Position Title:

Chief Info Security Officer

Position Type:

Regular

Salary Range:

$142,660-199,600; commensurate with experience

Pay Frequency:

Annual

A. POSITION PURPOSE

The Chief Information Security Officer (CISO) is responsible for maintaining and enhancing cybersecurity infrastructure deterrents and creating an information security-conscious culture across Santa Clara University. The CISO works collaboratively with the CIO, senior university executives, the Office of General Counsel, campus Information Services staff, and other members of the campus community to create an information security plan and vision; to develop, implement, communicate, and evaluate electronic security policies and practices to protect the university’s information assets; and to ensure the university complies with state and federal laws and regulations.

The CISO provides vision and leadership for the planning (strategic and tactical), budgeting, technology evaluation and selection, implementation and assessment of the University’s information security systems.  They facilitate the creation and implementation of policies, procedures, processes, and strategies for the adoption and utilization of the University’s security technologies.

The CISO provides leadership to and management of assigned staff, including hiring, training, managing, and establishing projects and resource priorities.  They manage direct reports to promote teamwork and to develop professional and technical qualities necessary in order to meet the goals and objectives of IS and the University.  They function as a member of the senior leadership team of the Information Services Division and act as directed as a representative of the Division to University and external constituencies.  They recommend, initiate, and implement improvements to cybersecurity, and contribute constructive suggestions for change or improvement in other IS areas.

The CISO will build consensus and develop collegial, collaborative working relationships with a broad range of constituencies in support of the IS mission.  They determine the most appropriate and effective means of successfully implementing cybersecurity technology solutions for the user community.  They coordinate their activities with the CIO in support of University priorities and strategic plans.

The CISO will have a passion for providing excellent customer service, and a focus on continual improvement across all units; a commitment to supporting innovative cyberinfrastructure technologies; and a desire to identify and deliver the best possible cybersecurity technology resources and services to meet the needs of the campus community. 

B.   ESSENTIAL DUTIES AND RESPONSIBILITIES

1. Management and Strategy

• Hire and manage performance and productivity of Information Security Office (ISO) personnel.
• Conduct annual performance reviews of staff.
• Cultivate organizational values and hold employees accountable for fostering these values for a healthy, professional, and productive work environment.
• Provide individualized consultation, guidance, and development to team members.
• Initiate and develop technologies and systems to support short-term and long-term strategic goals.
• Create an environment of technology innovation.

2. Coordination and Collaboration

• Work with the campus community, other campus technology support personnel, strategic IT vendors, other IS Departments, and off-campus service providers to coordinate the design and delivery of cybersecurity technologies to the campus community in an architecturally sound manner, and to identify information security goals, objectives and metrics consistent with industry best practice.
• Play an active role as a technical expert during the planning and implementation phases of new technologies, and participate in architecture brainstorming and design discussions with technical team members.
• Provide technical guidance on complex cybersecurity challenges to IS team members and other solution partners.
• Participate in IS management team decision-making processes to meet campus obligations.
• Promote and ensure a customer-service focus among staff members.
• Build consensus and enhance positive relationships based on trust, predictability, and communication.
• Collaborate with the CIO and other IS Directors and staff on campus-wide technology initiatives.

3. Resource Planning

• Determine Information Security Office priorities and allocate resources accordingly.
• Refine the organization and develop staff through job development and training, skills forecasting and development, direct report coaching and development, and staff engagement.
• Collaborate with the CIO and other IS Directors and staff on campus-wide technology initiatives, including serving on the Technology Advisory Committee.
• Participate in technology planning processes.

4. Service Delivery

• Lead and supervise the creation, planning, maintenance, and secure expansion of SCU’s cybersecurity infrastructure and services.  This includes, but is not limited to, local and hosted networking components, servers, switches, routers, LAN/WAN, IP, DNS, virtual appliances and devices, and storage.
• Ensure that cybersecurity principles and standards are consistently applied across the data center, computer, storage, and network services.
• Perform and commission information security risk assessments to identify open security hazards and monitor systems for compliance with information policies, guidelines and practices. Coordinate efforts with IS and impacted groups to mitigate any hazards or deficiencies detected.
• Collaborate with University Risk Manager and other IS staff to identify and ensure compliance with relevant state and federal regulations in areas related to electronic information, including GDPR, GLBA, FERPA, and HIPAA.
• Working closely with the Director of Enterprise Applications, the Director of Cyberinfrastructure Technologies, and Deputy CIO for Academic Technology, ensure all customer endpoints, desktops, laptops, and personal devices are configured appropriately for integration in a secure enterprise environment.
• Ensure maximum uptime for cybersecurity systems and services.
• Ensure the appropriate distribution of cybersecurity services to faculty, staff, and students.
• Ensure all key cybersecurity services are maintained with high-availability functionality.
• Create and document cybersecurity standards and practices regarding data center, compute, storage, and network services for use across the University.
• Create scalable, interoperable, and flexible cybersecurity solutions.
• Support assigned systems with on-call availability and respond within agreed upon timeframes.
• Establish, document and implement a standard routine and process for the application of patches/updates to cybersecurity systems, applications, and hardware and firmware to ensure all physical, virtual, and hosted systems are patched with the appropriate level of security and versioning.
• In coordination with the Director of Enterprise Applications, the Director of Cyberinfrastructure Technologies, and the Deputy CIO for Academic Technologies, manage disaster recovery and business continuity planning.
• Coordinate with IS staff in the areas of user identification and authentication, user account management, user privileges, configuration management, event and activity logging and monitoring, and other technical best practices
• Manage configuration, change, and release processes for cybersecurity systems.
• Manage ISO operating and capital budgets.
• Ensure optimal service delivery, availability, and capacity of cybersecurity systems.
• Serve as the liaison with hosted platform and third-party providers to monitor service level agreements and ensure that performance expectations and requirements are met.

5. Service Optimization

• Enhance existing cybersecurity frameworks in order to define, design, and implement simplified, standards-based system architectures. 
• Test and assess existing cybersecurity products and services against industry-standard internal and external benchmarks to insure optimal performance and service delivery.
• Participate in IT and information security audits and prioritize corrective actions and successful remediation of areas supervised to ensure that continuous improvements are made on an ongoing basis.
• Establish and audit appropriate tools and monitors to detect intrusion incidents and anomalies.
• Evaluate and pursue cybersecurity technology cost containment and reduction strategies.

6. Communication

• Add technical and strategic input during the planning phase of potential projects in the form of cybersecurity recommendations.
• Regularly communicate with ISO staff regarding IS and University issues, initiatives, and activities.
• Update the campus community as needed regarding ISO activities.
• Keep the CIO informed of current and potential cybersecurity issues, activities, operational outages, and any other risks that might jeopardize or degrade IT service delivery to the University community. Monitor information security activities and threats, and regularly report to senior management on performance, progress, and challenges.
• Conduct or arrange for cybersecurity training sessions for IS staff or individuals responsible for safeguarding data.
• Develop and deliver security-awareness presentations for students, faculty, and staff, including web page publications and security blogs.
• Actively participate with groups and/or departments on campus during technology acquisitions to recognize and address security issues pertaining to the acquisition.
• Act as liaison to the university community and law enforcement for information security management. Participate in campus response team to any information security incidents. Act as a campus advocate for information security best practices.

7. Leadership

• Consult and advise the CIO on cybersecurity trends, opportunities, strategy, solutions, resources, and compliance.
• Establish and foster partnerships with key stakeholders across the University to promote operational excellence.
• Build a strong network of peers at comparable institutions.
• Actively participate in University activities and initiatives.
• Collaborate with other colleges and universities to share information or resources, as necessary, to improve the overall security of the higher education sector.

8. Unit Administration - Information Security Office

• Provide leadership to develop, implement and maintain policies, guidelines and practices that secure access to the university’s information systems and networks, and to the data stored in or transmitted through those systems; and assure the integrity, confidentiality, and accessibility of university information.
• Identify applicable laws and regulations related to electronic resources with which the university must comply and coordinate with relevant campus groups and IS to verify compliance or to develop plans to come into compliance. Monitor the changing regulatory landscape for future compliance requirements and coordinate university response to satisfy those requirements.
• Develop and deliver awareness and training programs that help keep all faculty, staff and students aware of information security risks and best practices to minimize those risks for themselves and the university. Develop and deliver more intense and focused awareness and training programs for employees whose primary responsibilities involve working with university data and information systems.
• Actively participate with groups and/or departments on campus during technology acquisitions to recognize and address security issues pertaining to the acquisition.
• Establish security requirements for vendors of commercial software, applications, and technology solutions, and devise contract language to place responsibility for security on the application provider.
• Develop, implement, and maintain a written information security program that addresses people, process, and technology and contains administrative, technical, and physical safeguards
• Monitor information security trends, and the threat, vulnerability and control landscape, and advises relevant levels of university administration appropriately.
• Develop and periodically update information security policies and procedures that address areas such as individual employee responsibilities for information security practices.
• Develop and coordinate the implementation of systems to secure critical university information resources from intrusion and attacks
• Conduct and direct security audits and follow-on work to ensure the integrity, confidentiality and availability of university information is not compromised.

9. Other duties as assigned.

C.   PROVIDES WORK DIRECTION  

• Manage three full-time staff members in the Information Security Office.

D.   GENERAL GUIDELINES 

• Recommend initiatives and implement changes to improve quality and services.
• Identify and determine cause of problems; develops and presents recommendations for improvement of established processes and practices. 
• Maintain contact with customers and solicits feedback for improved services.
• Maximize productivity through use of appropriate tools; plan training and performance initiatives.
• Research and develop resources that create timely and efficient work flow.  
• Prepare progress reports; inform supervisor of project status and deviation from goals. Ensure completeness, accuracy and timeliness of all operational functions. 
• Prepare and submit reports as requested and required.
• Develop and implement guidelines to support the functions of the unit.

E.   QUALIFICATIONS

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The items below are representative of the knowledge, skills, abilities, education, and experience required or preferred. 

This position requires the ability to effectively establish and maintain cooperative working relationships within a diverse multicultural environment.

1.   Knowledge, Skills and Abilities

General

• Knowledge of information technology, campus technology, and information security issues and trends in higher education, and ability to continually develop new knowledge regarding the same.

• Ability to listen and understand customer needs.

• Ability to plan, implement, and evaluate customer service initiatives.

• Ability to work in a collaborative environment, as either a member or leader of a team, to meet deadlines and achieve goals.

• Ability to manage a diverse workforce to provide excellent customer service.

• Self-motivated and shows initiative.

• Ability to successfully manage multiple projects simultaneously. 

• Proven track record in project planning and project management.

• Ability to exercise independent judgment and engage in critical thinking and problem solving.

• Ability to work effectively under pressure in a busy (often chaotic) and demanding information services environment, while maintaining a sense of humor. 

• Ability to explain technical issues and policies to non-technical people.

• Ability to give presentations on technical issues to a broad range of audiences.

• Ability to foster and maintain good working relationships with faculty, administrators, students, senior management, and other leaders.

• Ability to handle sensitive matters with diplomacy and the ability to mediate between competing parties.

• Ability to maintain confidentiality and manage confidential information.

• Must possess impeccable integrity.

• Ability to speak truth to power.

• Appreciation for the University’s mission, vision, values, priorities, procedures, and policies.

Position-specific

• Ability to plan and execute cybersecurity initiatives strategically, tactically, and expansively.

• Deep technical skills in one or more of the technical domains that they supervise.

• Experience managing cybersecurity systems delivery in a large, complex IT environment, involving multifaceted multi-year projects and technical teams.

• Experience developing plans for short- and long-range infrastructure projects, including strategies, budgets, and schedules.

• Experience developing and maintaining annual operational and capital budgets.

• Experience providing leadership and supervision of staff including position responsibilities, position planning, recruitment, retention, compensation, training/development, and evaluation; this also includes experience promoting and monitoring diversity in the recruitment process.

• Understanding of the full spectrum of cybersecurity technologies.

• Solid understanding of and experience with enterprise level IT security programs, best 
  practices, and/or standards.

• Solid understanding of IT security management systems and frameworks (NIST, ISO, etc.)

• Broad understanding and awareness of compliance issues related to information resources in a higher education environment, including GDPR, GLBA, FERPA, and HIPAA.

• Understanding of relational databases.

• Understanding of server virtualization environments, preferably VMware.

• Understanding of high availability, disaster recovery and data replication architectures, ideally both internally-hosted and cloud-based.

• Understanding of Microsoft Active Directory.

• Understanding of, and preferably experience working in, cloud-based computing environments, preferably Google Cloud (GCP).

• Experience leading the development and implementation of standard operating procedures and policies with an emphasis on maintaining and ensuring operational continuity and security of the University’s information assets.

• Experience with technical assessment, selection, and implementation of new infrastructure technologies.

• Understanding of, and preferably experience with, local and hosted networking components, servers, switches, routers, management tools, LAN/WAN, TCP/IP, Ethernet, DNS, virtual appliances and devices.

• Experience with Network Access Control (NAC) solutions.

• Varied and strong background that would include implementation of higher education cybersecurity systems.

• Specific understanding of industry trends and standards.

• Experience negotiating contracts with vendors.

Education

• Bachelor’s Degree from an accredited institution of higher education required. Advanced degree preferred.

Experience 

• Minimum of twelve years of experience, with a focus on providing excellent customer service to support technology in support of an organization’s mission.

F.   PHYSICAL DEMANDS

The physical demands described below are representative of those that must be met by an employee to successfully perform the essential functions of this job. In accordance with the Americans with Disabilities Act, as amended, the California Fair Employment & Housing Act, and all other applicable laws, SCU provides reasonable accommodations for qualified persons with disabilities.  A qualified individual is a person who meets skill, experience, education, or other requirements of the position, and who can perform the essential functions of the position with or without reasonable accommodation. 

• Considerable time is spent at a desk using a computer terminal.  

• Required to travel to other buildings on the campus.

• Required to attend conference and training sessions within Bay Area or in- or out-of-state locations.

• Required to travel to outside customers, vendors or suppliers.

G.   WORK ENVIRONMENT  

The work environment characteristics described below are representative of those an employee encounters while performing the essential functions of this job. 

• Typical office environment.

• Mostly indoor office environment with windows.

• Offices with equipment noise.

• Offices with frequent interruptions.

EEO Statement

​Equal Opportunity/Notice of Nondiscrimination

Santa Clara University is an equal opportunity/equal access/affirmative action employer fully committed to achieving a diverse workforce and complies with all Federal and California State laws, regulations, and executive orders regarding non-discrimination and affirmative action. Applications from members of historically underrepresented groups are especially encouraged. For a complete copy of Santa Clara University’s equal opportunity and nondiscrimination policies, see https://www.scu.edu/title-ix/policies-reports/

Title IX of the Education Amendments of 1972

Santa Clara University does not discriminate in its employment practices or in its educational programs or activities on the basis of sex/gender, and prohibits retaliation against any person opposing discrimination or participating in any discrimination investigation or complaint process internally or externally. The Title IX Coordinator and Section 504 and ADA Coordinator is Jenna Elliott, Interim Director of Equal Opportunity and Title IX, 408-551-3043, jrelliot@scu.edu , www.scu.edu/title-ix. Inquiries can also be made to the Assistant Secretary of Education within the Office for Civil Rights (OCR). 

Clery Notice of Availability

Santa Clara University annually collects information about campus crimes and other reportable incidents in accordance with the federal Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act. To view the Santa Clara University report, please go to the Campus Safety Services website. To request a paper copy please call Campus Safety at (408) 554-4441. The report includes the type of crime, venue, and number of occurrences.

Americans with Disabilities Act

Santa Clara University affirms its' commitment to employ qualified individuals with disabilities within the workplace and to comply with the Americans with Disability Act. All applicants desiring an accommodation should contact the Department of Human Resources, and 408-554-5750 and request to speak to Indu Ahluwalia by phone at 408-554-5750 or by email at iahluwalia@scu.edu.

***When applying, please note that you saw the job posted on the NOVAworks Job Board. If you need help with your resumé, please see a NOVAworks Career Advisor.