Responsible for directing the overall firmwide information security program. Accountable for leading the security team, which includes the Cyber Incident Response and Information Security teams, within the IT organization, and responsible for all aspects of Information Security across IT, including strategy, architecture, roadmaps, security policies, security initiatives and education. Provides vision and design oversight for all security initiatives, directs staff activities involving the reactive detection and response to security incidents, and leads the proactive planning and implementation of security controls. Works with business and technology leaders to establish appropriate information security governance for the firm. Primary objective is to provide leadership in protecting the firmwide network and electronic assets of the firm through policy, procedure, education, security operations, and by ensuring that appropriate controls and controls testing are in place to protect intellectual property, client data, and electronic assets of the firm.
- Direct CIRT and Information Security staff in the process of gathering, analyzing and assessing the current and future threat landscape, and provide IT Leadership with a realistic overview of risks and threats in the enterprise environment. Maintain and improve the cyber incident response vision, strategy and plans across the firm. Oversee threat and vulnerability management as well as security governance. Ensure that international, national and local Information Security and Privacy regulations are addressed.
- Work with IT and firm leadership, line of business leaders and national office of risk management (NORM) to maintain and continually develop a national security program, request funding, and appropriate security projects/investments that prioritize and address identified risks. Develop plans to address business security requirements, including legal and legislative compliance to protect intellectual property, client data, and electronic assets.
- Manage a staff of highly technical information security professionals, hire professional staff, conduct performance reviews, and provide leadership and coaching, including technical and personal development programs for team members.
- Responsible for the firm's Information Security Policy, and for other procedures, systems, and practices that ensure operating efficiency and continuous protection of intellectual property, client data, and electronic assets. Provide consultation, guidance, and ongoing education to board members, leadership, and associates on Information Security issues.
- Provide leadership to the advisory committees co-chaired by the CIO and CRO, chair a cross-functional workteam of internally-facing and externally-facing RSM security and risk professionals, and sit on the firmwide Incident Response Task Force to help provide top-down oversight of the firmwide information security program.
- Monitor and report on compliance with security policies. Establish and maintain monitoring, reporting and enforcement of policies across the firm and within the IT organization. Ensure that appropriate security awareness training and identity management practices are in place and followed across the firm.
- Work with the appropriate functional areas and lines of business representatives to ensure the Information Security roadmaps align with existing and planned technology roadmaps.
- Other duties as assigned.
- Bachelor of Science or equivalent experience in an information security/technology leadership role - Required
- CISSP - Required
- CISM, CISA, CEH, GIAC - Preferred
- Master of Science - Preferred
- Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
- An understanding of operating system internals and network protocols.
- Familiarity with the principles of cryptography and cryptanalysis.
- Experience in system technology security testing (vulnerability scanning and penetration testing).
- Experience in application technology security testing (white box, black box and code review).
- Strong project management skills and experience in creating and managing project plans, including budgeting and resource allocation.
- 10 years of experience in a technology security role.
- 7 years of experience working with legal, audit and compliance staff.
- 5 years of experience developing and maintaining policies, procedures, standards and guidelines.
- Subject Matter Expert in applicable industry rules (including knowledge of the security and privacy provisions of a variety of regulations and standards such as PCI, NERC/CIP, SOX, HIPAA/HITECH, FFIEC, and EU Privacy Laws), and expertise in Information Security best practices and implementing Information Security Frameworks.
- Experience presenting to C-level executives and Boards of Directors.
- Experience with multiple information security management frameworks, such as the NIST Cyber Security Framework, International Standards Organization (ISO) 2700x, NIST 800 series, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) frameworks.
- Proficiency in performing and reporting risk, business impact, control and vulnerability assessments, and in defining treatment strategies. Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
- Experience managing IT emergency response, identity management and security awareness programs.
- Strong leadership skills and the ability to work effectively with business managers, IT engineering and IT operations staff.
- Ability to influence without authority.
- Ability to build strong relationships across lines of business, functional areas, and outside vendors.
- Understands and is able to articulate business imperatives, as well as the business impact of security tools, technologies and policies.
- Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively across the entire organization.
- Ability to be recognized as a leader and SME in technology security by project and application development teams, management and business personnel.
- In-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; an excellent understanding of information security concepts, protocols, industry best practices and strategies.
Please note that this position can be located in any RSM office in the U.S.
You want your next step to be the right one. You've worked hard to get where you are today. And now you're ready to use your unique skills, talents and personality to achieve great things. RSM is a place where you are valued as an individual, mentored as a future leader, and recognized for your accomplishments and potential. Working directly with clients, key decision makers and business owners across various industries and geographies, you'll move quickly along the learning curve and our clients will benefit from your fresh perspective.
Experience RSM US. Experience the power of being understood.
RSM is an equal opportunity/affirmative action employer. Minorities/Females/Disabled/Veterans.