Job Description

The Senior Director of Information Security is responsible for maturing and maintaining the companywide information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected. This hands-on role is responsible for identifying, evaluating and reporting on cybersecurity risk to information assets, while supporting and advancing business objectives. The Senior Director will be responsible for running the enterprise information security program. Scope includes:

Develop an information security vision and strategy that is aligned to organizational priorities and enables the organization's business objectives, and ensure senior stakeholder buy-in
Facilitate an information security governance structure through the implementation of a hierarchical governance program, including an information security steering committee or advisory board
Translate IS-risk requirements and business needs into technical control requirements and spec’s
Oversee security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences
Understand and interact with functional areas to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals
Oversight of business continuity, disaster recovery, IT change management/controls, and IT policy and procedures.

Personnel responsible for managing and operating IT infrastructure will report into other functional areas (for example, networking, servers, building security, HR new hire or database management), with their security-related activities coordinated by this role. This is a highly visible hands-on role balancing tactical, operational and strategic activities in support of sustaining Adaptimmune’s IS program.

KEY RESPONSIBILITIES

Strategic Support

• Work with Senior Leaders to implement and grow an Information Security program that addresses identified risks and business security requirements.

• Execute the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing senior leaders with a realistic overview of risks and threats in the enterprise environment on a routine basis.

• Monitor and report on internal and 3rd party compliance with IS policies, procedures and methods, as well as the enforcement of IS requirements within the IT department and other functional areas (e.g. HR, Facilities).

• Own IS Policies, procedure and methods. Ensure controls are properly maintained and well defined for implementation by operational teams. Propose changes to existing policies to ensure operating efficiency and regulatory compliance. Execute IS responsibilities (e.g. verification) as outlined in policies and procedures.

Security Liaison

• Assist resource owners and IT staff in understanding and responding to security audit failures reported by internal and external auditors.

• Provide regular security communication, awareness and training for audiences, which may range from senior leaders to field staff.

• Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.

• Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.

• Work with IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the IS program.

• Provide support and guidance for legal and regulatory compliance efforts, including audit support.

Architecture/Engineering Support

• Consult with IT and business line staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software, process and procedures, etc. Perform security assessments, and provide recommendations to close GAPs.

• Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.

• Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.

• Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.

• Develop a strong working relationship with the IT operations team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.

• Develops a common set of security tools. Defines operational parameters for their use, and conducts reviews of tool output. Administrate IS monitoring and verification tools and controls.

• Performs control and vulnerability assessments to identify control weaknesses and assess the effectiveness of existing controls, and recommends remedial action.

• Defines testing criteria for process and technical systems and applications.

• Is the primary individual responsible for the execution of IS risk assessment activities, analyzing the results of audits to produce recommendations of acceptable risk and risk mitigation strategies.

Operational Support

• Coordinate, measure and report on the technical aspects of security management.

• Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.

• Manage and coordinate operational components of incident management, including detection, communication, response and reporting.

• Maintain a knowledgebase comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.

Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.

• Provide expert guidance on security matters for other IT projects.

• Design, coordinate and oversee formal documented security testing procedures to verify the security of systems, segregation of duties, networks and applications, and manage the remediation of identified risks.

• Respond to and, where appropriate, resolve or escalate reported security incidents.

• Investigate and resolve security violations by providing postmortem analysis to illuminate the issues and possible solutions.

Oversight of business continuity, disaster recovery, GMP and non-GMP IT change management / controls, and broader departmental IT policy and procedures.

Managing up to three people and external vendors

QUALIFICATIONS & EXPERIENCE

Required

A minimum of 20 years of progressive IT experience, with 5 years in a senior information security role and 10 years in a supervisory capacity, or equivalent experience.
A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.
Information Security certification based on industry best practices.

Desirable