| Web Announcement |
Chief Information Security Officer & Assistant Vice President
George Mason University, Information Technology Services (ITS)-located in Fairfax, Virginia-is seeking a Chief Information Security Officer (CISO) & Assistant Vice President (AVP) to ensure that Mason has the right culture, leadership, processes, technology, and tools to effectively meet today’s and tomorrow’s information security threats. The CISO/AVP will provide vision and leadership to oversee and enhance an information security program for the university, including its central and its decentralized computing environments. The CISO/AVP will report to Mason’s Vice President for Information Technology and Chief Information Officer (CIO) and will be a member of the ITS leadership team. The CISO/AVP will also dotted line report to Mason’s Senior Vice President for Administration & Finance.
George Mason University has a strong institutional commitment to the achievement of excellence and diversity among its faculty and staff, and strongly encourages candidates to apply who will enrich Mason’s academic and culturally inclusive environment.
Responsibilities:
The CISO/AVP will provide leadership for the development and implementation of information security strategy, policy, standards, architecture, processes, and assessments to ensure that information assets and critical processes are adequately protected with acceptable levels of controls. The CISO/AVP will build and implement a broad-based strategic roadmap for security. The CISO/AVP will have substantial influence and direction over IT Security, Network Security, and the budget issues that arise in determining necessary information security steps. The CISO/AVP will be responsible for managing the Information Technology Security Office (ITSO), including its seven staff; evolving the overall information security management program; enforcing adoption of standards and practices across the university; and balancing information security requirements with other business objectives.
Specific Responsibilities include:
Policy & Program Leadership
-
Develop, communicate, and oversee the implementation of a strategic, comprehensive information security and risk program roadmap for the university. Provide leadership across the university in information technology security processes, policies, practices, and services.
-
Engage executives and university members, including leadership, faculty and administrators in Mason’s schools, departments and research organizations, to adopt and foster a culture of data
protection and information security awareness and responsibility, including at the individual level.
-
Work with Mason leadership to identify risks to the confidentiality, integrity, and availability of university systems and data.
-
Provide leadership in the development and enforcement of security and associated policies, standards and practices.
-
Provide leadership to the ITSO in the analysis, discussion, and development of security governance and framework, and guide the acquisition of advanced security technologies.
-
Provide guidance and influence the university with regard to network and computing security needs in selecting hardware and software technologies, choosing between commercial and open
source software, and determining whether services should be local or cloud-based.
-
Collaborate with and support IT colleagues, both centrally and in distributed spaces, to monitor, assess, and test security solutions.
-
Report regularly the status of information security risks and program maturity to executives and the Board’s Audit Committee.
-
Serve as a representative of Mason and ambassador of its security program to external forums, consortiums and industry events.
-
Attract and recruit top talent, motivate the team, delegate effectively, celebrate diversity within the team, and manage performance; be widely viewed as a strong developer of talent.
Compliance, Audit & Standards:
-
Develop and implement an enhanced information security governance framework to guide Mason’s information security efforts related to compliance, audit, and regulatory standards.
-
Coordinate and track information security related audits at all internal, state, and federal levels and provide guidance, evaluation, and advocacy on institutional audit responses.
-
Ensure that the ITSO provides timely and documented responses to security concerns of IT projects via Mason’s Architectural Standards Review Board or project management processes as part of a holistic risk management program.
-
Develop and implement plans (in cooperation with other departments) to ensure compliance with applicable laws, regulations, and requirements, including, but not limited to: FERPA (Family Educational Rights and Privacy Act), GLBA (Graham-Leach-Bliley Act), HIPAA (Health Insurance
Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), the DMCA (Digital Millennium Copyright Act), GDPR (the European Union’s General Data Protection Regulation), and CUI (Controlled Unclassified Information).
-
Ensure that IT Security policies are up to date and provide appropriate protections for Mason.
-
Regularly assess implemented control activities for effectiveness in comparison with Mason security policy and nationally recognized frameworks. Report results and track remediation efforts towards sustainable implementation.
Risk Management & Incident Response:
-
Manage a broad range of complex security and risk-related issues in the university’s central and its decentralized computing environments.
-
Continually evaluate risks and act expeditiously in making decisions and recommendations, while considering the technology environment as well as the varying needs and viewpoints of the university community and its unique requirements.
-
Evaluate Mason’s security environment and provide strategic risk guidance for technical controls to implement appropriate defenses and safeguards.
-
Lead and coordinate institutional responses to security incidents, providing timely reports during the incident and remediation, as well as propose solutions to prevent or mitigate future incidents.
-
Track security incidents and administer a Mason-wide IT Security Risk Management Program.
-
Work with IT and communications teams to address communication needs associated with security incidents, from isolated phishing attacks to security breaches.
-
Manage Mason staff who are deploying enterprise-level security tools such as FireEye, Splunk and others.
-
Assist in establishing best practices and procedures for information assurance, disaster recovery and business continuity.
-
Provide consultation, guidance, and investigation regarding information security, policy and security education and training.
-
Document and publish security standards, processes and procedures that the university
community is expected to meet and uphold.
-
Develop and enhance an information security and risk management awareness training program for all employees, contractors, and approved system users.
-
Provide recommendations on security best practices and designate approved security software for Mason use.
-
Perform IT security risk assessments, including vendor assessments. Report results and track remediation efforts towards sustainable implementation.
Required Qualifications:
-
A Master’s degree in Computer Science, Information Systems Management, Business Administration or a related field; or equivalent combination of education and experience;
-
Certification as a Certified Information Security Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Security Manager (CISM);
-
Demonstrated experience with security policy and administration, at least 10 years is preferred;
-
Demonstrated experience with evolving state-of-the-art information security technologies and approaches;
-
Demonstrated leadership experience (at least 10 years preferred);
-
Demonstrated accomplishments in program leadership, policy development, and project management;
-
Experience and skill in developing and administering policy and procedure in a complex and decentralized environment;
-
Experience with information system auditing including security reviews, control selection, and evaluation of systems using a risk-based approach;
-
Demonstrated strong interpersonal and communications skills, plus the ability to achieve goals through influence, collaboration, and cooperation;
-
Demonstrated ability to communicate technical concepts and solutions to both technical and non-technical audiences;
-
Demonstrated ability to work with senior university staff and senior technical personnel;
-
Expertise in risk management approaches to assess and address security and other types of Information Technology-related risks;
-
Knowledge of computer forensic investigation methodology and investigation tools to collect, analyze, and preserve electronic evidence;
-
Integrity and high standards of personal and professional conduct;
-
Knowledge and experience with security related regulatory compliance topics;
-
Experience with IT security standards or frameworks such as NIST 800; and
-
Must be eligible to work in secure computing environments including International Traffic in Arms Regulations (ITAR) and Controlled Unclassified Information (CUI).
Preferred Qualifications:
- Direct experience in the specific technical areas of systems administration, applications development, database administration, network operations, or data center operations; and
- Experience working in a higher education or a research environment.
Mason is assisted in this search by Russell Reynolds Associates, a leading global executive search and leadership advisory firm. Inquiries, nominations and applications are invited. Interested candidates should submit confidentially, in electronic form (Microsoft Word or Adobe PDF files preferred), a curriculum vitae and letter of interest to
GMU.CISO@russellreynolds.com
All materials and inquiries will be held in strict confidence until the completion of the search.
|