The Information Security Manager for the Governance, Risk and Compliance function is responsible for maintaining Sidley's overall security risk management program, which is designed to ensure the Firm's Infrastructure and Applications are adequately protected. The Manager is responsible for identifying, analyzing, evaluating and reporting on information security risks. S/he works proactively with various IT and business departments to implement practices that meet Sidley's policies and standards for information security risk management.
The Information Security Manager is a proven thought leader and problem solver, as well as an effective internal consultant, who will regularly advise business leaders on information security risk issues. S/he must possess domain competencies in a number of IT-risk-related disciplines, including security, disaster recovery, privacy and compliance.
Duties and Responsibilities
- Work with the Director of Information Security to manage all the risk-related activities of Sidley's IT organization, including planning, testing, reporting and recommending appropriate remediation measures.
- Manage a staff of information security professionals, which includes, but is not limited to, recruiting, hiring and training new staff, conducting performance reviews and providing leadership and coaching for team members.
- Manage oversight and monitoring of risk mitigation via the coordination of information security management systems and controls.
- Manage the oversight of risk assessments, including, but not limited to, vulnerability scanning, penetration testing, new infrastructure/application reviews and third-party service provider reviews.
- Partner with appropriate staff within IT and other business departments to facilitate risk analysis and risk management processes to identify acceptable levels of residual risk.
- Remain current with industry best practices and monitor the legal and regulatory environment for developments that could require changes to Sidley's established policies, standards and practices.
- Provide security communication, awareness and training for audiences, which includes staff and lawyers.
- Work as a liaison with IT, legal and procurement to establish mutually acceptable contracts and service-level agreements, which should cover information security and disaster recovery content.
- Assist resource owners and IT staff with understanding and responding to security audit findings reported by internal and external auditors.
- Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments and internal and external audits to ensure appropriate remediation measures are taken.
- Coordinate information security and risk management projects.
- Work with the Director of Information Security to develop budget projections based on short- and long-term goals and objectives.
- Work with the Director of Information Security and Information Security Manager for Architecture, Engineering, and Monitoring to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
- Provide support and guidance for legal and regulatory compliance efforts, including leading client information security assessments and audits.
- Other duties, as assigned.
To perform this job successfully, an individual must be able to perform the Duties and Responsibilities (Duties) above satisfactorily and meet the requirements below. The requirements listed below are representative of the minimum knowledge, skill, and/or ability required. Reasonable accommodations will be made to enable individuals with disabilities to perform the essential functions of the job.
Education and/or Experience:
- Bachelor's degree or equivalent combination of education and/or experience.
- Minimum of 8 years of experience in IT risk management or a related discipline such as security, privacy, business continuity management or compliance, with at least 1 year in a leadership role.
- Experience with information risk assessment methodology development and application.
- Working knowledge of ISO 27001/27002 with practiced program alignment and integration.
- Working knowledge of IT management frameworks such as National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), and/or Information Technology Infrastructure Library (ITIL).
- Experience developing, deploying and integrating security policy and standards documentation.
- Experience in developing, managing or providing direct support for IT security vulnerability and threat management.
- Certified Information Security Manager, Certified Information Systems Security Professional (CISSP) or equivalent.
- Experience initiating cloud assessments.
- Experience conducting senior/executive-level presentations.
Other Skills and Abilities:
The following will also be required of the successful candidate:
- Strong organizational skills.
- Strong attention to detail.
- Good judgment.
- Strong interpersonal communication skills.
- Strong analytical and problem-solving skills.
- Able to work harmoniously and effectively with others.
- Able to preserve confidentiality and exercise discretion.
- Able to work under pressure.
- Able to manage multiple projects with competing deadlines and priorities.