. 2 in 2020 Quality of Life Ranking - Numbeo, January 2020
The City employs more than 4,100 staff to support its 450,000+ residents and is consistently ranked as one of the top locations in the nation to live, work and learn.
HIRING RANGE: $86,167.00 - $155,000.00 (Promotional range may vary)
The CISO will be responsible for the operation and enhancement of the enterprise information security program. That involves identifying, evaluating and reporting on the City’s Cyber Security Program, and addressing any risk to information assets, while supporting and advancing City objectives.
A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization. He or she will proactively work with City departments and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. The CISO should understand and articulate the impact of cybersecurity on (digital) business, and be able to communicate this to the department directors, City leadership and other senior stakeholders. The ability to collaborate and advise in a team environment is an absolute necessity. In addition, the ability to exhibit composure, maturity and stability under pressure is essential. The CISO must be able to give and take constructive criticism.
The ideal candidate is a thought leader, a builder of consensus and of bridges between business and technology. He or she is an integrator of people, process and technology. While the CISO is the leader of the information security program, he or she must also be able to coordinate disparate drivers, constraints, and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the City to deliver on its goals and objectives.
This key position plays an important part in the continued success of the City. The role manages a staff of four and is responsible for ensuring a framework is in place to protect and secure the City’s technology assets.
Essential Duties and Responsibilities (Not intended to be all inclusive):
Establish Governance and Build Knowledge
Facilitates an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board
Provides regular reporting on the current status of the information security program to City leadership including City Council, City Management and Department Directors, and peers.
Develops, socializes and coordinates approval and implementation of security policies
Works with the City’s legal and procurement team to ensure that information security requirements are included in contracts
Directs the creation of a targeted information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences
Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
Embeds Cyber Judgement across a decentralized or distributed decision-making model
Leads the security champion program to mobilize employees in all locations
Lead Cyber Security Division in IT
Leads the information security function across the City to ensure consistent and high-quality information security management in support of the City goals
Leadership and judgement are a key emphasis for this position. The CISO should be able to articulate ideas, build consensus, and work effectively with senior leaders throughout the City as well as with technical and non-technical personnel.
Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
Manages the budget for the information security function, monitoring and reporting discrepancies
Manages the cost-efficient information security division in IT, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews
Mentors and directs Cyber Security staff at the City
Builds a succession plan for the Division
Set the Strategy
Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate
Develops, implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization
Assists with the identification of IT services in use that are not managed by IT, and facilitates a Citywide IT onboarding program for the Cyber Security function to bring these services into the scope of the IT function and apply standard controls and rigor to them; where this is not possible, ensures that risk is reduced to appropriate levels and that ownership of this information security risk is clear
Works effectively with departments to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite
Develop the Frameworks
Develops and enhances an up-to-date information security management framework based on the following: ITIL, COBIT/Risk IT and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The City has adopted the NIST framework for Cyber Security Operations.
Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations
Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices
Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets
Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, increases the maturity of the information security program, and reviews it with stakeholders at the executive and board levels
Build the Network and Communicate the Vision
Is responsible for the IT Policy program at the City
Creates the necessary internal networks among the information security team, compliance, audit, physical security, legal and HR management teams to ensure alignment as required
Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
Liaises with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design
Operate the Function
Creates a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of partners, vendors and any other third parties
Works with legal and department staff to ensure that all information owned, collected or controlled by or on behalf of the City is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
Collaborates and liaises to ensure that data privacy requirements are included where applicable
Defines and facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
Oversees technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk
Manages and contains information security incidents and events to protect the City’s IT assets, intellectual property, regulated data and reputation
Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the City’s perimeter
Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem
Education and Experience: Bachelor's Degree in a technical concentration (Information Technology) or a field directly related to the assignment, and eight years of infrastructure, network, cyber security or related program management in a complex organization, including two or more years of experience leading security operations. The ideal candidate will have proven skills in leadership of a significant IT organization, with a track record of delivering committed results in a complex and diverse environment. OR an equivalent combination of education and experience sufficient to successfully perform the essential duties of the job such as those listed above, unless otherwise subject to any other requirements set forth in law or regulation.
Licensing/Certifications: One or more of the following certifications is required for this position and must be maintained: Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC).
Preferred Qualifications: Advanced degree in Business Management (MBA), Information Assurance, Information Security, or related field.
Telecommuting is allowed.
Internal Number: 2021-00706
About City of Raleigh
The City of Raleigh's mission is to build a stable platform of evolving services for our community through which we champion positive and sustainable growth and realize visionary ideas for all. At the City of Raleigh, we pursue world-class quality of life by actively collaborating with our community towards a fulfilling and inspired future for all.