JD Power and Associates

Chief Information Security Officer

JD Power and Associates
$250K — $275K *
US-Anywhere, Remote in United States
Information Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 10+ years in information security and cybersecurity, with 5+ years in senior leadership roles.
  • Proven incident response leadership and crisis management skills.
  • Certifications such as CISSP, CISM, CISA, ISO 27001 Lead Auditor.
  • Experience managing large-scale enterprise security programs with global teams.
  • Strong understanding of modern security practices, including IAM, cloud security, and threat detection.
  • Knowledge of AI security risks and securing AI-enabled workflows.
  • Familiarity with standards like NIST, ISO 27001, PCI, or OWASP.

Responsibilities

  • Define and own the global cyber security strategy aligned with business goals.
  • Advise senior leadership, including the CTO and Board Cybersecurity Committee.
  • Lead planning and budgeting for security resources and strategies.
  • Promote a security culture within the organization across all regions.
  • Oversee implementation and continuous improvement of the Information Security Management System (ISMS).
  • Ensure compliance with global cybersecurity regulations and standards.
  • Lead global Security Operations, including threat intelligence and vulnerability management.

Benefits

  • Remote work opportunity within the USA.
  • Participation in a collaborative technology leadership team.
  • Involvement in global decision-making for cybersecurity strategy.
  • Opportunity to shape and enhance the organization's security culture.
  • Access to professional development and certification opportunities.
Full Job Description
Job Description:

Title: Chief Information Security Officer (CISO)

Location: Remote - USA

Reports to: Chief Technology Officer

The Role:

JD Power is seeking an enterprise-level security leader to serve as Chief Information Security Officer (CISO). As a member of the Technology Leadership Team, the CISO is the enterprise-wide owner of global cyber security, information risk, and resilience, providing strategic leadership across all regions to protect clients, systems, data, intellectual property, and brand reputation.

The CISO defines and executes the global security strategy, leads security operations and governance, ensures compliance with international regulations and standards, and acts as the organization's senior authority on cyber risk.

The Impact You Will Have in This Role:

As Chief Information Security Officer, you will be the driving force behind protecting JD Power's clients, systems, data, and brand across every region. By defining and executing the global security strategy, maturing governance and security operations, and embedding a strong security culture, you will reduce enterprise risk while enabling the business to innovate and grow with confidence. You will serve as the organization's senior authority on cyber risk, providing the CTO, Operating Team, Board, regulators, and customers with assurance that security is a strategic enabler rather than a barrier.

What You'll Be Doing in This Role:

Global Security Strategy & Leadership
  • Own Global Security Strategy: Define and own the global cyber security strategy, aligned to business objectives and risk appetite.
  • Advise Senior Leadership: Provide senior-level leadership and act as a trusted advisor to the CTO, Operating Team, Board Cybersecurity Committee, and senior leaders.
  • Lead Planning & Investment: Lead global planning, budgeting, capability development, and vendor strategy for all security domains.
  • Build a Security Culture: Promote a strong security culture across all regions, embedding secure behaviors and accountability.

Governance, Risk Management & Compliance
  • Operate the ISMS: Lead the design, implementation, operation, and continuous improvement of the Information Security Management System (ISMS) aligned to ISO 27001, SOC2, TISAX, and other relevant frameworks.
  • Manage Enterprise Risk: Oversee global risk management, including risk assessments, control selection, and enterprise risk reporting.
  • Compliance: Ensure compliance with global cyber security regulations and industry standards.
  • Maintain Policies & Standards: Lead the development and maintenance of global security policies, standards, and guidelines.
  • Govern Third-Party Risk: Oversee third-party and supply-chain security, including vendor assessments and due diligence.

Security Operations, Threat Management & Incident Response
  • Lead Security Operations: Lead global Security Operations (SecOps), including monitoring, detection, threat intelligence, and vulnerability management.
  • Mature CSIRT/CSOC Capabilities: Establish and mature global CSIRT/CSOC capabilities, ensuring 24/7 coverage where required.
  • Command Major Incidents: Act as executive incident commander for major cyber events, ensuring effective response, communication, and recovery.
  • Drive Continuous Improvement: Maintain incident playbooks, escalation paths, and post-incident reviews to drive continuous improvement.

Cloud, Application & Product Security
  • Define Secure Architecture: Define and oversee secure architecture, cloud security standards, and identity & access management (IAM).
  • Embed Security in the SDLC: Embed security into the software development lifecycle (SDLC), including secure coding, DevSecOps, and product security reviews.
  • Partner with Engineering: Partner with Engineering and Technology teams to ensure secure design, encryption, and access controls across all platforms.

Regulatory, Customer & External Engagement
  • Represent Security Externally: Act as the senior representative for cyber security with regulators, auditors, customers, and partners.
  • Manage Security Assessments: Oversee responses to customer and partner security assessments and due-diligence requests.
  • Track Regulatory Change: Monitor global regulatory developments and translate them into actionable controls and programs.

People Leadership & Organizational Development
  • Lead Global Teams: Lead and develop global teams across security operations, governance, risk, compliance, and resilience.
  • Build Organizational Capability: Build organizational capability, succession planning, and specialist talent pipelines.
  • Foster High Performance: Foster a collaborative, high-performance culture across regions and functions.


Qualifications of this Role:
  • 10+ years of experience in information security and cybersecurity, with 5+ years in a senior leadership role.
  • Proven track record of incident response leadership and crisis management.
  • Relevant certifications such as CISSP, CISM, CISA, ISO 27001 Lead Auditor.
  • Experience leading large-scale enterprise security programs and managing global teams, including leaders of leaders.
  • Strong knowledge of modern enterprise security practices, including identity and access management, cloud security, endpoint security, DevSecOps, threat detection, and vulnerability management.
  • Understanding of emerging AI security risks and controls, including securing AI-enabled workflows and enterprise AI platforms.
  • Experience securing modern cloud and development environments across platforms such as AWS, Azure, or GCP.
  • Familiarity with modern security frameworks and standards such as NIST, ISO 27001, PCI, or OWASP.
  • Demonstrated ability to communicate complex security topics to executive leadership and nontechnical stakeholders.
  • Experience with risk management, compliance, and regulatory requirements relevant to enterprise software companies.
  • Strong business acumen, particularly in aligning security investments with financial and operational priorities.


This position has a starting salary range of $250,000 - $275,000 USD per year. This is the range we reasonably and in good faith expect to pay for the role at the time of posting. An employee's pay within the range is determined by a number of factors, including relevant skills, education, qualifications, experience, performance, business or organizational needs, and geographic location.

About JD Power and Associates

J.D. Power is a global marketing research and consulting firm that provides consumer insights, data analytics, and advisory services to a variety of industries, including automotive, financial services, healthcare, insurance, and telecommunications. The company was founded in 1968 and is headquartered in Westlake Village, California. J.D. Power is known for its customer satisfaction surveys and rankings, which are widely used by businesses and consumers alike. The company has over 1,500 employees and operates offices in North America, Europe, and Asia.