Chief Information Security Officer ("CISO")
The chief information security officer ("CISO") is responsible for maintaining, enhancing and overseeing an information security program, including the governance, management, and advising on or coordinating as appropriate, the information security efforts across the organization. This position reports to the Chief Information Officer and will be a member of the Information Security Management Leadership team. Working with senior management and the General Counsel in the Legal Department, the CISO will maintain and enhance as needed a firm-wide information security strategy and vision. The CISO oversees the maintenance and enhancement of information security policies and procedures, leads security risk assessment efforts, and drives information security awareness and training programs. He or she also advises and collaborates on the development of business continuity and disaster recovery plans, audit, vendor management, and regulatory compliance practices. The candidate will work closely with the CIO, technology security partners, and business stakeholders to ensure the information security program follows industry best practices; meets SEC, FINRA, NFA, and other regulatory and legal requirements; and aligns with company business objectives.
The CISO will provide leadership and work in partnership with the business and individuals across the organization to maintain and enhance security policies and procedures, assess security risk, and establish strategic direction. The CISO will be responsible for maintaining and enhancing existing standards and practices to manage the confidentiality, integrity and availability of assets and data. The CISO will oversee the governance and management of the information security program, and will advance its overall mission to identify and mitigate any information security-related risks that could potentially create inappropriate exposure to the business or its clients' data.
Specific Responsibilities include:
- Provides risk assessments, risk reports, strategy and operating model, program updates, and advises the Risk Management Steering Committee on all matters pertaining to information security and their potential impact on the firm.
- Accountable for the maintenance, enhancements, and monitoring of a strategic, risk management based, information security program to ensure the availability, integrity and confidentiality of information across the company and at its service providers.
- Collaborates with the Chief Privacy Officer on maintaining, enhancing, and monitoring the identity theft program.
- Provides leadership in the analysis and discussion of security policies, standards and practices, and guides the acquisition of advanced security controls.
- Responsible for employee information security education and awareness.
- In conjunction with colleagues from Legal and Compliance, evaluates and disseminates regulatory information security rules, laws, and best practices, and collaborates with internal and external counsel as needed.
- Collaborates with the Vendor Management Committee on identifying and addressing third-party service provider security risks.
- Responsible for threat intelligence and information sharing activities through participation in industry security groups, and collaborates with internal technology partners.
- Evaluates security risk and acts expeditiously in making decisions and recommendations, while considering the business impact.
- Leads and coordinates, internally and externally, responses to security incidents, providing timely reports during the incident and remediation, as well as proposing solutions to anticipate, prevent, or mitigate future incidents.
- Creates or enhances security policies, standards, processes and procedures.
- Responsible for maintaining and enhancing, as applicable, the Firm's Incident Response Policy and protocol.
- Collaborates with senior business representatives in the RIM Committee to develop and review new security policies relevant to changing conditions and priorities.
- Enhances and maintains information security risk mitigation plans, including leading the security incident response team in prevention, investigation, mitigation and reporting activities.
- Oversees outside consultants for independent security audits, engagements and monitoring, including regular penetration and vulnerability testing.
- Stays up-to-date on information security and safety protocols.
- Balances information security needs with the organization's strategic business plan, identifies risk factors with evolving business plans, and proposes mitigating solutions.
- Collaborates with Human Resources and Operations on best practices for physical security.
- Provides information security program updates and risk assessments and analysis to senior management and external constituencies, including fund boards, consultants, and clients.
- Performs other duties as assigned.
Qualifications include:
- A degree in Computer Science, Information Systems Management, Business Administration, Risk Management, or a related field.
- Certification as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Security Manager (CISM).
- Knowledge of information security frameworks and standards, such as NIST and ISO 27002.
- Demonstrated experience with information security policy and governance.
- Demonstrated leadership experience as evidenced by successful program adoption in the asset management or finance space.
- Demonstrated accomplishments in program leadership, policy development, management, and risk assessments.
- Demonstrated strong interpersonal and communications skills, plus the ability to achieve goals through influence, collaboration and cooperation.
- Demonstrated ability to work with senior management and technology partners.
- Knowledge of incident response planning and forensics investigations.
- Integrity and high standards of personal and professional conduct.
- Demonstrated knowledge of data classification and protection strategies/controls, including data leakage and monitoring best practices.
- Strong knowledge of regulatory rules and standards that govern information security practices in the financial services industry, such as SEC, FINRA, CFTC/NFA, and state and federal privacy laws.
- Strong written and oral communication skills, including the ability to interact directly with business partners who do not have a security background.
- Advanced degree in the field of information security or security studies.
- Direct experience in information security risk management and governance.
- 10+ years of experience with information security policy and program management.
- 5+ years of demonstrated leadership experience as a CISO.
- Experience working in the financial services industry, preferably for an asset management company.