The Senior Director of Information Security, who serves as Northwestern University's Chief Information Security Officer (CISO) and HIPAA Security Officer, is responsible for the ongoing development and delivery of a comprehensive, University-wide information security strategy and program that adequately protects information assets, aligns with and supports the risk posture of the University, and meets related compliance and regulatory requirements. Reporting to the Vice President of Information Technology (VPIT) and functioning as a senior leader of Northwestern Information Technology, the CISO advocates for the University's total information security needs, and works with business and technology leaders across the University to assess and manage risks while balancing security strategies with other University priorities.
Information Security Leadership
- Provides vision and leadership to ensure that the University's information security program adequately protects information assets, appropriately balances security strategies and University priorities, consistent with the risk posture of the University, and incorporates evolving directions and best practices in information security.
- Accountable for the campus-wide information security environment, including: adoption of standards-based programs; development of policy, standards, and guidelines; assessment of information technology controls; and leadership of related activities.
- Advises the VPIT and other senior University leaders on information security short- and long-term directions, policy, and resource requirements.
- Establishes a roadmap for continual program improvements, metrics to track progress, and related reporting mechanisms.
- Reports to University senior management on the status of the information security program, education awareness, events and incidents, and information security trends.
- Stays abreast of information security issues and trends, emerging security solutions, and regulatory changes, especially those affecting higher education, and incorporates all into strategic direction-setting.
- Establishes and maintains an active University information security committee with representation from schools and departments to collaborate on the direction of IT security policy and technology, and to reinforce security responsibilities in the decentralized University environment.
- Maintains a close working relationship with key University Offices (e.g., the Offices of the General Counsel, Compliance, Human Resources, Research, University Police) to review security programs in light of legal and other business considerations.
- Sets priorities for, and directs the investigation and implementation of, new information security solutions that have campus-wide impact.
- Collaborates with colleagues in Northwestern IT and in the schools and departments on information security issues related to the development, implementation, and maintenance of University technology services, hosted locally or in the Cloud.
- Establishes teams to lead in the investigation and resolution of information security privacy considerations related to research and intellectual property.
- Serves as a subject matter expert for regulatory requirements and compliance issues as applied to technology (e.g., PCI, HIPAA, HITECH, FISMA, FERPA, etc.).
- Develops and maintains strong working relationships to collaborate and partner with key University stakeholders (VPs, AVPs, faculty, school administration, IT Governance, etc.) and external solution providers to advocate for appropriate security practices.
- Advises University administrators and technical staff in schools and departments on risk management.
Information Security Management
- Manages the overall direction and priorities of the information security program, including information security policy development, awareness, school and department security risk assessments, vendor risk assessments, risk mitigation, network traffic analysis, and regulatory compliance.
- Provides guidance and direction to the information security staff of Northwestern IT, schools, and departments, instilling in them the need for technological excellence and a professional approach to handling confidential matters while maintaining a customer-focused attitude.
- Advises University personnel on managing effective security practice.
- Performs various management functions related to information security, including budgeting, procurement, contract negotiations, and personnel evaluations and actions.
Security Incident Management
- Manages security incidents across the University and acts as the primary control point during information security incidents.
- Communicates progress to the University community, as appropriate, in managing security incidents.
- Interfaces with law enforcement agencies and other government agencies to address security lapses and respond to information security issues.
- Establishes and maintains an appropriate network of professional contacts.
- Maintains currency with professional organizations and participates in national groups to share experiences, learn best practices from others, and influence policy formulation.
- Represents the University and the Northwestern IT organization externally in areas of IT leadership and information security.
- Performs other duties as required and directed.
- BS degree in a technical discipline (e.g., Information Technology, Information Systems, Computer Science, Engineering) or equivalent combination of training, education and experience from which comparable skills can be acquired. Ten years of experience in information security operations. Seven years of experience in managing a team of information security specialists. Experience as a leader and/or developer of a comprehensive security plan. Excellent communication and presentation skills; written and verbal skills; solid analytical skills; strong interpersonal skills.
Minimum Competencies: (Skills, knowledge, and abilities)
- A strong background in developing and managing an information security program, and a proven track record of implementing organization-wide solutions that adequately protect information assets.
- A solid understanding of information security concepts, threats, and technologies, including industry standards and best practices.
- Knowledge and understanding of relevant legal and regulatory requirements related to data and information.
- Proficiency in developing information security policies and procedures that adequately balance security concerns with the organization's practices and priorities.
- A proven track record in recruiting, directing, motivating and guiding the development of a team of information security professionals.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences, including University senior management.
- Poise and ability to act calmly and competently in high-pressure, high-stress situations.
- Ability to establish and maintain respectful and effective relationships with management, co-workers, and customers.
- Demonstrated ability to analyze problems from multiple points of view, to lead consensus building within groups with differing views in a decentralized institution, and to translate the final agreement into cooperative planned action.
- Ability to act on own initiative to further organizational and University goals.
- Past experience in developing and implementing information security practices in a university or a highly decentralized corporate environment.
- Advanced degree in information technology.
- Information Security certifications: CISSP, CISM, CIPP.
Preferred Competencies: (Skills, knowledge, and abilities)
- An understanding of university business and academic technology approaches and requirements.