Job Specifications
JOB PURPOSE
The Head of Information Security/CISO provides the leadership and oversight to ensure the confidentiality, integrity, and availability of CanDeal’s IT assets and electronic information by managing and mitigating risks to systems and environments, developing and maintaining enforceable policies and supporting procedures, and ensuring compliance with regulatory requirements. The incumbent is accountable for the enterprise information security program, collaborates with senior leadership from other departments, including the evaluation and procurement of internal and third-party products, and deployment of security-related solutions and coordinates information security awareness and education programs.
PRIMARY RESPONSIBILITIES
Leads the information security function and is accountable for the enterprise information security program.
Creates and contributes to information security strategies, both short-term and long-range, in support of business strategic goals and IT strategies.
Collaborates with senior leadership from other departments to provide oversight, operational expertise and direction to the organization and operational teams.
Reviews IT and security governance structures, processes and procedures to prevent security breaches, major incidents and non-compliance with regulatory requirements.
Monitors and conducts ongoing assessments of security standards, policies and controls, in accordance with recognized frameworks such as ISO, NIST and COBIT, necessary for breach prevention, data loss prevention, detection and remediation, and continuous improvement.
Assesses security infrastructure, cloud environments, changes and new additions to existing systems including identity and access management, data protection, vulnerability assessment, testing and recommendations for improvement.
Provides reports and recommendations to mitigate risks to the senior management by communicating in non-technical, cost/benefit terms and in a format relevant to senior management so decisions can be made to ensure the security of information systems and information entrusted to CanDeal.
Oversees all ongoing activities related to the development, implementation, and maintenance of CanDeal’s information security policies and procedures, ensuring these policies and procedures encompass the overall security of electronic information at rest or in motion within the CanDeal environment, and assists departments in local process and procedure development.
Provides mentorship, staff development, and assists other departments to ensure regulatory compliance in areas such as OSC, OSFI, PIPEDA, GDPR to ensure full compliance in securing Privacy Information (PII).
Chairs the Information Security Committee (ISC) and coordinates the activities of ISC so that security decisions do not interrupt business processes while maintaining the confidentiality, integrity, and availability of CanDeal information.
Develops information security awareness training and education programs and works with other CanDeal groups to present them to staff, as appropriate.
Acts proactively to prevent potential disaster situations by ensuring that proper protections are in place, such as detection and prevention systems, secured networking systems, secured cloud environments hosting CanDeal’s electronic information, and effective physical safeguards, and provides for the availability of computer resources by ensuring a business continuity/disaster recovery plan is in place to offset the effects of intentional and unintentional acts.
Evaluates security incidents, determines the response required under the incident response plan, and leads CanDeal’s response, including technical incident response teams, when sensitive information is breached.
Assesses, evaluates and coordinates with Vendor Management Office on internal and third-party products, services and solutions.
Manages and supports other initiatives as required.
QUALIFICATIONS
Education & Experience
Post-secondary education in IT.
Minimum 10 years of related information security experience including, but not limited to, IT security architecture, cloud environments, security tools, network security, vulnerability management and assessment, anti-malware, endpoint security, secured software development, regulatory compliance, security program management and governance.
Professional/industry certifications such as CISSP, GIAC, CISA, CISM, or similar.
Knowledgeable in frameworks such as COBIT 5, ISO 27001, NIST and ITIL in assessing IT control gaps in organizations.
Knowledge, Skills & Abilities
Strong understanding of security architecture and methodologies.
Ability to develop and maintain policies and procedures relating to IT/security governance.
Ability to keep current with IT security developments and vulnerabilities.
Proven experience in relationship and stakeholder management.
Ability to effectively manage multiple concurrent projects and to reason analytically.
The ability to work with and train people possessing differ