$250K — $500K+*
The Senior Director of Information Security is responsible for maturing and maintaining the companywide information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected. This hands-on role is responsible for identifying, evaluating and reporting on cybersecurity risk to information assets, while supporting and advancing business objectives. The Senior Director will be responsible for running the enterprise information security program. Scope includes:
Personnel responsible for managing and operating IT infrastructure will report into other functional areas (for example, networking, servers, building security, HR new hire or database management), with their security-related activities coordinated by this role. This is a highly visible hands-on role balancing tactical, operational and strategic activities in support of sustaining Adaptimmune’s IS program.
• Work with Senior Leaders to implement and grow an Information Security program that addresses identified risks and business security requirements.
• Execute the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing senior leaders with a realistic overview of risks and threats in the enterprise environment on a routine basis.
• Monitor and report on internal and third-party compliance with IS policies, procedures and methods, as well as the enforcement of IS requirements within the IT department and other functional areas (e.g. HR, Facilities).
• Own IS Policies, procedure and methods. Ensure controls are properly maintained and well defined for implementation by operational teams. Propose changes to existing policies to ensure operating efficiency and regulatory compliance. Execute IS responsibilities (e.g. verification) as outlined in policies and procedures.
• Assist resource owners and IT staff in understanding and responding to security audit failures reported by internal and external auditors.
• Provide regular security communication, awareness and training for audiences, which may range from senior leaders to field staff.
• Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
• Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
• Work with IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the IS program.
• Provide support and guidance for legal and regulatory compliance efforts, including audit support.
• Consult with IT and business line staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software, processes and procedures, etc. Perform security assessments, and provide recommendations to close gaps.
• Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
• Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
• Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
• Develop a strong working relationship with the IT operations team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.
• Develop a common set of security tools. Define operational parameters for their use, and conduct reviews of tool output. Administer IS monitoring and verification tools and controls.
• Perform control and vulnerability assessments to identify control weaknesses and assess the effectiveness of existing controls, and recommend remedial action.
• Define testing criteria for processes and technical systems and applications.
• Serve as the primary individual responsible for the execution of IS risk assessment activities, analyzing the results of audits to produce recommendations of acceptable risk and risk mitigation strategies.
• Coordinate, measure and report on the technical aspects of security management.
• Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
• Manage and coordinate operational components of incident management, including detection, communication, response and reporting.
• Maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
• Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
• Provide expert guidance on security matters for other IT projects.
• Design, coordinate and oversee formal documented security testing procedures to verify the security of systems, segregation of duties, networks and applications, and manage the remediation of identified risks.
• Respond to and, where appropriate, resolve or escalate reported security incidents.
• Investigate and resolve security violations by providing postmortem analysis to illuminate the issues and possible solutions.
• Oversee business continuity, disaster recovery, GMP and non-GMP IT change management / controls, and broader departmental IT policy and procedures.
• Manage up to three people and external vendors.
QUALIFICATIONS & EXPERIENCE
Valid through: 3/16/2021