University of Michigan Information and Technology Services
October 1, 2018
Ann Arbor, Michigan
Full Time - Experienced
Executive Level Management
4 Year Degree
A comprehensive job posting/description of the Chief Information Security Officer is available for review on the U-M careers.umich.edu website.
The Chief Information Security Officer (CISO) is the highest level executive dedicated to IT security at the University of Michigan. Secure access to information assets is critical to achieve business objectives. The CISO is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for collaboratively identifying, evaluating and reporting on legal and regulatory, IT and cybersecurity risk to information assets, while supporting and advancing business objectives.
The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies in the university's digital ecosystem. The CISO will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. He or she should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program.
The CISO is responsible for the security and protection of information, technology and communication resources used in conduct of the research, education, clinical care and administration missions of the University. Using an enterprise risk approach, the CISO will work with University leaders to develop strategies, programs, policies and procedures to achieve an appropriate level of assurance in an increasingly threat-based world.
This role requires a high level of engagement and interaction with university leaders, IT governance groups and department leaders to ensure alignment with critical strategies and objectives. This position requires technical knowledge and extensive subject-matter expertise to develop and implement the security program for a complex organization with competing business requirements.
The CISO has direct management oversight for a group of security professionals and works in partnership with the larger security community from departments across the University and in Michigan Medicine, as well as other privacy, risk and compliance stakeholders. The position reports to the Vice President of Information Technology and Chief Information Officer and works closely with Information and Technology Services (ITS) leadership and all departments across the university. The CISO provides services as needed to respond to incidents or provide consultation to university leadership in Michigan Medicine or on any of the three (3) University of Michigan campuses.
The CISO should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this to the Board of Regents and other senior stakeholders. A key element of the CISO's role is working with executive management and other stakeholders to determine acceptable levels of risk for the organization.
Bachelor's degree in computer science engineering, information technology or a related field or the equivalent experience is required
A minimum of ten (10) years of experience in a combination of risk management, information security and IT or OT jobs where at least five (5) years must be in a leadership role
A minimum of eight (8) years of supervisory experience which includes recruiting, mentoring, career development, performance management, leadership and team building and a proven ability to lead a team to meet customer expectations
Proven track record and experience in developing information security programs, policies and procedures, as well as successfully executing programs that meet the objectives in a dynamic environment
Proven success in strategy development and execution
Demonstrated ability to implement general security concepts and methods such as vulnerability and risk management, privacy, incident response, policy creation and enterprise security strategies
Experience with information security regulatory and compliance management
Experience developing and administering information security standards, guidelines and best practices
Knowledge and understanding of relevant legal and regulatory requirements
Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST, including 800-53 and the Cybersecurity Framework
Excellent written and verbal communication skills, interpersonal and collaborative skills
Ability to effectively and clearly communicate security and risk-related concepts to technical and nontechnical audiences
Poise and ability to act calmly and competently in high-pressure, high-stress situations
Must be a critical thinker with strong problem-solving skills and project management skills (financial/budget management, scheduling and resource management)
A strong solution orientation with a penchant for not only identifying problems but also finding ways of solving them within typical business constraints
Ability to lead and motivate cross-functional, interdisciplinary teams to achieve strategic goals
Demonstrated strong management or supervisory experience that includes recruiting, mentoring, career development and performance management, leadership and/or team building
Ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
High degree of initiative and ability to work with little supervision
Proven ability to lead project teams to meet customer expectations
Proven strategic planning based on customer feedback and projected needs along with the ability to track and sometimes predict trends in markets, technology and the industry; influences direction to meet changing customer needs
IT security in a higher education environment
Certified Information Systems Security Professional (CISSP), Information Security Management Professional (ISMP) or Certified Information Security Manager (CISM)
Other security-related certifications
Additional Salary Information: Salary is commensurate with skills and experience.