Binghamton University is seeking an experienced, energetic, engaging and collaborative individual to lead the information security efforts and initiatives of the institution.
The information assets of the institution are diverse and highly distributed. Therefore, information security has become a critical aspect of every facet of institutional business. As such, it is critical to develop, implement, and maintain appropriate strategies, policies, protocols, and procedures regarding these information assets.
The CISO will be responsible for collaborating with university leadership to develop, propose, and implement the overall information security posture, strategy, policies and procedures, and best practices. The overall information security strategy must balance the necessary protections and risk mitigation approaches against the ever-increasing security threat landscape and the academic values and mission of Binghamton University. The CISO will have the primary responsibility for keeping abreast of security threats and changes and for advising on and recommending the necessary adjustments. Additionally, the incumbent will collaborate with the SUNY System and other SUNY campuses as appropriate in achieving their objectives. The incumbent will be responsible for information security outreach, education and training of central and distributed IT units, as well as the university constituency at large. The incumbent will be responsible for, and is the primary point of contact for, information security risk management and incident response. Finally, the incumbent will be responsible for leadership and supervision of the Information Security Unit within Information Technology Services.
The CISO reports to the Associate Vice President and Chief Information Officer and is a member of the CIO’s leadership team.
University and Program Leadership:
Provide guidance and counsel to the CIO and university leadership, working closely with senior administration, academic leaders, and the campus community in defining objectives for information security, while building relationships and goodwill.
Promote collaborative, empowered working environments across campus, removing barriers and realizing possibilities related to information security.
Lead information security planning processes to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology.
Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements.
Stay abreast of information security issues and regulatory changes affecting higher education at the state and national level. Participate in national policy and practice discussions, and communicate to campus on a regular basis about those topics. Engage in professional development to maintain continual growth in professional skills and knowledge essential to the position.
Represent the university on SUNY System committees and in national and regional consortiums and collaborations.
Policy, Compliance and Audit:
Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant federal and state laws and with SUNY and Binghamton University regulations and policies.
Lead efforts to internally assess, evaluate and recommend changes and improvements to university leadership regarding the adequacy of the security controls for the current and proposed information and technology systems.
Coordinate and track all information technology and security related audits including scope of audits, units involved, timelines, auditing agencies and outcomes. Work with auditors, as appropriate, to keep audit focus in scope while providing a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on audit responses.
Work with university leadership and relevant responsible compliance department leadership to build cohesive security and compliance programs for the university to effectively address state and federal statutory and regulatory requirements, including FERPA, HIPAA, ITAR, PCI, FISMA, and the current NIST standards.
Outreach, Education and Training:
Create education and awareness programs and advise academic and operating units at all levels on security issues, best practices, and vulnerabilities.
Implement security awareness solutions for the university constituency to comply with SUNY policies and requirements.
Work with campus distributed technology groups to build awareness and a sense of common purpose around security.
Inform and educate the university community regarding current and ongoing security threats and how to avoid them.
Inform and educate the university community on how to develop useful security related behavior patterns.
Risk Management and Incident Response:
Develop, implement and administer technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and appropriate policies.
Review any proposed data and information technology investment from a security viewpoint. Assure relevant security and risk mitigation provisions are incorporated into acquisition considerations.
In collaboration with staff in the Information Security Unit, develop strategies, methodologies, and tools to quickly recognize and efficiently resolve a security breach or threat.
Develop action protocols to follow when a breach or threat materializes.
Communicate with appropriate members of administration in case of a breach or threat.
Provide a post-mortem analysis, relevant reports, and communicate as necessary once the incident is resolved. Also, assure the current risk mitigation policies and protocols are updated as necessary.
Provide leadership philosophy for the Information Security Unit to create a strong bridge between organizations, build respect for the contributions of all and bring groups together to share information and resources and create better security and information decisions, policies and practices for the campus.
Supervise the Unit including workload assessment, work distribution, staffing, and annual assessment.
Mentor the Information Security Unit team members and implement professional development plans for all members of the team.
Perform special projects and other duties as assigned.
Provide on-call coverage outside of business hours as needed.
Bachelor’s Degree in Computer Science, Information Systems/Sciences, or a related field.
Minimum of eight years of relevant information security experience.
Minimum of three years of experience in Information Security leadership and/or management.
Demonstrated hands-on knowledge and experience in state-of-the-art information security technologies and forensic investigation methodology and investigation tools.
Demonstrated experience in development and deployment of information security policies, procedures, risk mitigation approaches, and various information security tools.
Demonstrated curiosity, interest, and ability in keeping abreast of technology and methodology advancements in information security.
Familiarity with federal and state information security and related compliance laws, regulations, and standards.
High degree of personal integrity and standards of professional conduct.
Experience and ability to interact with senior management.
Ability and experience working in a fast-paced environment with minimal to no direct supervision.
Proven ability to engage simultaneously in multiple projects and bring them to successful completion.
Excellent decision making and problem solving skills and effectiveness in getting things done collaboratively.
Ability to interact effectively with a wide variety of users with different expectations and backgrounds.
Ability to lead and manage a technically diverse staff.
Experience in a complex and diverse organization.
Excellent interpersonal and communication skills, strong analytical skills, and ability to deal with ambiguity in a changing business environment.
Excellent customer service skills.
An advanced degree in Computer Science, Information Systems/Sciences, or a related field.
Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or similar certifications.
Experience in higher education or a research environment.