**Description:**
Position Summary:
The Chief Information Security Officer (CISO) position provides leadership and oversight in the strategic planning, execution, and assessment of all company cyber security strategies, policies, procedures and guiding practices to be implemented at ELC. The CISO establishes and maintains a comprehensive information security program to ensure that all information assets are adequately protected against current and future internal and external threats. The position is responsible for identifying, directing, coordinating, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements while enabling the Company to develop an anticipatory response to minimize information security risk. The CISO position acts as the key liaison and focal point for all information security communications and projects, and coordinates the necessary alignment of internal staff and other GIS areas. The position is also responsible for security budgeting, project prioritization, and advice to the executive team in matters of cyber security.
Key Responsibilities:
The CISO serves as the budget authority for IT security initiatives. They may indirectly influence additional IT expenditures in equipment purchases as needed.
Strategic Planning 30% of Time
Provides executive leadership, vision and managerial oversight in the development and implementation of the cyber security strategy to define state-of-the-art policies and processes that enable the Company to establish consistent, effective information security practices and minimize risk. The CISO determines projects and priorities for all information security issues. Establishes short- and long-range business plans to achieve the security vision defined in the Company’s strategic plan.
Tasks:
· Determines enterprise-wide vision for information security issues, policies, standards, priorities and projects.
· Identifies security protection goals, objectives and metrics consistent with the strategic plan and priorities.
· Determines information security resources including budget, staff, training needs and resource allocation.
· Evaluates proposed project plans and determines priorities for major initiatives and ensures proper implementation of programs and projects.
· Ensures that the department is compliant with current global legislation; provides vision and anticipates potential legislation at the federal and state level, and determines proactive responses.
· Continually educates management on changes in information security as well as threats on a global level.
· Reviews standards for information security from multiple sources including the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI) and ISO.
· Plans for incident-specific responses as well as disaster recovery planning.
· Uses an integrated risk management approach to create executive level perspectives and status reports regarding all security risks that the Company may encounter; this includes risks in physical security, access and control issues, data security and contingency planning.
· Serves as the ELC “champion” to promote information security disciplines and new information security technologies; ensures that state-of-the-art approaches are used.
· Acts as primary change agent to facilitate improvements in information security.
Security Oversight 40% of Time
Oversees daily cyber security activities for the entire company to manage risk at an appropriate level, ensure effective response to incidents, and optimize secure data access and utilization.
Tasks:
· Serving as CISO, determines enterprise-wide information security policy, procedures, standards, and guidance consistent with departmental and federal requirements.
o Development/Drafting of ELC Information Security Policies
o Shepherding Policies and Standards through governance processes for formal approval
o Ensure that Executive Branch entities are acting to comply with Information Security Policies
· Ensures the completion of reviews to ensure that all systems have effective, quality information security documentation in place including:
o Proper access controls and identity verification in place
o Risk assessment and mitigation plan for all information security issues within the enterprise.
o Qualitative risk assessments conforming to NIST and other appropriate standards
o Current and effective IT security plans that integrate into all stages of the system life cycle
o Ongoing system self-assessments
o Current certification and accreditation that conforms to NIST and other appropriate standards
· As noted under Strategic Planning, the CISO monitors compliance with State and Federal regulations for information security of employee data and financial information, responses to identity theft, and other compliance issues such as HIPAA, PCI, SOX, FISMA and the Cyber Security Act of 2009 (as proposed).
· Coordinates enterprise-wide information system access control including identity verification system.
· Responds to data security breaches and leads the development of appropriate tracking / reporting systems.
· Arranges for training, technical assistance and implementation services as needed, particularly with smaller affiliates.
· Provides sound fiscal management including budgetary role for proper staffing and expenditures.
Technical Advisor 10% of Time
Directs the communication and dissemination of information security standards, and advises the company regarding internal or external data security potential threats; provides testimony and technical guidance to legislators and the judiciary, serves as media relations liaison.
Tasks:
· Establishes and enforces a process to ensure that all users receive appropriate information security training to perform their duties, along with periodic information security awareness training; ensures appropriate levels of information security awareness and personal responsibility.
· Provides subject matter expertise to the ELC executive management team, legislators and the judiciary.
· Determines appropriate certification requirements for enterprise information security personnel.
· Approves policies, standards and procedures to deal with information security threats that can be implemented by the various security teams and local information resources.
· Determines appropriate metrics, tools and processes for local agencies.
· Develops a process to brief key constituencies (e.g., legal, executive management, and information security staff) on key issues, reports and significant attacks/threats.
· Serves as liaison and spokesperson to print and electronic news media on information security issues.
· Acts as key liaison and technical resource to brief judiciary and legislative body on matters pertaining to information security; testifies before appropriate committees.
· Chairs the Cyber Security Advisory Team.
· Conducts research on information security issues and changing legislation as well as threats.
Threat Assessment and Response 10% of Time
Manages the information security team to proactively analyze and directly respond to internal and external threats to system stability, including unauthorized access, vulnerability assessments and recorded access attempts; minimizes/mitigates risk to information and systems.
Tasks:
· Oversees evaluation and final approval of company information security procurement.
· Evaluates and purchases software and develops automated systems to maintain state-of-the-art vulnerability assessment.
· Ensures continuous monitoring and tracking of all company systems against potential threats including hackers, software flaws, viruses, spyware, phishing and self-adaptive or mutating computer threats.
· Develops effective communication system to quickly disseminate information and solutions to manage potential threats and mitigate risk.
· Receives continual updates on potential threats and implements patches or responses within hours.
· Develops contingency plans to respond to potential threats and security breaches.
· Develops and annually tests disaster recovery plans; conducts “what if” analysis and response scenarios.
· Manages the security incident response team to handle intrusion detection, including digital forensics, in activities such as:
o Intrusion detection assessment
o Risk identification, severity evaluation, potential impact analysis and solution generation
o Determines appropriate response and disseminates information
o Works with law enforcement (State or Federal) to preserve evidence and assist with prosecution including federal Cybercrimes Task Force.
Functional Management 10% of Time
Provides leadership, direction, oversight and support to the ELC organization and represents it to external constituents. Manages the human resources activities of Information Security in accordance with established policies, procedures, and labor contracts.
Tasks:
· Provides leadership to foster a culture of customer service, disciplined business conduct, and healthy communication.
· Directs and manages implementation of established policies and procedures.
· Optimizes resource use and fosters linkages with other business units within ELC.
· Oversees development of fair and effective hiring processes to assess the qualifications of candidates to perform job duties.
· Defines the work and roles of subordinate staff, and establishes performance goals and standards for each function.
· Conducts performance reviews for subordinate staff and provides coaching and staff performance feedback.
· Directs employees in the successful execution of job responsibilities to achieve their annual work plan objectives.
Additional Considerations
Relationship Building
This position requires the ability to create, manage and maintain effective relationships with a wide range of individuals and groups to provide technical and managerial counsel, and to influence others with a broad array of information. The position also requires the building of relationships with managers, supervisors and professional staff in other organizations within ELC.
The position requires the ability to manage staff who possess highly technical skills and abilities, and who function in a rapidly changing environment.
The position requires advanced knowledge of:
· Information security technologies, markets and vendors including firewall, intrusion detection, assessment tools, encryption, certificate authority, web, and application development
· Information systems industry and best practices in network, application and hardware platform security
· Audit and assessment methodologies, procedures and best practices that relate to information networks, systems, and applications
· Application security, database technologies used to store enterprise information, directory services, financial information, and information systems auditing
· Identity and access management, security program policies, processes, standards, requirements and procedures and various supporting security technologies
The position must possess well-developed skills in:
· Managing advanced information security technical staff within the environment
· Understanding business objectives and the planning processes to achieve them as well as legislative and political processes that influence them
· Communicating technical issues to non-technical employees
· Motivating and supporting staff to achieve business goals
· Communicating industry standards, best practices, testing techniques, and the interpretation of assessment, and testing results for customers
· Interpreting industry best practice information and assessment results to provide consultative direction to clientele
· Providing assistance in the identification, prioritization and remediation of information systems vulnerabilities to diverse users
· Managing large and complex projects to plan, manage and coordinate diverse enterprise technical projects
· Leading complex projects, establishing priorities, allocating resources / workloads in a team environment
· Developing collaboration among the internal stakeholders and groups and to motivate them to act on requirements and recommendations for change
The position must demonstrate the ability to:
· Apply in-depth critical and analytic thinking skills to unique problems and projects to provide effective assessment and solution generation; models or solutions are not readily available
· React quickly and effectively to daily threats from external and internal sources on a 24/7 basis
· Lead the development of response options, and quickly disseminate technical plans/solutions for varied audiences; these solutions may include automated response systems
· Oversee fiscal and budgetary controls; advise management on the current and planned needs
Problem Solving And Creativity:
· Problem solving and creativity are critical to this position to resolve complex issues of a time-sensitive managerial, technical, administrative, legal, political, diplomatic and operational nature. The CISO is responsible for responding to 30-50 new vulnerabilities daily, often with little guidance and few predetermined solutions. Given the nature of internet threats and rapid infiltration on a global basis, the position oversees a 24/7 monitoring operation and the critical review of vulnerabilities and responses. Working with other CISOs, vendors and federal organizations, the position directs staff in the proactive assessment of daily threats, establishes new standards, and reacts effectively to documented threats with unique solutions for which defenses must be quickly evaluated, tested and implemented across multiple platforms and systems.
· The CISO also leads the effort to set the corporate strategy to address cyber security threats and coordinates activities with internal departments including legal, HR and Internal Control.
**Qualifications:**
· Bachelor's Degree
· Minimum of 10 years related experience
· 10-15 years of information technology experience, including
· 5 years of management experience with a solid background in information security and privacy protection key function areas; enterprise-wide administration expertise highly preferred.
· Combination of education, experience and training must qualify the candidate as an information security expert.
· Current security certifications, including CISSP, CISA or CISM, are highly desired.
*EEO*
We are an equal opportunity employer. Minorities, women, veterans, and individuals with disabilities are encouraged to apply.
**Organization:** Estée Lauder Companies Corporate Departments
**Primary Location:** Americas-United States-New York-Melville
**Schedule:** Full-time
**Shift:** 1st (Day) Shift
**Travel:** Yes, 25% of the time
**Job Type:** Standard
**Req ID:** 142332