Dir IT Security (Risk & Compliance)
About the Job
As part of a cross-functional Information Security & Compliance team, the Director IT Security (Risk & Compliance) leads the general information risk, governance, and compliance initiatives and activities to ensure internal and external cyber regulatory compliance and to appropriately manage risk while securing information assets. This role leads the development and continuous improvement of policies, processes, and governance. The Director's primary responsibility is to direct the execution of risk prioritization for the business, to oversee risk assessments and security audits, and to serve as an ambassador to stakeholders in the Business Units, Legal, HR, and IT. Additionally, this role is responsible for strategically managing the information risk posture of the company and reporting it to executive management.
- Create and manage an IT compliance and risk assessment framework and regularly assess the regulatory and organizational risk to drive decisions on appropriate risk management responses of mitigation, acceptance or transfer.
- As the liaison to stakeholders, enable the business through broad leadership, inspiring staff and influencing peers across IT and Business Leadership to understand and manage risk, improve regulatory compliance, and implement appropriate security technology and processes.
- Manage internal and external security regulatory compliance and audit processes (e.g., PCI, HIPAA, GLBA).
- Manage, guide, grow, coach, and support direct reports, including establishing and measuring performance against clear objectives to achieve success.
- Lead strategic security planning in balancing business goals and prioritization of risk mitigation initiatives, ultimately driving the technical and process improvement roadmap.
- Manage the third-party risk process for business partners, affiliates, and subsidiaries, and review contracts to ensure appropriate data safeguards are included.
- Partner with internal and external designers, engineers and management to ensure AEG system requirements for applications, data, infrastructure, and cloud services are developed securely.
- Manage the creation and maintenance of a comprehensive education and awareness program.
- Collaborate with leaders across the organization to share solutions and best practices.
- Manage the development and implementation of security policies, practices, and standards.
- A minimum education level of a BA/BS degree (4-year) in Information Technology, CS/Engineering, Economics, or Business (advanced degree preferred)
- A minimum of 7-10 years of related work experience, including 3 years demonstrated leadership experience
- Proven track record and experience in developing and maintaining information security policy, standards and guidelines
- Strong written and verbal communication skills, with the ability to create and present technical and risk recommendations to executive management as well as to influence and persuade others
- Conceptual understanding with deep and broad expertise over multiple security subject areas and significant applied experience
- Experience with PCI compliance and the related processes, operations, and compliance reporting
- Diverse technical background in Security and Risk Management combined with significant organizational and industry awareness and knowledge
- Experience managing multiple projects of diverse scope and effectively collaborating in a cross-functional team environment
- Experience with security industry standards (ISO 27001, NIST Cybersecurity Framework, PCI)
- Proficiency with Microsoft Office Suite (Outlook, Word, Excel, Office 365); and ability to learn all required business systems
- Knowledge and understanding of relevant legal and regulatory requirements, such as the Sarbanes-Oxley Act (SOX), the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and requirements governing Personally Identifiable Information (PII).
- Strong project management and organizational skills with the ability to manage multiple projects simultaneously
- Experience in developing or formalizing enterprise risk management (ERM)
- Ability to combine strategic business and technical direction and translate concepts into actionable implementation plans.
- IT security certifications (CISSP, CISM, CISA, GIAC, CEH or similar)
AEG reserves the right to change or modify the employee's job description whether orally or in writing, at any time during the employment relationship. AEG may require an employee to perform duties outside his/her normal description.