
Chief Information Security Officer

Company

Chemonics

Address , Remote
Employment type FULL_TIME
Salary
Expires 2023-09-16
Posted 8 months ago
Job Description

The protection of your personal data is important to Chemonics. Please review the Chemonics Data Privacy Policy. And, if you are located in the UK, please read our EU Recruiting Data Privacy Notice to learn how we process your personal data.

Chemonics International is seeking a Chief Information Security Officer within the Global Technology Infrastructure Division. The Chief Information Security Officer (CISO) is responsible for implementing and running the enterprise information security and service management programs. The CISO is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected. They are also responsible for establishing and running the information security service management program, working on business proposals and hiring contractors as needed to support the business projects. The CISO will work with executive management to determine acceptable levels of risk for the organization and proactively work with others to implement practices that meet agreed-on policies and standards for information security. They will be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. The CISO will serve as a thought leader, a builder of consensus and of bridges between business and technology. They will coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for Chemonics to deliver on its business goals and objectives. Additionally, the CISO will report directly to the CIO.


Principal Duties and Responsibilities (Essential Functions):

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

  • Defines and facilitates the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
  • Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations
  • Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
  • Leads the information security function across the company to ensure consistent and high-quality information security management in support of the business goals
  • Develops and enhances an up-to-date information security management framework
  • Manages the information security team cost-efficiently
  • Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
  • Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem
  • Creates a framework for roles and responsibilities about information ownership, classification, accountability and protection of information assets
  • Works to ensure that information security requirements are included in contracts by liaising with compliance and procurement departments
  • Creates a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
  • Manages the budget for the information security function, monitoring and reporting discrepancies
  • Creates, manages, and leads the company’s information security structure (hiring staff as needed in missing areas)
  • Ensures that the cybersecurity requirements necessary to protect the organization's mission and business processes are adequately addressed in all aspects of enterprise architecture
  • Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
  • Develops, socializes and coordinates approval and implementation of security policies
  • Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
  • Provides input for the IT section of the company's code of conduct
  • Facilitates an enterprise information security governance structure including enterprise rules and standards for interoperability between Corporate and the local business offices
  • Works with other compliance staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
  • Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
  • Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
  • Directs the creation of a targeted information security awareness training program and establishes metrics to measure the effectiveness of this security training program for the different audiences
  • Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management
  • Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
  • Creates the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required
  • Implements Chemonics' information security vision, strategy, and three-year roadmap that is aligned to Chemonics' business and IT strategies, enables Chemonics' business objectives, and ensures senior stakeholder buy-in and mandate
  • Works effectively with business units to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite
  • Provides as needed information security directions, guidance and support in the realization of business contracts
  • Provides regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders, and the board
  • Collaborates and liaises with the data privacy officer to ensure that data privacy requirements are included where applicable
  • Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, increases the maturity of information security, and reviews it with stakeholders at the executive and board levels
  • Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
  • Delivers and monitors Chemonics' strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by Chemonics
  • Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices

Qualifications:

To perform this job successfully, an individual must be able to perform each essential duty and responsibility satisfactorily. The qualifications listed below are representative of the required knowledge, skills, and/or abilities needed to perform the principal duties.

  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials preferred
  • Excellent stakeholder management skills
  • Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams
  • High degree of initiative, dependability and ability to work with little supervision while being resilient to change
  • Established key elements of tactical and operational plans, with a focus on short- to mid-term operational plans (1-3 years)
  • A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
  • Knowledge and understanding of relevant cybersecurity legal and regulatory requirements, such as GDPR and Health Insurance Portability and Accountability Act (HIPAA)
  • Demonstrates master-level knowledge and skills in information security
  • Developed budgets, schedules and performance requirements
  • A critical thinker, with strong problem-solving skills
  • Strong problem-solving and trouble-shooting skills
  • Demonstrated leadership, versatility and integrity
  • Self-motivated and possessing of a high sense of urgency and personal integrity
  • Poise and ability to act calmly and competently in high-pressure, high-stress situations
  • Prior experience working for a US government contractor is a plus
  • Excellent writing skills and strong experience writing information security documents and reports
  • Project management skills including financial/budget management, scheduling and resource management
  • Demonstrated experience and success in leadership roles in risk management, information security, and information technology security
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
  • High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
  • Excellent communication skills and strong experience facilitating events or training
  • Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
  • Expert in data security, including strong knowledge of encryption, data labeling and marking (right controls), and the sensitivity of the data. The candidate needs expertise in what a CISO can do to realize the data security implementation
  • Past experience implementing cybersecurity in Network, End Point protection, Cloud security, and AD/Access Management is highly required
  • More than 15 years of relevant experience, including five years in a leadership role
  • Managed multiple direct reports and teams, multiple projects and/or a portfolio of projects
  • Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
  • Experience with contract and vendor negotiations
  • Expert level understanding of the Microsoft security solution
  • Demonstrated broad management knowledge to lead project teams in one department
  • Degree in a technology-related field

Physical Requirements:

  • Regular attendance and availability during normal Chemonics Washington business hours are required
  • Occasionally lift and/or move up to 25 pounds
  • Ability to work in a normal office environment

Work Conditions:

  • Ability to travel and work abroad in less developed countries for at least 4 to 8 weeks a year
  • Occasional exposure to environmental conditions, including hot, cold, wet, humid, or windy conditions caused by the weather
  • Normal office environment; usually moderate noise level

Equal Employment Opportunity

Chemonics is an equal opportunity/Affirmative Action employer and does not discriminate in its selection and employment practices. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, political affiliation, sexual orientation, gender identity, marital status, disability, protected veteran status, genetic information, age, or other legally protected characteristics. Military veterans, AmeriCorps, Peace Corps, and other national service alumni are encouraged to apply.

Pay Transparency Nondiscrimination Provision
Chemonics will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by Chemonics, or (c) consistent with Chemonics' legal duty to furnish information. 41 CFR 60-1.35(c)

The Salary Range for this position is expected to be: $155,850 - $194,810.

An employee’s pay position will be based on several factors including, but not limited to, relevant education, qualifications, certifications, experience, skills, seniority, performance, shift, travel requirements, and business or organizational needs.

We offer a comprehensive package of benefits, including paid time off, medical/dental/vision insurance, ESOP, 401(k), and other benefits, to eligible US-based employees. Please visit https://chemonics.com/life-at-chemonics/our-benefits/ to find out more about the benefits this position is eligible for.