Director of Global Information Security, Risk, Compliance and Privacy
The Director of Global Information Security, Risk, Compliance & Privacy is a business/technology executive who will be responsible for providing leadership in a comprehensive security program and ensuring compliance. The successful candidate will oversee and coordinate CareerBuilder's risk program as part of the security organization. This person is responsible for providing expertise in the areas of compliance, IT audit, risk management, third-party vendor management, privacy, security training and awareness, policy management, monitoring, identifying and investigating security threats and incidents, information security metrics, data protection, software security, oversight of the data protection program, and monitoring the effectiveness of the security risk management and third-party management functions, as well as construction, implementation, oversight and advisory activities at an enterprise level for fraud risk management. They will also assist with sales-related inquiries according to priorities.
The Director has accountability for maintaining, executing, and directing the cyber security, digital security, and data privacy initiatives across the organization to mitigate risk. This role is both tactical and strategic. It is responsible for managing the reporting, investigation, and resolution of data security incidents. In addition, the role provides guidance and direction on best practices for the protection of data and information and on ensuring compliance with regulations and privacy laws.
The Director will maintain and improve CareerBuilder's holistic approach to governance, risk and compliance by applying and integrating industry best practices into the top-level business processes at CareerBuilder. The Director will develop and drive remediation for critical issues by leading process redesign where necessary, will create formal networks with key decision makers, will serve as an external spokesperson for the organization on matters related to security, and will maintain the organization's customer-facing information security documents.
- Maintain and improve a scalable, sustainable, and robust cyber risk management program including governance, assessment, monitoring, and reporting procedures
- Build a cross-functional team of Security, Risk and Compliance & Privacy experts and mature the team's capabilities.
- Adopt defensive secure development practices to help the development and engineering teams build secure products and services.
- Leads ISRCM strategy, with a roadmap of key deliverables and timelines, and delivers consistently
- Measure and maintain a security controls framework that consists of standards, measures, practices, and procedures that provide assurance of compliance with regulatory requirements (NIST CSF & 800-53, ISO 27001, PCI, GDPR, CCPA, SSAE 18, HITRUST and SOX)
- Facilitates the fraud risk assessment to ensure comprehensive coverage of internal and external fraud and to ensure adequacy of coverage for end-to-end processes that span multiple business lines
- Tracks and validates existing fraud risk strategies and designs new proprietary fraud detection strategies
- Responsible for partnering with global teams to ensure cross-functional security needs are met, including Incident Response, Identity and Access Management, Threat and Vulnerability Management, and alerting and monitoring
- Directly responsible for procedures and controls to assure compliance with applicable regulatory and legal requirements as well as good business practices as part of a controls assurance program
- Deploys and maintains an internal and external IT/Security audit program
- Oversees the formal risk analysis and self-assessments program for various Information Services systems and processes
- Deploys and maintains a third-party vendor security management program
- Assists the sales organization in the pre-sales process with partners and customers
- Assists in the design and measurement of privacy controls
- Oversees the security policy, standards and policy exceptions management process, coordinates approval, and updates with appropriate parties. Involves relevant parties for security risk and compliance issues that span legal, compliance and regulatory requirements.
- Monitors the effectiveness of the security risk management and third-party management functions, including assessing the level and quality of service provided by professional services, including software security and security controls assessment services.
- Contributes expertise to help determine requirements and functional specifications for the entire organization
- Manages, coaches, leads, and develops a staff of information security professionals
- Plans and executes the global information security divisional budget
- Improves and maintains CareerBuilder's information security controls framework
- Improves and maintains CareerBuilder's information security compliance framework
- Improves and maintains CareerBuilder's information security risk framework
- Maintains security policy framework
- Performs compliance related activities including attaining and maintaining certifications
- Acts as a key member of the CISO staff and assists with other duties as required
The above statements represent a general outline of principal job functions and should not be construed as a complete description of all aspects and requirements inherent in this job.
- Demonstrated experience dealing with security challenges and issues confronting a large, geographically distributed, departmentally diverse, global, public-facing organization
- 7-10 years' experience in privacy regulations (e.g. GDPR, HIPAA, CCPA, PIPEDA, etc.) and demonstrable experience in the interpretation of and compliance with such regulations in a complex business environment.
- 7-10 years' experience in IT or audit, including specialization in IT security and/or a combination of IT compliance, IT audit, and information security
- 7-10 years' experience managing IT compliance programs and monitoring, with specific emphasis on NIST, ISO, HIPAA, PCI and SSAE 18 related requirements.
- Subject matter expertise with security and compliance lifecycles and industry frameworks, standards, and guidelines (NIST, FISMA, ISO, COBIT, ITIL)
- Experience and expertise in the development, execution, and maintenance of HITRUST compliance or equivalent HIPAA Experience.
- Bachelor's degree in Computer/Information Science (or related BS degree).
- Must be able to build and leverage internal and external relationships, facilitate decisions and results at all levels of the enterprise, and drive strategies and projects to solution.
- Able to manage a wide range of compliance issues relating to information security; coordinate remediation efforts throughout the enterprise; analyze risks and implement mitigation actions.
- Demonstrated analytical and problem-solving skills applied to both technical and business challenges.
- Knowledge of applicable practices and laws relating to data privacy and protection.
- Knowledge of basic software programming paradigms and best practices inclusive of, but not limited to, Privacy by Design and OWASP.
- General knowledge of hardware systems and architectures, both traditional data center and public-cloud.
- Ability to relate regulatory or framework requirements to multiple parties, including both hardware and software engineering staff.
- Experience in strategic planning, budgeting, consulting, and general industry experience.
- Proficient ability to effectively utilize resources throughout the organization as well as external vendors.
- Demonstrated effective leadership and communication skills.
- Experience working in a team-oriented, collaborative environment.
- Demonstrated results orientation, initiative, attention to detail, and customer service orientation.
- Holds, or demonstrates active pursuit of, one or more of the following certifications: CISM, CISA, CGEIT, CRISC, Project Management Professional (PMP) or other related certifications.
This position will work with confidential and proprietary information that requires a signed Employee Non-Disclosure Agreement upon hire.