Job Details
Description
The role of the VP of Information Security is to provide the leadership and guidance necessary for an organization to manage the risks to the confidentiality, integrity, and availability of the organization's intellectual property and information technology assets.
Reporting to the Chief Information Officer, this IT Leader will be dedicated to Information Security and compliance. The position is responsible for the development and enforcement of Revlon’s security compliance policies, strategies, and Revlon’s adherence to legal requirements and IT standards. The position oversees and directs information security programs and security efforts across the company, encompassing information technology, and communications, legal, intellectual, and personnel data and systems. The position is also responsible for some level of physical security, such as data center access and protection, as well as the design and implementation of preventative security standards, procedures, and programs.
The VP of Information Security is also responsible for establishing and enforcing policies and protocols that protect the organization's digital and physical assets and leads a team of IT security professionals who investigate possible cyber-crime or data breaches and monitor information security risks. The candidate will also direct the response to security incidents through policy and process and conduct the investigation of security breaches. This IT leader will work with the Vice President, Technology, Security & Infrastructure, the Chief Compliance Officer, the head of Global Security, senior Human Resources partners, and department heads with regard to communications and disciplinary actions related to internet and computer indiscretions, crimes, and cyber-fraud.
This strategic role will bridge the technical and business worlds and is accountable for driving and supporting the creation, enhancement, and implementation of internal security systems strategy for key business functions and the overall planning, execution, and success of systems projects across the company.
Essential Duties and Responsibilities:
- Establish and maintain global security policies, standards, guidelines, metrics, and implement processes and procedures to ensure an acceptable risk level is maintained with adherence to a recognized framework.
- Information protection responsibilities will include network security architecture, network access and monitoring, data access and monitoring, identity and access management, and employee education and awareness. Physical protection responsibilities will include asset protection, access control systems, and video surveillance (where applicable).
- Review and approve security and compliance policies and controls to manage risk, such as but not limited to, data loss prevention, identity and access management, fraud prevention, intrusion and penetration management, privacy and compliance, and business continuity planning.
- Oversee a team of IT security professionals, whose mandate is to manage risk and safeguard the company’s assets, intellectual property, and computer systems and adhere to any legal compliance requirements.
- Identify and approve the selection and design of security processes, systems, tools, and devices, and maintain ongoing support and currency of such processes, systems, tools, and devices.
- Establish and manage the Information Security, Cyber Security, and Risk Management Strategy, inclusive of the Incident Response Policy and Process.
- Oversee incident response planning as it pertains to the security and compliance landscape. Investigate security breaches and participate in disciplinary and legal matters associated with such breaches as necessary. Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities.
- Ensure the environment operates at the highest level of compliance with Sarbanes-Oxley requirements and GDPR, PCI, PII, PFI & PHI compliance. Maintain currency with all levels of information compliance on a global basis.
- Will participate as an active member of the Revlon Crisis Management team.
- Maintain a current understanding of security standards and regulations and ensure compliance with changing laws and applicable regulations; translate that knowledge into the identification of risks and actionable plans to protect the business.
- Maintain and communicate the threat landscape for the industry and develop plans to address it.
- Maintain technology currency and liaise with the external providers and services to identify opportunities to leverage technology to the benefit of the business.
- Develop and publish fact and data-driven reporting of security threats and incidents.
- Vendor management responsibilities including negotiation of contracts/renewals to ensure the best value (service levels vs. cost), including the RFP process to select providers/partners.
- Liaise with the global IT Application and Information Delivery teams to ensure that developments are consistent and compliant with Change Control, Software Development Life Cycle, and Risk Management policies and processes.
- Adhere to Problem management service level agreements.
- Operate according to the Company’s approved Methodologies and Policies.
- Identify protection goals, objectives, and metrics consistent with corporate risk management strategy.
- Schedule periodic security audits and penetration tests and track remediation of all issues identified.
- Ensures that security policies and procedures are communicated to all personnel and that compliance is enforced.
- Develop, execute and oversee security training of all global employees.
- Develop and oversee a global security communication plan inclusive of metrics and KPIs
- Ability to travel up to 30%
Additional Responsibilities:
- Provide advice on key decisions and strategy for the business related to all aspects of Information Security
- Responsible for providing information technology leadership to the business organization
- Support complex systems implementations or can be called upon to lead specific areas of implementation.
- Functions as a consulting resource on system development plans and issues as required by management
- Works with business clients to resolve process and system issues as required
- As needed reviews cross-functional requirements and makes recommendations as they relate to information technology or as assigned.
- Recognizes and identifies potential areas where existing policies and procedures require change, or where new ones need to be developed, especially related to information security, cybersecurity, etc.
Competencies:
- Strive for Excellence: demonstrates a passionate desire to win in the marketplace and grow the business. Sets ambitious goals for the function and self
- Innovative: creates new and better solutions to ensure a competitive advantage
- Change Ready: demonstrates the ability to flex with changes within an organization and the capability to navigate through and champion change
- Collaborative: involves key partners appropriately and makes sure the right people are informed. Fosters teamwork and open communication at all levels of the organization.
- Self-Aware: demonstrates awareness of his/her strengths and weaknesses on a professional, technical and personal level.
- Job Knowledge: possesses sufficient technical expertise and experience to perform assigned duties in a successful and competent manner
Interpersonal Skills:
- Strong collaborative skills to work across multiple stakeholder groups to translate business strategies, initiatives, goals, and objectives
- Ability to communicate technical concepts and break down complex business problems into easily understood communications
- Leadership quality including the ability to motivate, inspire, counsel, and facilitate individuals and teams to take responsibility and accountability for the goals
- Transformational Leadership skills with a deep understanding and practical application of change management framework that will enable the continued transition of activities in alignment with our Revlon strategy
- Strategic thinking/problem solving
- Proven team leadership/coaching/mentoring
- Negotiation, facilitation, stakeholder management
- Cost/quality/schedule controls
- Must be able to disarm anger and constructively handle complaints. Ability to mediate differences among large numbers of organizational groups with differing and often conflicting goals and motives.
- Must have the ability to motivate and maintain good morale and productivity and create and maintain team spirit and harmony.
- Must have strong customer service and interpersonal skills, ability to coordinate and work with others to accomplish assigned tasks.
- Excellent ability to work collaboratively with individuals and groups from a wide variety of backgrounds and organizational levels, to incorporate their ideas, adapt to their needs, and form a consensus in appropriate situations.
- Excellent supervisory and leadership skills to coach and mentor direct reports to develop talent and next-generation leaders
- Skilled at conflict resolution and problem-solving to achieve win-win outcomes
Exceptional Communication Skills:
- Strong interpersonal and communication skills
- Influence, collaboration, and expectation management to work with Global Information Technology and business teams to deliver expected results
Education and Experience Required:
Experience Required
- 12-15 years of experience in Information Security and Risk Management with at least 5 years of leading
- Experience with contract and vendor negotiations and management including managed services.
- Experience with Cloud computing/Elastic computing across virtualized environments as it relates to information security.
Education Required
- Bachelor’s degree in information technology or related discipline or equivalent from an accredited college or university (or an equivalent combination of education and business experience)
- Professional security management certification – CISSP / CISA
- Significant knowledge of common information security management frameworks, such as ISO/IEC 27001, GDPR, PCI, NIST, etc. is highly desired