Job Requisition ID:Time Type:Full time
Employee Group:Staff
Job Category:IT Security
Employment Type:Permanent
Department:Information Systems and Technology
Hiring Range:$157,251.41 - $196,564.26
Posting Information:This posting is for an existing vacancy.
The internal posting deadline for this position is Thursday, May 7, 2026 at 11:59PM.
Job Description:Primary PurposeThe Chief Information Security Officer (CISO) is the University's senior cybersecurity leader, responsible for enterprise-wide cyber strategy, risk management, and incident preparedness. The role oversees core information security services-including monitoring, vulnerability management, log management, and identity and access management-ensuring they evolve with institutional priorities and the threat landscape. The CISO leads incident response, policy alignment, and campus-wide risk governance while advising senior leadership and representing the University provincially and nationally.
Key Accountabilities
Strategic Leadership- Establishes the direction and priorities for the Information Security Services group
- Serves as an integral member of both IST's Senior Leadership and Management Teams
- Participates in the development of the long-term vision and planning for IT both in IST and across campus
- Develops the Information Security Services group's annual plans and priorities and is a key contributor to the creation and execution on strategic planning for both IST and IT on campus.
People & Resource Management- Ensures the effective utilization, deployment, and development of human and capital resources
- Oversees hiring and overall management of the Information Security Services group.
- Deploys staff to meet the goals and objectives of the Information Security Services group most appropriately.
- Coaches, trains, and develops employees to enable their professional development.
- Reviews and approves ongoing information security expenses.
- Approves annual performance plans and conducts regular reviews with direct reports.
IT Leadership Collaboration- Works with the CIO, IST Senior Leaders to intake IT requests, develop strategy, assess emerging technologies, and maintain tactical roadmaps.
- Intake requests for new IT initiatives and ongoing support from the campus community.
- Lead IT strategy development across the University aligned to the institution's strategic plan.
- Assesses emerging technologies and implement technology solutions to drive innovation.
- Conduct yearly reviews and implement tactical roadmaps to sustain the IT annual and strategic plans.
- Support a collaborative and coordinated model of IT governance, including with IT representatives in the faculties, the VP Administration and Finance and the Provost's office, senior management, and Associate Deans of Computing or equivalent, where applicable.
- Work with peer institutions and both participate in, and identify new opportunities for IT alliances, in conjunction with Canadian and international groups and alliances.
Cybersecurity Monitoring and Incident Response (Cyber Operations)- Accountable for the development and maintenance of the University's cybersecurity incident response procedure.
- Leads the response to cybersecurity incidents, coordinating relevant stakeholders in an emergency situation to protect the university's network and digital assets, and escalating to senior management as appropriate.
- Maintains enterprise central log management systems and implements techniques for the detection and response to malicious activity and unauthorized access.
- Administers the University's cyber vulnerability management program.
- Shares and receives threat intelligence with/from other institutions, government agencies, and law enforcement to strengthen cybersecurity posture of higher education in Canada.
- Further participates as the university's key representative in various Ontario and Canada-wide committees related to cybersecurity in both higher education and in the broader public sector.
Identity and Access Management (IAM)- Establishes institutional identity and access management principles and standards
- Responsible for the development, maintenance, and operation of the University's identity management system (WatIAM) and designated access management systems (Grouper, 2FA, Shibboleth).
- Ensures integration with systems of record and target information systems and technology infrastructure.
- Ensures appropriate delegation of administration of campus identities.
- Oversees and manages processes and tracking of access requests to university user accounts in exceptional circumstances (involuntary terminations, next-of-kin)
Legal, Privacy, and Records Management- Oversees Information Risk Assessments in collaboration with IST Senior Leaders.
- Assists LIS with Privacy Impact Assessments and related procedures.
- Assists IST Senior Leaders, the CIO, and other stakeholders with developing and interpreting University Records Management procedures.
Cybersecurity Risk Management (GRC, Governance Risk Compliance)- Leads the University's cybersecurity awareness program.
- Assists the University's Office of Risk and Compliance to ensure congruence of policies and procedures related to Cyber and Information Security.
- Supports Finance to ensure the University complies to PCI DSS standards.
- Conducts cybersecurity and privacy risk assessments of information technology initiatives to ensure appropriate management of risks.
- Assists the Office of Research with ensuring research activities are compliant with contractual obligations, as well as supporting the Office of Research Ethics with cybersecurity risk assessments of research activities, as appropriate.
- Oversees the cybersecurity management of Advanced Research Computing facilities hosted by the University, as part of national digital research infrastructure services.
- Assists Secretariat and the CIO in developing University-level Policy regarding IT and IT security.
- Accountable to the CIO, the Vice Presidents and President, and the Board of Governors for information security audits and related risk management.
- Act as an approachable resource and trusted advisor for IT leadership and researchers in securing research information while preserving academic openness.
Investigative Support- Supports Associate Deans with Policy 71 investigations relating to computing infrastructure.
- Assists the University of Waterloo Special Constable Services with investigations as appropriate.
- Assists with workplace investigations led by Human Resources or Conflict Management & Human Rights involving a cyber component.
- Responds to court orders for monitoring and identity information collected by services managed by Information Security Services, in consultation with Legal and Immigration Services.
Required QualificationsEducation- University degree or equivalent post-secondary education and/or experience required.
Experience- 10+ years of progressive cybersecurity experience including significant leadership experience and a proven track record of achievement and success in a complex higher education environment.
Knowledge/Skills/Abilities- Knowledge of common information security management frameworks (NIST CSF).
- Knowledge of common information security standards (PCI DSS, NIST SP 800-53, CIS, OWASP).
- High level of personal integrity.
- Ability to effectively present risks, strategies and plans in an objective manner to senior administration of the University.
- Excellent verbal and written communication skills.
- Ability to communicate technical concepts to both technical and non-technical audiences.
- Stays calm in a crisis.
- Strong leadership skills are essential, with a demonstrated positive track record of leading a cohesive team with common goals and measurable outcomes in a complex IT environment.
- Demonstrated ability to influence, negotiate, and develop relationships at senior levels and across a wide range of personalities and functions
- Strong organizational and problem-solving skills combined with excellent analytical and planning abilities.
- Experience with identification and cost-effective treatment of cybersecurity risks in an open, collaborative academic environment is strongly preferred.
- Professional information security management certification (e.g., CISSP/CISA) is preferred.
