
Chief Information Security Officer

Overview
Job Description
ADVANCEMENT OPPORTUNITIES
Chief Information Officer (CIO)
POSITION SUMMARY
Under the general direction of the Chief Information Officer (CIO), the Chief Information Security Officer (CISO) plans, assigns, and directs the cybersecurity activities for both Operational Technology and Information Technology (IT) functions. The CISO is responsible for establishing and maintaining the enterprise vision, strategy, architecture, and a multi-year roadmap that ensures that the company’s information assets are adequately protected.
A key element of this role is communicating security at a strategic level to Executive Management and the Board of Directors and championing cybersecurity across the Authority to drive adoption of best practices.
The CISO will manage a small team of dedicated resources and a larger team of matrixed resources to manage cybersecurity response and achieve favorable outcomes.
ESSENTIAL DUTIES
1. Serves as the principal advisor to Authority executives and the Board on cybersecurity risk, vulnerabilities, and mitigation strategies.
2. Manages and develops the Authority’s long-term cybersecurity strategy and roadmap across the Authority to include policy development, procedures, standards, and guidelines, and oversees their approval, dissemination, implementation, and maintenance.
3. Provides effective leadership and management of cybersecurity operations, including selection, scheduling, supervision, retention, and evaluation of employees in the department. Develops and mentors staff across the organization on cybersecurity and information security.
4. Champions the cybersecurity program across the organization. Provides training, development, and mentoring of staff across the Authority, including senior leaders and executives.
5. Manages the cybersecurity risk program and establishes rapport with senior leaders across the business to assess and communicate acceptable levels of risk. Oversees and leads the creation, communication, and implementation of a process for managing vendor risk and other third-party risks.
6. Identifies, evaluates, and reports on information security risks, practices, and projects to the Executive Committee and the Board of Directors, and provides subject matter expertise and direction on security standards (NIST, ISA, ISO, etc.) and best practices (FFIEC, Dodd-Frank, SOX, PCI, etc.).
7. Manages the Authority Intrusion Detection and Vulnerability Management programs. Reviews internal and external systems for appropriate cybersecurity controls and oversees all required fixes.
8. Oversees incident response planning and the investigation of security breaches, and assists with any associated disciplinary, public relations, and legal matters. Establishes relationships with local, state, and federal law enforcement and other advisory bodies (CISA, AWWA, WEF, Water-ISAC, etc.) to ensure that the organization maintains a strong security posture.
9. Manages and directs the evaluation, selection, and implementation of information security solutions that are innovative, cost-effective, and minimally disruptive. Partners with engineering teams for Capital Improvement Projects, enterprise architecture, infrastructure, and applications teams to ensure that technologies are developed and maintained according to security policies and guidelines.
10. Serves as the acting CIO and exercises authority and interfaces with executive leadership across the Authority on security, IT, or OT issues in their absence.
11. Essential personnel are required to report to work when scheduled during departmental and/or emergency situations, including, but not limited to, extended periods of inclement weather when travel may be difficult. This position is essential because, in the absence of sufficient personnel, the plant cannot operate safely.
SUPERVISORY RESPONSIBILITIES
Regularly has full personnel management responsibilities, including approving time, selection, discipline, grievances, and formal performance evaluations for a position’s direct and indirect reports.
FINANCIAL RESPONSIBILITY
Provides management planning and execution oversight of the section budget. Approves departmental purchases of up to $15,000.
QUALIFICATIONS
EDUCATION
BS or BA in Cybersecurity, Computer Science, Information Systems, Electrical Engineering, or a related field. Advanced degree preferred.
EXPERIENCE
Minimum of 10 years of IT experience, 7 years of cybersecurity experience, 5 years of ICS-specific experience, and 5 years of management experience, with a proven track record of successful project management and team leadership. Experience in the water sector is preferred.
CERTIFICATES, LICENSES, REGISTRATIONS
1. Certified Information Systems Security Professional, Certified Information Systems Manager, or equivalent certification approved by CIO (Required)
2. Certified Automation Professional or equivalent as approved by CIO (Preferred)
3. Valid Texas Driver’s License (Required)
4. Additional IT / ICS / Cybersecurity / Project Management Certifications (Preferred)
KNOWLEDGE
Must have knowledge of IT and ICS to include cybersecurity, networks, hardware, software, system analysis and design, project management, and their specialized budgeting and procurement procedures.
SKILLS AND ABILITIES
Must have excellent written and verbal communication and organization skills. Ability to communicate security and risk-related concepts to both technical and non-technical audiences, including executive and board level. Extensive knowledge of business risk, risk assessment, and risk-based decision making. Must be able to understand and operate IT management and project management software and tools. Must possess the ability to inspire, influence, and build coalitions as well as direct the work of others and positively interact with senior and executive management.
GUIDANCE RECEIVED
Typically receives general direction about assignments and work results to be attained. Requires judgment to determine which methods apply and what data/information should be considered. Position must think through how issues can be addressed within existing policies and procedures, and may assist others with more complex work methods and problems.
PHYSICAL DEMANDS
This position requires minimum physical exertion with daily lifting requirements generally under 30 pounds. Occasional installation activities require movement of equipment in excess of 50 pounds.
WORKING CONDITIONS
Work is generally conducted within an office environment with periodic field visits. Travel to industrial facilities is required, and periodic exposure to loud noise, hazardous chemicals, and heights may be required. Periodic work outside of normal duty hours is required, which may include weekends/holidays.
TOOLS AND EQUIPMENT USED
Office equipment, including personal computers, printers, copiers, and Authority vehicles. Specialized software and test equipment for IT equipment and small tools.
