Sr. Analyst - IT Policy Management and Security Awareness

Lincoln Electric is the world leader in the engineering, design, and manufacturing of advanced arc welding solutions, automated joining, assembly and cutting systems, plasma and oxy-fuel cutting equipment, and has a leading global position in brazing and soldering alloys. Lincoln is recognized as the Welding Expert™ for its leading materials science, software development, automation engineering, and application expertise, which advance customers' fabrication capabilities to help them build a better world. Headquartered in Cleveland, Ohio, Lincoln Electric is a $4.2B publicly traded company (NASDAQ:LECO) with over 11,000 employees around the world, with operations in 71 manufacturing and automation system integration locations across 21 countries and maintains a worldwide network of distributors and sales offices serving customers in over 160 countries.

 Location: Remote - Ohio - Cleveland, OH, United States (US)
Employment Status: Salary Full-Time
Function: Information Technology
Pay Range:  ($102,816.00 - $139,104.00)
Target Bonus: 25.0%
Req ID: 25398 

Summary

The Lead, IT Policy and Security Awareness works under the direction of IT security leadership to develop, maintain and train on IT governance and security policies, standards and procedures and manage and execute cybersecurity awareness programs for the organization, driving a security-minded culture across employees, contractors and third parties. The Lead works with internal stakeholders and external cybersecurity awareness vendors to ensure the program is aligned with leadership’s expectations. This role emphasizes employee behavioral change by providing successful training and education content focused on mitigating business risk.

The Lead, IT Policy and Security Awareness is the service owner for IT governance and security policy, standard and procedures management and the Security Awareness Program.

Successful candidates combine business acumen, effective communication and technical aptitude to provide cybersecurity content serving all levels of proficiency, from beginners to experts, as well as develop effective, clear and concise IT governance and security policies, standards and procedures that align to existing and future needs and risk reduction objectives. The Lead measures the efficacy of the cybersecurity awareness program, communicates metrics to security leadership and makes recommendations to improve the company’s resiliency. In addition, the coordinator is adept at developing trust and earning respect so that regardless of employee ability, all feel welcome to ask questions, share feedback and support the mission. As a liaison between cybersecurity and the business units, the coordinator is people-centric, a security champion and an example for others to follow.

Responsibilities

• Maintain existing IT governance and security policies, standards, and procedures. Collaborate with the VP, Global Cyber and Information Security to identify, create, socialize, approve, and operationalize new policies as needed.
• Manage the document framework of continuously updated cybersecurity policies, standards, and guidelines. Create training materials to facilitate adoption.
• Lead the development and delivery of IT policy and security training and awareness programs for all employees, contractors, and approved system users to foster a culture of risk awareness and compliance.
• Benchmark IT governance policies and security awareness practices of other companies, particularly those in related industries or with similar business models. Stay updated on industry best practices and monitor the legal and regulatory environment for changes that may require updates to IT policies and practices.
• Encourage associates to move beyond mere compliance and adopt an IT governance and security mindset.
• Keep education and awareness materials engaging, while accommodating different learning methods to influence changes in employees’ behavior, such as workshops, videos, guest speakers, gamification and others.
• Disseminate strong cybersecurity content across globally diverse teams using different mediums, including, but not limited to, written and visual (video/images).
• Create and manage a metrics framework that effectively measures employee behavior and compliance with IT governance and security policies and tracks the overall effectiveness of the policy management and cybersecurity awareness program.
• Work in tandem with risk management, security and IT teams, and business leaders to assess the cybersecurity threat and regulatory landscape and align security awareness and education initiatives and content focused on behavioral change and reducing human risks.
• Collaborate with the VP, global cyber and information security to develop and implement a global information security champion program.
• Drives for continuous improvement of the policy management and security awareness programs.
• Perform other duties as assigned

Requirements

Education, Training and Previous Experience

•  
• Minimum Bachelor’s degree in Information Technology, Cybersecurity, Risk Management, Business Administration, or a related field.
• Three to five years of cybersecurity and training and education practitioner experience.
• Three to five years of experience writing and implementing IT governance and security policies, standards and procedures 

     Desired (Not Required) 

• Preferable, but not required: Industry-related legal, compliance, information security or business continuity management certification such as GSEC, GISP, CRISC, CISSP
• Experience with Policy management tools
• Knowledge of relevant laws, regulations, and industry standards, such as SOX, GDPR, ISO 27001, NIST, etc.
• Experience with policy, standards and procedures requirements aligned to compliance requirements and standards such as CMMC, ISO 27001, NIST 800-53 or NIST 800-171
• Experience with Marketing

Technical and Business Experience

• Experience in planning, organizing, writing and implementing IT governance and security policies, procedures and practices.
• Experience with security awareness training tools and platforms. This may include experience with learning management systems (LMSs), authoring tools, Phishing test tools and other training delivery platforms.
• Experience with project management and delivery. This includes the ability to develop and implement training plans, track progress, and measure results.
• Experience with adult learning principles. This includes the ability to design and deliver training that is relevant and effective for adult learners.
• Experience with marketing and/or business communication. This includes internal HR communication to employees, external marketing or other roles involving mass communication in a business or professional setting.
• Experience developing and using materials to support various learning styles and roles.
• Preferable experience communicating with geographically dispersed employees, across multiple languages and cultures.
• Experience in delivering content across multiple business units, as well as remote and in-office teams.

Knowledge and Skills

• Excellent writing skills to ensure policies, standards and procedures achieve the desired outcomes while being clear and concise.
• An ability to apply a pragmatic approach to policy, standards and procedures development and implementation that meets regulatory and business requirements while avoiding unnecessary complexity, driving adoption and desired behaviors.
• An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily understood and actionable manner.
• An ability to effectively influence and convince others to make appropriate changes in their priorities and behaviors for the benefit of the organization.
• An ability to coordinate activities on behalf of Information Security with HR, Risk Management, and Compliance functions.
• An understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business, balancing risks with achieving business outcomes.
• Excellent communication and collaboration skills, with the ability to work effectively with IT and business stakeholders at all levels of the organization.
• Excellent presentation and storytelling skills, with the ability to explain technical concepts to both technical and non-technical audiences.
• High degree of initiative, dependability and ability to work with little supervision.
• Proven ability to track and measure policy and awareness and training
• Strong understanding of existing and emerging social engineering tactics and other threat actor tactics that exploit human behaviors.
• Proven ability to foster credibility with technical teams and external constituents through sustained industry knowledge.
• Excellent prioritization capabilities, with an aptitude for breaking down work into manageable parts, effectively assessing the priority and time required to complete each part

Lincoln Electric is an Equal Opportunity Employer. We are committed to promoting equal employment opportunity for applicants, without regard to their race, color, national origin, religion, sex (including pregnancy, childbirth, or related medical conditions, including, but not limited to, lactation), sexual orientation, gender identity, age, veteran status, disability, genetic information, and any other category protected by federal, state, or local law.