Job Seekers, Please send resumes to firstname.lastname@example.orgShort Description:
State of Michigan and Michigan Cyber Security has embarked on a pilot program to provide Security Consulting Services in Michigan for local government entities (Cities, Townships, Counties). This role report into the DTMB Michigan Cyber Security organize.
Collaborating with a variety of external strategic business and IT leaders this senior level consulting position must continually refine the organization’s IT Security & Risk Strategy, ensuring critical data, assets and infrastructure are secure by working to keep cyber defenses, operations and the overall organization prepared for current and ongoing threats. IT Security & Risk Strategy should align with the organization’s strategy / priorities and be communicated accordingly to executives and other stakeholders across the local government entities in State of Michigan. The CISO consultant is expected to periodically communicate strategy, critical updates, and measurable progress against industry maturity level targets to the IT leadership team. Additionally, the CISO consultant is expected to provide leadership and guidance following a prescribed framework and reporting to an appointed steering committee. He/She will be responsible for performing risk/security assessment, developing implementation plan and operationalizing it based on the organizational needs. Experience requirements for specific cybersecurity segments are listed below.
IT Risk Management
As a partner with the internal services, infrastructure, application and operational technology teams, the CISO will define risk measurement standards and repeatable ISO 27000 or equivalent framework for all components of IT risk, including but not limited to vendor, cloud, stability, supportability, regulatory, disaster preparedness, and security. The team will perform ongoing risk assessments and provide executive updates / escalation as necessary.
IT General Control (ITGC) Compliance & Audit Management
Define, measure and drive ITGC compliance including but not limited to defined regulatory requirements including but not limited to PCI and HIPAA. Partner with stakeholders to ensure compliance to PCI and HIPAA, and other applicable standards. Ensure all compliance activities are mapped to defined standards (e.g. ISO, NIST Executive Order, COBIT). Act as primary interface to Audit organizations, including review of all IT-related audit findings, follow-ups and management response commitments.
Security Training & Awareness
Continue to drive and expand organizational security training and awareness through repeatable and creative initiatives across an organization.
Responsible for the direction and oversight of matters governing appropriate access, security, privacy, and confidentiality of employee and other sensitive personal and organization information. Ensures organizational compliance with applicable statutory and regulatory requirements pertaining to the subjects of information security and privacy for the organization. Interfaces with Legal, HR and other appropriate departments.
Project Design & Delivery
Manage multi-vendor teams in the design, development, deployment and support of many critical security related projects as part of achieving overall improved maturity of IT security capabilities.
IT Security Operations
Responsible for defining, developing, and managing the organization’s IT Security Operations function.
- management of an internal security organization,
- alignment with county operational technology asset monitoring requirements,
- interfacing 3rd party Managed Security Services Providers for external network monitoring and cyber intelligence,
- measurement of incident handling performance, and
- working closely with external entities (industry, government) regarding current threats, indicators of compromise, or other intelligence. As a partner with the internal services, infrastructure, application and operational technology teams, the CISO will set the direction of and deliver the overall IT Security Architecture for the county being supported by this role.
Other Key Roles & Responsibilities:
- Responsible for managing the phases of the CISO as a Service framework (Assessment, implementation, operations) covering all aspects of IT Security function, including operations, new projects, third party vendors, managed services and other related costs.
- Conduct internal briefings with other senior leaders across the organization on a regular basis for broad based awareness of key updates such as cyber security operational performance, incidents or breaches, new strategic areas of focus and critical project updates.
- Define overall IT Security Strategy & Vision. Ensure IT Security Strategy clearly communicates future design and aligns to cyber security and risk objectives across each part of the organization.
- Present to audiences and forums internal and external to the organization on topics related to IT security, risk and compliance.
Education, Experience, & Skill Requirements:
- Must possess and exhibit a high level of integrity and passion for the disciplines of IT Security & Risk.
- Ten plus years overall of multi-disciplined IT background.
- Prefer minimum of 4 years of experience as CISO or equivalent position for medium sized organizations.
- Ability and experience working across multiple organization and IT organizations to develop an integrated organizational IT Security & Risk Strategy
- Experience designing organizational IT Security Architecture, infrastructure and applications.
- Strong knowledge and experience in managing complex project plans with interdependencies between many different projects and initiatives.
- Experience working with external cyber intelligence organizations, such as MS-ISAC (NERC), ISC-CERT (DHS), FBI.
- Familiarity with standard risk frameworks, including ISO 27000, SANS, NIST 800-53, and standard compliance frameworks.
- Prefer degrees in Computer Science, Business, Engineering or Information Systems.
- Current certifications such as CISSP, CISA, and/or others as relevant will be preferred.
- Professional IT process / methodology certifications a plus (e.g., ITIL, CobIT, LEAN, Six Sigma) with experience implementing rigorous and efficient process / methodology across an organization. Prefer experience as a business or IT consultant.
Required / Desired
Multi-disciplined IT background
Experience as CISO/CSO or equivalent position for medium to large size organizations
Degree(s) in Computer Science, Business, Engineering or Information Systems
Current Security or Audit certifications such as CISSP, CISA, and/or others as relevant
Professional IT process / methodology certifications (such as ITIL, COBIT LEAN, Six Sigma) with experience implementing processes and methodologies
Nice to have
Experience as a Business, Management or IT Consultant
Strong knowledge and experience in managing complex project plans with interdepedencies
Firm understanding of the CIS Controls
Firm understanding of the NIST Controls