Chief Information Security Officer (Manager 210) - Information Services
West Chester University of PA
Location: West Chester, Pennsylvania
Type: Full Time
Preferred Education: Masters
Salary: Salary is commensurate w/exp
Starting salary is commensurate with experience. Excellent benefits package includes tuition fee waiver for self and dependents.
Internal Number: 22-63
Join a vibrant campus community whose excellence is reflected in its diversity and student success. West Chester University of Pennsylvania’s Information Services invites applications for the position of Chief Information Security Officer (CISO).
West Chester University, a member of the Pennsylvania State System of Higher Education, is a public, comprehensive institution committed to offering high-quality undergraduate education, selected post-baccalaureate and graduate programs, and a variety of educational and cultural resources for its students, alumni, and citizens of southeastern Pennsylvania. The University offers more than 100 graduate and undergraduate programs in the sciences and mathematics, business and public management, arts and humanities, health sciences, education and social work, music, and interdisciplinary studies. WCU is a community of educators dedicated to developing graduates who succeed personally and professionally and contribute to the common good.
The CISO is responsible for establishing and maintaining a strategic and comprehensive University-wide information protection, IT risk, and cybersecurity management program to ensure that information assets are adequately protected and available. This individual is responsible for identifying, monitoring, and countering threats as well as other risks and exposures that threaten the privacy, confidentiality, operational integrity, and high availability of WCU networks, systems, research operations, and information assets. This position has chief institutional responsibility for protecting and maintaining the confidentiality, integrity, and availability of authorized access to WCU information assets. This is the senior institutional position in charge of identifying and responding to events involving information asset misuse, loss or unauthorized disclosure, including incident investigation and forensics. This individual will also play an important role in helping plan, maintain, secure, optimize, expand and protect a growing information technology infrastructure at WCU. The CISO will work with executives across the University to ensure that security systems are working smoothly to reduce the organization's operational risks in the face of a security attack. This position is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements and aligns with and supports the risk posture of the Institution. The CISO position requires a visionary leader with sound knowledge of both business and technical practices.
The Chief Information Security Officer (CISO) reports to the Chief Information Officer, is a member of the CIO leadership team and serves a key role in university leadership, working closely with senior administration, academic leaders, and the campus community. The CISO is an advocate for WCU’s total information security needs and is responsible for the development and delivery of a comprehensive information security strategy to optimize the security posture of the university. The CISO leads the development and implementation of a security program that leverages collaborations and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security risk. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the campus level.
University and Program Leadership
Provide the strategic leadership of the University’s information security program.
Provide guidance and counsel to the CIO and key members of the university leadership team, working closely with senior administration, academic leaders, and the campus community in defining objectives for information security, while building relationships and goodwill.
Work with campus leadership to oversee the formation and operations of university-wide information security resources organized toward a common cause in information security. Promote collaborative, empowered working environments across campus, removing barriers and realizing possibilities.
Manage institution-wide information security governance processes to support campus-wide information security program and project priorities.
Lead information security planning processes to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology. Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements.
Stay abreast of information security issues and regulatory changes affecting higher education at the state and national level, participate in national policy and practice discussions, and communicate to campus on a regular basis about those topics. Engage in professional development to maintain continual growth in professional skills and knowledge essential to the position.
Provide leadership philosophy for the Information Security Team to create a strong bridge between organizations, build respect for the contributions of all and bring groups together to share information and resources and create better decisions, policies and practices for the campus. Mentor the Information Security Team members and implement professional development plans for all members of the team.
Represent the university on committees associated with PASSHE and in national and regional consortiums and collaborations.
Implement a formal Identity and Access Management (IAM) program. This program should begin with a comprehensive analysis of all business functional requirements and include the development and deployment of processes and workflows as well as required systems and services.
Perform special projects and other duties as assigned.
Policy, Compliance and Audit
Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
Lead efforts to internally assess, evaluate and make recommendations to administration regarding the adequacy of the security controls for the University's information and technology systems.
Work with Internal Audit, PASSHE, Office of the State System CITO and outside consultants as appropriate on required security assessments and audits. Responsible for coordinating and tracking all information technology and security related audits including scope of audits, colleges/units involved, timelines, auditing agencies and outcomes. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on audit responses.
Work with university leadership, Legal Counsel and relevant responsible compliance department leadership to build cohesive security and compliance programs for the university to effectively address state and federal statutory and regulatory requirements. Develop a strategy for cohesively dealing with audits, compliance checks and external assessment processes for internal/external auditors, PCI, HIPAA, and other applicable standards.
Outreach, Education and Training
Work closely with IT leaders, technical experts and college and other administrative leaders across campus on a wide variety of security issues that require an in-depth understanding of the IT environment in their units, as well as the research landscape and federal regulations that pertain to their unit’s research areas.
Create education and awareness programs and advise operating units at all levels on security issues, best practices, and vulnerabilities.
Work with campus groups such as Information Services & Technology, advisory committees, department liaisons and technical organizations in Business Affairs, Academic Affairs, University Affairs and Student Affairs to build awareness and a sense of common purpose around security.
Pursue student security initiatives to address unique needs in protecting against identity theft, securing mobile and social media use, and running an online reputation program.
Risk Management and Incident Response
Keep abreast of security incidents and act as primary control point during significant information security incidents. Convene an Incident Response Team (IRT) as needed, or requested, in addressing and investigating security incidents.
Develop, implement and administer technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
Provide leadership, direction and guidance in assessing and evaluating information security risks and monitor compliance with security standards and appropriate policies.
Examine impacts of new technologies on WCU’s overall information security. Establish processes to review implementation of new technologies to ensure security compliance.
A Bachelor’s degree in Management Information Science or related field
A minimum of seven (7) years of cybersecurity experience
Master's Degree in Computer Science or related field
Demonstrated experience as an Information Security Officer, developing and administering an information security program in a complex higher education environment
Demonstrated success in working with Internal Audit, System Auditors, outside consultants in a lead capacity to coordinate representation of institutional technology systems and practices
Demonstrated experience in computing and information security, network security issues, and security incident response and recovery in a higher education environment
Knowledge and experience working with one or more of the following Cybersecurity Frameworks: NIST Cybersecurity Framework; ISO 27001; CIS Critical Security Controls
Electronic application allows for cover letter, resume and a list of three references with contact information (required). Applicants must successfully complete the interview process to be considered as a finalist.
All offers of employment are subject to and contingent upon satisfactory completion of all pre-employment background checks.