The Director, Business Information Security is responsible for leading a team of Business Information Security Advisors (BISAs) for Retail Solutions business areas, including Digital Retailing, F&I, RTS, CMS, DDS, DMS, HomeNet, vAuto, and common Retail Solutions services. With their team, they lead information security and risk management initiatives to align with the Cox Automotive Corporate Security Standards. This position will be the security leader and subject matter expert working with technology, business, and legal teams to develop secure solutions and will hold overall responsibility for coordinating security projects for products and solutions for the business. These projects may include: coordination of infrastructure and application security vulnerability remediation efforts, providing security guidance for new business projects, oversight of critical security access reviews, validating disaster recovery documentation & test activities, and coordinating the remediation of all security audit findings. The Director, Business Information Security also helps the business comply with all legal, regulatory, & contractual security obligations, assists with the development & implementation of security process improvements, and champions security & risk mitigation. The Director, Business Information Security may also be involved in certain aspects of security operational tasks, such as approving security requests or helping with the business context in incident response exercises.
- Sets strategic security direction and accountability for a team of Business Information Security Advisors (BISAs).
- Represents security measures, risks, and recommendations to Retail Solutions leaders.
- Works under the guidance of the head of the Business Information Security Office to ensure adoption of and compliance with Cox Automotive Corporate Security Standards while enabling business success.
- Coordinates remediation efforts for software and system vulnerabilities, reports on progress and risks, and makes recommendations for strategic improvements.
- Assists with applications that are moving to the cloud, reviews controls for new or migrating applications, and provides guidance for secure transitions to the cloud.
- Provides security guidance for new projects and products to ensure security best practices are implemented and that projects are developed in compliance with Cox Automotive Corporate Security Standards.
- Assists with subpoena requests and the handling of depositions, working with internal and external Legal Counsel.
- Oversees the maintenance of disaster recovery plans and procedures for systems and software, and assists with disaster recovery testing efforts when needed.
- Meets and partners with broad stakeholder groups (e.g. Engineering, Product, Architecture, Operations, Legal) to provide leadership updates and reporting on security issues.
- Periodically helps perform risk assessments of business applications, systems, and processes to verify compliance with the Cox Auto Security Standards, and prioritizes the remediation of gaps based on risk to the organization.
- Coordinates efforts to remediate and mitigate issues arising from access and firewall reviews, audit findings, and identified risks.
- 6+ years' experience in IT Security, Risk, Compliance, or equivalent
- Experience leading teams, setting strategy, and coaching for growth and success
- Strong Vulnerability Management background
- Understanding of web applications, cloud technologies, system infrastructure, and enterprise architecture
- Experience conducting or responding to audits
- Ability to work in a fast-paced and dynamic environment
- Ability to work both in a team and independently, resolving issues with little or no supervision
- Excellent organizational, project management, and follow-up skills
- Ability to build and maintain strong working relationships at all levels of the organization
- Excellent communication, presentation, and reporting skills
- Familiarity with Cox Automotive products and technologies
- BA/BS Degree, preferably formal studies in Computer Science, Information Systems, or equivalent
- CISA, CISSP, CISM, or other security certification(s)