Chief Info Security Officer (7394)

Secure your FUTURE with SEPTA today! 

The Southeastern Pennsylvania Transportation Authority (SEPTA) is the sixth largest transportation system in the United States, with a vast network of fixed route services including bus, subway/elevated, trackless trolley, light rail, and commuter rail serving a 2,200 square mile service region. SEPTA has become an integral force in the economic success of the Philadelphia region, providing an efficient and reliable source of transportation. 

We are seeking candidates for the position of Chief Info Security Officer (7394) in the I T - Administration.   

Opening Date: 09/27/2024

Closing Date: 10/11/2024

Job Grade: SAM 45

Salary Range: Min: $166,426.00 - Mid: $208,026.00 - Max: $249,626.00 

OVERALL DESCRIPTION

SEPTA is in search of a Chief Information Security Officer (CISO) to take the lead in all aspects of our enterprise cyber security strategy. The CISO will be responsible for managing and developing strategies to protect our physical and digital assets, applications, product portfolios, infrastructure, and computing environments. This role will work closely with other leaders in the organization, including technology, legal, and finance, to define standards, governance, and the overall information security and risk management posture of the enterprise. The Chief Information Security Officer reports to SEPTA's Chief Technology Officer.  

This role's responsibilities are not just managing security policies and frameworks, leading security incident response, and guiding the information security team. These responsibilities also include ensuring the privacy and security of SEPTA customer data, establishing compliance with relevant legislation, selecting 3rd party security vendors, designing security programs, assisting with architecture reviews, and leading the organization in identifying, developing, and improving processes to manage enterprise risks. This is an opportunity for the successful candidate to impact SEPTA's technology security posture significantly.

The successful candidate possesses experience leading a team of cybersecurity experts in information and operational technology security, cloud and on-premises environments, digital marketing platforms, application security and code review, vulnerability testing, and leading enterprise-level cyber risk management programs.

SPECIFIC RESPONSIBILITIES

1. Leads the information security function across the company to ensure consistent and high-quality information security management in support of the business goals
2. Develops, implements, and monitors a strategic, comprehensive information security program aligned to organizational priorities to ensure appropriate confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled, or processed by the organization.
3. Leads the execution of a comprehensive security strategy that aligns with company objectives, including identifying and prioritizing security risks, establishing security controls, and providing compliance with relevant regulations and standards.
4. Assists with identifying non-IT managed services in use ("citizen IT") and facilitates a corporate IT onboarding program to bring these services into the scope of the IT function and apply standard controls and rigor to these services.
5. Leads the implementation of robust data protection measures, including encryption, access control, and data classification, to safeguard customer information from unauthorized access or breaches.
6. Leads cyber security incident response efforts across the organization, including establishing procedures, conducting investigations, implementing remediation, and managing post-incident reviews.
7. Architects and implements a comprehensive Devsecops and security automation strategy and security education, focusing on source code analysis, web application security, compliance monitoring, threat investigation, threat intelligence, vulnerability assessments, and risk analysis.
8. Protects the security of SEPTA customer data platform(s) and validate compliance with all security and data privacy requirements.
9. Establishes and validates the organization's compliance with data protection standards, such as NIST or GDPR.
10. Manages and tracks security across the Authority's digital products, including custom-built and third-party solutions.
11. Monitors the external threat environment for emerging threats and advises relevant stakeholders on the appropriate courses of action
12. Collaborates with the Legal department to provide alignment with all published data and privacy policies while validating the referenced technology.
13. Establishes, communicates, and enforces security policies, procedures, and guidelines throughout the organization across employees, contractors, and third-party vendors, and maintain compliance with established security protocols.
14. Participates in the procurement process by reviewing vendor contracts, identifying security and data-related risks, and initiating the creation of alternatives for managing cybersecurity risk.
15. Assesses and mitigates cybersecurity risks, proactively identify vulnerabilities, and implement appropriate controls.
16. Collaborates with cross-functional teams throughout the Authority to align security initiatives with our business objectives and legal requirements.
17. Produces and presents comprehensive reporting on all aspects of our Information Security Program.
18. Stays current with the latest industry trends, emerging threats, and standard methodologies in information security.
19. Additional responsibilities as assigned.

QUALIFICATIONS AND EXPERIENCE

• Master's Degree and 15+ years’ experience in information security or risk management, with a resume that demonstrates progressive career development managing multifaceted projects while performing regular activities; prior experience as a cyber security officers CISO or equivalent role required.
• Minimum 10+ Years of leadership in the cybersecurity field with progressively increased responsibility leading large scale, complex, and matrixed organizations.
• Formal industry certification such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM),) or other similar credentials required.
• Understanding of relevant legal, regulatory and privacy requirements such PCI DSS, ISO 27001, SOC2, FEDRAMP, CMMC etc.
• In-depth knowledge of various information security frameworks, standards, methodologies, and best practices (e.g., NIST, ISO, SANS, OWASP).
• Demonstrated experience in implementing a security-first culture where security is embedded in the project delivery process by providing the appropriate cybersecurity policies, practices and guidelines
• Strong understanding of security technologies, trends, and best practices.
• Ability to manage multiple projects and initiatives in a fast-paced environment. Proven track record of developing and implementing successful information security programs.
• Strong security architecture background with experience building and driving a cybersecurity strategy and framework, with initiatives to secure the organization's cyber and technology assets.
• Proven track record of developing and implementing secure processes and systems used to prevent, detect, mitigate, and recover from cyberattacks with strong exposure to various technology-based safeguards.
• Strong understanding of information security principles, practices, and technologies, including network security, application security, cloud security and endpoint security.

QUALIFICATIONS AND EXPERIENCE CONT'D

• Excellent leadership, communication, and interpersonal skills.
• Effective organizational, time management and interpersonal skills: Analytical mindset with creative and innovative problem-solving skills, Ability to adapt to change and embrace ambiguity, Excellent verbal & written communication skills.
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
• Sound knowledge of business management and a working knowledge of cybersecurity risk management and cybersecurity technologies
• Demonstrated experience and success in senior leadership roles in risk management, cybersecurity, and IT or OT security
• Experience in leading a team of cybersecurity experts in monitoring

BENEFITS 

SEPTA offers a comprehensive benefits and retirement program: 

• Medical – Minimal annual premium contribution 

Benefit plans with No Employee annual premium contribution: 

• Prescription 

• Dental 

• Vision 

Additional benefits we offer: 

• Defined Benefit Pension Plan 

• Voluntary Governmental 457B Deferred Comp Plan, with available Financial Advice and Planning Services 

• Life Insurance 

• Paid Parental Leave

• Tuition Reimbursement 

• SEPTA Transportation Pass – FREE travel on all SEPTA modes of transportation 

• SEPTA employees qualify for the Public Service Loan Forgiveness (PSLF) program 

• Generous Vacation Allowance

• Dependent Care Flexible Spending Account

SEPTA is committed to creating a diverse environment and is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status.