
Manager – Information Security & Compliance

Lulu center

  • United Arab Emirates

Salary

  • AED 20000 - AED 26000 per month

Job Type

  • Full-Time

No. of Vacancies

  • 1

Job Description

Job Title: Manager – Information Security & Compliance

Roles & Responsibilities:

We are seeking an experienced Information Security and Compliance Manager to lead and oversee the development, implementation, and management of our information security and business continuity programs. This role is crucial in safeguarding our organization's sensitive data, ensuring business resilience, and maintaining compliance with regulatory requirements.

- Develop, implement, and monitor short- and long-term enterprise information security, IT risk management, and data protection programs to ensure the integrity, confidentiality, and availability of information owned, controlled, or processed by the organization.
- Develop, maintain, and publish up-to-date information security policies, standards, and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
- Lead the implementation of ISO 27001/17, PCI DSS, and ISO 20000 standards, and of privacy programs.
- Ensure company employees and vendors adhere to information security policies and procedures.
- Ensure that security programs comply with relevant laws, regulations, and policies to minimize or eliminate risk and audit findings.
- Develop and manage information security and risk management awareness training programs for all employees and contractors.
- Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data, and the company's reputation.
- Manage day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans, and communicate information about residual risk.
- Develop and oversee effective disaster recovery policies and standards aligned with the goals of the enterprise business continuity management program. Coordinate the development and implementation of plans and procedures that ensure business-critical services are recovered after a security incident or other disruption. Provide direction, support, and in-house consulting in these areas.
- Create, communicate, and implement a risk-based process for vendor risk management, including assessment and treatment of risks from partners, consultants, and other service providers.
- Manage outsourced vendors providing information security functions for compliance with contracted service-level agreements.
- Work directly with business units to facilitate IT risk assessment and risk management processes. Collaborate with stakeholders throughout the enterprise to identify acceptable levels of residual risk.
- Establish a metrics and reporting framework to measure program efficiency and effectiveness, facilitate resource allocation, and increase security maturity.
- Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
- Collaborate with stakeholders to identify information asset owners for data classification as part of a control framework implementation.
- Recommend and coordinate implementation of technical controls to support and enforce defined security policies.
- Develop a strong working relationship with the security engineering team to implement controls and configurations aligned with security policies and legal, regulatory, and audit requirements.
- Monitor the external threat environment for emerging threats and advise relevant stakeholders on appropriate actions.
- Manage and coordinate operational components of incident management, including detection, response, and reporting.
- Maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and applicable laws and regulations.
- Ensure audit trails, system logs, and other monitoring data sources are reviewed periodically and comply with policies and audit requirements.
- Design, coordinate, and oversee security testing procedures to verify system, network, and application security and recommend remediation of identified risks.

Desired Candidate Profile:

Requirements, Experience, and Qualifications

- Minimum of seven years of IT experience, with at least five years in an information security role and two years in a supervisory capacity.
- Bachelor's degree in Information Security, Computer Science, or a related field. A master's degree is preferred.
- Professional certifications such as CISSP, CISM, ISO 27001 Lead Auditor, CBCP, and ITIL, and credentials covering PCI DSS and GDPR, are highly desirable.
- Experience with common information security management frameworks, and knowledge of relevant legal and regulatory requirements.
- Strong leadership skills with the ability to collaborate effectively with business managers, IT engineering, and IT operations staff.
- Effective communication skills, with the ability to convey complex technical concepts to non-technical stakeholders.
- Proficiency in performing risk assessments, business impact analysis, control assessments, vulnerability assessments, and defining treatment strategies.

Employment Type:

- Full Time
