Consultant IT Security & Risk Management
Morph Enterprise

Employer Active

1 Vacancy
The job posting is outdated and position may be filled

Job Location

others - USA

Monthly Salary

Not Disclosed

Vacancy

1 Vacancy

Job Description

Req ID : 1674955

Job Summary

We are looking for a hands-on technical information security leader. This individual needs to understand the technical facets of information/cyber security, including security architecture, security engineering, risk management, governance, risk & compliance, and incident response, while having the leadership and project management skills necessary to effectively manage people.

Primary responsibilities include:

  • Directing outsourced IT Security to execute information security projects and activities.
  • Defining security requirements including security policies, standards, plans, methodologies, and guidelines.
  • Creating and executing project plans to ensure the timely execution of security projects.
  • Reviewing the security of technologies, systems, networks, and applications.

Areas of Responsibility:

IT Security & Risk Management's responsibilities span strategic, tactical, and operational activities, such as:

  • Strategic Support
  • Security Liaison
  • Security Architecture & Engineering Support
  • Operational Support

Strategic Support:

  • Work with the Director to develop an information security program and security projects that address identified risks and business security requirements in alignment with the risk tolerance of the organization.
  • Manage the process of gathering, analyzing, and assessing information security threats.
  • Partner with the Director to develop budget projections based on short- and long-term goals and objectives.
  • Monitor and report on compliance with security policies and enforce security policies.
  • Propose changes to existing policies and procedures to ensure the protection of Purdue systems, efficient operations, and regulatory compliance.
  • Work with IT Security, IT, and business stakeholders to build metrics and reports that effectively communicate risks, progress, and areas of opportunity.

Security Liaison:

  • Assist resource owners and IT staff in understanding and responding to reported security audit failures.
  • Advocate information security with the organization and ensure that personnel are trained on information security best practices.
  • Review the security of systems, networks, applications, and resources; identify risks; and provide security recommendations.
  • Work with stakeholders to ensure that asset owners are identified, and systems are appropriately classified.
  • Serve as an active and consistent participant in the information security governance process.
  • Provide support and guidance for legal and regulatory compliance efforts, including audit support.
  • Keep up-to-date with information security threats, risks, and vulnerabilities.
  • Ensure that vulnerabilities are addressed in line with their criticality and agreed upon SLAs.

Security Architecture & Engineering Support:

  • Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation, and configuration of hardware, applications, and software.
  • Recommend and coordinate the implementation of technical security controls.
  • Research, evaluate, design, test, recommend, and plan the implementation of technical information security controls and analyze their impact on the existing environment.
  • Direct the administration of security tools and controls.
  • Work with IT to ensure that there is a convergence of business, technical, and security requirements.
  • Proactively identify areas of improvement in technical security architecture and processes.

Operational Support:

  • Create, develop, and execute KPIs, metrics, and reports.
  • Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
  • Manage the day-to-day activities of threat and vulnerability management & risk management including the recommended treatment plans, status, and residual risks.
  • Manage security projects and provide expert guidance on security matters.
  • Assist and guide the disaster recovery planning team in the selection of recovery strategies and the development, testing, and maintenance of these disaster recovery plans.
  • Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and are in compliance with policies and audit requirements.
  • Design, coordinate and oversee security testing procedures to verify the security of systems, networks, and applications, and manage the remediation of identified risks.

Education and Experience Requirements:

  • BS / MS / Equivalent Training and 8+ years of relevant experience.
  • Experience managing a small team and outsourced IT personnel.
  • Strong hands-on technical system and network security skills.
  • Experience with information security governance, risk, and compliance.
  • Professional certification, such as CISM or CISSP, is preferred.

Necessary Knowledge, Skills, and Abilities:

IT Security & Risk Management must have the following:

  • Experience reviewing security architecture and defining security requirements.
  • Management skills including experience managing outsourced personnel.
  • Experience developing and maintaining policies, procedures, standards, and guidelines.
  • Experience with common information security management frameworks, such as ISO 27001, NIST.
  • Familiarity with applicable legal and regulatory requirements, including, but not limited to, SOX, HIPAA, GDPR, and CCPA.
  • Strong project management skills and experience in creating and managing project plans.
  • Proficiency in performing risk, business impact, control, and vulnerability assessments, and in defining treatment strategies.
  • Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
  • Ability to communicate with technical and non-technical stakeholders at all levels.
  • Strong written and verbal communication skills.

Please include the skill matrix below at the top of your resume.

Skill Matrix

| Security Domain | Rating (1-5) (1 = Novice & 5 = Expert) |
|---|---|
| Security Architecture | |
| Security Engineering | |
| System Security | |
| Network Security | |
| Application Security | |
| DevSecOps (nice to have) | |
| Access Controls | |
| Risk Management | |
| Policy & Compliance | |
| Incident Response | |
| Digital Forensics (nice to have) | |
| Firewalls | |
| IPS/IDS | |
| SIEM | |
| Vulnerability Management Systems | |
| Microsoft Windows | |
| Linux | |
| Azure or AWS | |

| General Skills | Rating (1-5) (1 = Novice & 5 = Expert) |
|---|---|
| Project Management | |
| Matrixed Resource Management | |
| Scripting (nice to have) | |
| Programming (nice to have) | |

Manager's note:

  • Looking for a technical person with management as well as technical skills
  • Some people management
  • IT Security Architecture and Solutions

Employment Type

Full Time

Company Industry

About Company

100 employees