Job Description
Salary: Grade 20, Commensurate with experience starting at $153,222.00
Shift: Monday through Friday 8:00 AM - 5:00 PM - Hybrid 2 days a week onsite
Location: PHEAA Headquarters 1200 North 7th Street, Harrisburg, PA 17102
Department: Enterprise Security Office
JOB PURPOSE AND SUMMARY
This role is responsible for planning, developing, and operating reliable information security and privacy programs that support the integrity and availability of digital information, safeguards the Agency's digital assets, and implements effective and appropriately scaled security and privacy policies, practices, and technologies. Develop relationships with all levels of the organization to implement appropriate security and privacy standards and procedures. This position is responsible for monitoring compliance with the legislated requirements that impact information security and privacy for PHEAA in its roles as an independent state agency and a commercial enterprise.
PRIMARY DUTIES AND RESPONSIBILITIES
Security Leadership
Build an enterprise-wide cybersecurity culture that improves security awareness and instills a risk-aware culture in the Agency.
Develop, manage and set the vision, goals, and priorities for information security at PHEAA.
Advise and report to Agency executive leadership and Board as may be required or requested on current Agency cybersecurity strategy and cybersecurity risk.
Lead initiatives related to Information Security strategic planning.
Provide strategic oversight for the security execution of enterprise projects, initiatives, and organizational changes, ensuring effective leadership and alignment across security managers, team leads, and staff.
Drive and oversee execution of security projects and initiatives, empowering security managers, team leads, and staff.
Set and manage the budget for the Enterprise Security Office.
Consult with business and Information Technology stake holders to understand their business and technical plans and formulate an Information Security plan that allows the Agency to achieve its goals.
Define Information Security metrics and report them regularly as required by Agency processes.
Stay current on emerging technology, trends, legislation, and threats that impact the Agency's information security posture.
Information Security and Privacy Management
Lead the development and maintenance of the Agency's strategic cyber-security roadmap.
Oversee the development, implementation, and management of security strategy processes, along with related architecture and engineering standards.
Assist in the review of applications and technology environments during the development and acquisitions process.
Translate and interpret technical risks for a broad range of audiences including the Board and Executive Leadership.
Maintain current knowledge of applicable cyber-security and privacy laws and monitor advancements in information security and privacy to ensure Agency adaptation and compliance.
Define and drive compliance with the Agency's enterprise security and privacy policies and standards, and ensure the related controls are in place and operating effectively.
Security Risk Management
Lead the development and implementation of the information security policy, standards, guidelines, and procedures that balance business objectives with information security risk.
Identify protection goals, objectives, and metrics consistent with Agency goals and regulatory requirements.
Collaborate with stakeholders to gain alignment on the determination on acceptable levels of risk.
Prioritize security initiatives and spending aligned with overall Agency risk management and financial goals.
Identify requirements and oversee development of Agency cyber-security training.
Staff Management
Responsible for leading the Enterprise Security Office team in fulfilling the mission of the Agency's information security goals.
Develop and enhance employee competence and effectiveness by providing on-going guidance, mentoring, feedback, and motivation to staff.
Create a culture that fully engages employees and empowers others to suggest and make decisions for continuous improvement.
Responsible for assisting recruiting with attracting key talent.
Responsible for employee lifecycle including hiring, providing periodic feedback on performance including writing and delivering annual performance evaluations, promotions, and terminations.
Ensure that ESO has the appropriate tools and resources necessary to accomplish their assigned tasks.
Identify skill development needs and develop training programs.
Incident Response
Provide strategic vision and tactical execution for cybersecurity incident prevention, detection, and response
Oversee incident response planning as well as the investigation of security breaches and assist with disciplinary and legal matters associated with such breaches as necessary.
Set the strategy for the continuous monitoring and protection information systems including oversight of the Agency's Security Operations Center.
Evaluate suspected security breaches and recommend corrective actions (including incidents involving outside vendors).
Advise Executive Leadership during incidents as part of the Agency's Critical Incident Management team.
OTHER DUTIES AND RESPONSIBILITIES
Collaborate with internal and external auditors as appropriate for independent security audits.
Support Information Technology goals by providing leadership and guidance as directed over Information Technology roles not traditionally part of the Enterprise Security Office as well as provide strategic architectural guidance on cross functional solutions.
Other duties as assigned.
Required Skills
Bachelor's degree required in information security, computer science, or related field; experience of ten years in information/physical security, information technology, or risk management related field; and minimum of five years managing network, infrastructure or security staff or roles; or any equivalent combination of experience, training, and/or certification(s).
Experience implementing controls and mitigating risks related to information security and data privacy standards
Experience implementing cloud and other modern security technologies include encryption, network security, intrusion detection, and digital forensics
Experience with IT Risk Management, Information Security, IT control assurance in a central or business aligned support/control/audit functions.
Strong leadership, communication, and people management skills.
Demonstrated integrity and ability to maintain principles under internal and/or external pressure.
High-quality analytical skills, management experience, and exceptional relationship management competencies.
Demonstrated qualitative experience in strategic planning and/or policy development at a senior level.
Effectiveness in communicating recommended courses of action for innovative, business- oriented responses.
Passion for excellence and a demonstrable orientation toward successful staff development.
Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
Proven experience with business continuity and disaster recovery planning, auditing, and risk management, as well as contract and vendor negotiation.
Knowledge and experience in information privacy laws, access, release of information, and release control technologies.
Certified Information Security Management (CISM), Certified Information Systems Security Professional (CISSP) designation or relevant long-term experience required.
Essential Duties AND Responsibilities
Physical Requirements and Work Environment
Perform work required for this position in an office environment and/or via remote or hybrid arrangement.
Available 24/7 as needed.
Remain sedentary for moderate periods of time.
Must be able to communicate both written and verbal (i.e. speak in front of groups of people, email, editing and discussing contracts, etc.).
Must be able to use a personal computer.
Must be able to conduct detailed research.
Must be able to perform basic math skills.
Must be able to have regular and predictable on-site attendance; highly interactive role.
ADDITIONAL KNOWLEDGE, SKILLS, AND ABILITIES
Use logic and reasoning to identify the strengths and weaknesses of alternative solutions, conclusions or approaches to problems and make recommendations.
Ability to prioritize multiple, competing assignments at one time and work independently
Ability to develop a highly effective team
Strong influencing skills
Exceptional written and oral communications skills
Ability to build sustainable competitive advantages through pragmatic, innovative security solutions.
Ability to anticipate, influence, and assist the organization to assess and rapidly adjust to changing conditions and trends (internal and external) of importance to the direction of the organization.