Chief Information Security Officer

About Charles River Associates

Charles River Associates is a leading global consulting firm that provides economic, financial, and business management expertise to major law firms, corporations, and governments around the world. CRA advises clients on economic and financial matters pertaining to litigation and regulatory proceedings, and guides corporations through critical business strategy and performance-related issues. Since 1965, clients have engaged CRA for its combination of industry experience and rigorous, fact-based analysis that provides clients with clear, implementable solutions to complex business concerns. 

The Information Technology (ITS) department at Charles River Associates is a team of 40 professionals dedicated to enhancing, maintaining, and developing the firm's technology infrastructure and security. The team comprises six functions: Enterprise Applications Services; Service Delivery & Telecom; Information Security; Infrastructure, Cloud and Networks; Project Management and Procurement; and Human Resource Information Systems. Information Technology staff are based in the Boston, Chicago, College Station, New York, Oakland, and Washington, DC offices domestically, as well as London and Munich offices internationally.

Position Overview

The Chief Information Security Officer (CISO) is responsible for developing and implementing an information security program that includes procedures and policies frameworks for application security, infrastructure security, compliance and security operations. Reporting to the Chief Information Officer, the CISO will oversee the organization’s information security strategy, manage a team of security professionals, and ensure compliance with relevant laws and regulations.

The ideal candidate will possess deep technical expertise in the field of Information Security with a successful history of delivering Enterprise-wide security programs.

• Develop, implement, and coordinate enterprise-wide information security program that aligns with business needs and compliance responsibilities;
• Define and execute both vision and strategy for the entire company’s security risk management program to include organizational security, information technology, application security, and compliance;
• Build and drive a cybersecurity strategy and framework, with initiatives to secure the organization's cyber and technology assets;
• Evaluate and prioritize risks and emergent security threats throughout our organization, recommending mitigation strategies and identifying risks associated with current and future systems;
• Coordinate IT Security Governance activities, including monitoring, evaluating, reporting on, directing security efforts, and establishing security-related policies and procedures;
• Coordinate internal and enterprise communications and communicate technical information in a manner that enables effective strategic decisions for both technical and non-technical stakeholders;
• Oversee information security incident detection, response, and recovery to mitigate the impact and ensure timely resolution and communication;
• Manage all teams involved in IT security, including hiring and developing a pipeline of talent, providing training and mentoring to security team members;
• Lead a third-party oversight function to assess, onboard, and monitor key suppliers, ideally using a risk-based approach;
• Oversee the security awareness programs to educate employees about information security and their role in protecting the organization's assets;
• Perform periodic information security-related risk analyses, prioritize risks, and implement effective risk mitigation processes to protect the enterprise information assets;
• Communicate security policies and procedures to all personnel and monitor compliance, provide periodic reporting on the information security program to leadership;
• Coordinate with legal and compliance to ensure compliance with laws and regulatory requirements;
• Maintain company certifications (SOC2, ISO27001 etc.);
• Manage client compliance program including client audits, contractual compliance;
• Lead cybersecurity operation and implement contingency plans for disaster recovery protocols and business continuity plans with business resilience in mind;
• Stay current with emerging security trends, threats, and technology solutions to ensure the organization maintains a robust security posture; and
• Other duties and special projects as assigned.

Desired Qualifications

• Bachelor's Degree from an accredited institution in Computer Science, Information Technology, Engineering, Cybersecurity, Mathematics, Business, or a related field required; advanced degree in a related technical, audit, law, or security field preferred;
• 10+ years of experience in evolving information security and IT roles, including 3+ years’ experience as a Chief Information Security Officer and 5 years’ leadership/management-level experience with enterprise-level security programs, policy, and administration;
• Certified Information Systems Security Professional (CISSP) required; additional certifications (CRISC, CISA, CISM, CISSP or similar) desirable;
• Deep understanding of cybersecurity principles, frameworks, standards, and best practices, including NIST 800-53 and Cybersecurity Framework (CSF), ISO 27001, SANS, OWASP, COBIT and others. High familiarity with privacy laws across all global jurisdictions;
• Familiarity with relevant legal and regulatory compliance requirements, such as cybersecurity laws, financial regulations, data protection laws (e.g., SOC2, HIPAA, HITECH Act, GDPR), and industry-specific regulations;
• Knowledge of network architectures, including cloud security, firewalls, and intrusion detection/prevention systems;
• Knowledge of Cloud platforms, such as AWS, Azure, Google Cloud, and protecting data stored within such environments;
• Strong security architecture background with experience building and driving a cybersecurity strategy and framework, with initiatives to secure the organization's cyber and technology assets and prevent, mitigate, and recover from security breaches and incidents;
• Strong understanding of information security principles, practices, and technologies, including network security, application security, cloud security and endpoint security;
• Excellent oral and written communication skills and the ability to adapt your communication style across various audiences – technical, executive, user;
• Strong leadership skills, both within the information security business unit and as a collaborator with other business units and stakeholders;
• Demonstrated success in building and leading high-performing teams in dynamic environments;
• Strong sense of urgency, personal responsibility, accountability; self-motivated, efficient, and effective; and
• Excellent organizational and time management skills, able to initiate, organize, prioritize, and coordinate multiple & complex projects.

Work Location Flexibility

CRA creates a work environment that enables our colleagues to benefit from being together in the office to best deliver on our promise of career growth, mentorship and inclusivity. At the same time, we recognize that individuals realize a range of benefits when working from home periodically. We currently ask that individuals spend 3 to 4 days a week on average working in the office (which may include traveling to another CRA office), with specific days determined in coordination with your team. At certain times of the year (e.g. holiday periods), additional remote work options are offered to those whose work commitments permit it, although our offices remain open for those who choose or need to be there.

Our Commitment to Equal Employment Opportunity

Charles River Associates is an equal opportunity employer (EOE). All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, disability, status as a protected veteran, or any other protected characteristic under applicable law.