Global Cybersecurity Risk Manager

King Of Prussia, PA, United States, 19406

UGI Corporation


Requisition Number: 25817

When you work for AmeriGas, you become a part of something BIG! Founded in 1959, AmeriGas is the nation’s premier propane company, serving over 1.5 million residential, commercial, industrial and motor fuel propane customers. Together, over 6,500 dedicated professionals will deliver over 1 billion gallons of propane from 1,800+ distribution points across the United States.

Job Summary

This is a leadership position reporting to the CISO. The Global Cybersecurity Risk Manager is responsible for identifying, assessing, and managing information/cybersecurity related risks within the organization by ensuring that assessments of systems, processes, and technologies align with regulatory requirements, established standards and policies informed by the NIST Cybersecurity Framework, European Union regulations, and company/industry best practices that require compliance. The Global Cybersecurity Risk Manager will work closely with cross-functional teams to help develop strategies to mitigate risks, enhance security controls to protect critical assets and data, and advise the GRC team on security exceptions and vendor security risk management practices. The Global Cybersecurity Risk Manager will also provide oversight for all security-related audits, assessments and action items from incidents under the scope of the CISO, and will promote risk awareness and enhancements to the control environment.

Duties and Responsibilities

  • Advise the CISO on emerging risks and trends in the security industry and continuously assess relevant industry risk events to determine how they may impact UGI.
  • Assist in developing and driving the internal assessment plans that cover cyber security risks globally for information technology and operational technology and ensure all action plans and recommendations are tracked from internal and external assessments.
  • Support projects through a security risk lens in support of evolving technology.
  • Collaborate with ERM and other key stakeholders to establish the organization’s cybersecurity risk management strategy, expectations, and policies to align with regulatory requirements (e.g., NIS Directive, SEC, PCI, SOX, GDPR, CCPA, PUC, FERC).
  • Ensure risks and exposures are clearly understood by key partners and gain consensus from management to understand, manage, and mitigate information/cyber security risks in line with an evolving business strategy.
  • Establish a robust global process to conduct, track and report on the outcomes of internal and external control assessments, and to monitor progress on action items and recommendations.
  • Provide second line subject matter expert review and challenge (e.g., risk assessments, testing) where appropriate, including evaluation of risk prioritization to ensure a clear and collective view of risks.
  • Establish strong external connections to stay ahead of emerging threats and what the industry is doing in the cybersecurity environment. 
  • Provide regular updates on risk management activities and significant risk exposures.
  • Utilize data-driven insights to identify emerging risks and inform strategic planning.
  • Ability to develop a mentoring culture with both experienced team members and junior staff.

Knowledge, Skills and Abilities

  • This position requires keen external focus and avid learning given the rapid pace of change globally.
  • Resourcefulness, good judgment, persistence, the ability to influence others and strong executive presence are some of the qualities of a successful candidate. 
  • Executive level communication skills, both oral and written, and the ability to partner effectively with multiple business groups, corporate functions and external providers.
  • Represent the company’s position regarding risk matters and influence executives in a manner that is consistent with goals and objectives.
  • Consistent track record of effectively working with data to manage risk and process re-engineering, simplification and streamlining.
  • Comfortable in ambiguity and an advocate for change.
  • Driven to achieve results and adept at reading the environment and managing change.
  • Knowledge of risk management in cloud environments.
  • Ability to prioritize work and possess good time management skills.

Education and Experience

  • Bachelor’s degree in Computer Science, Information Systems, Cyber Security or Information Technology.
  • Master’s degree (preferred) in Cybersecurity, Risk Management or Business Administration (MBA) with a Cyber or Risk focus, which can provide a deeper understanding of strategic management and leadership.
  • One or more industry-standard security certifications (such as CISSP, CISM, CISA, CRISC) are preferred.
  • Experience working with a diverse set of stakeholders across complex and diverse organizational structures.
  • Experience using various risk management frameworks such as NIST, ISO/IEC 27000, FISMA, FAIR, CSA, COBIT, COSO, OCTAVE, PCI 27000 series, ITIL, NIST Cybersecurity Framework.
  • Experience in energy, financial or other regulated industries.
  • Prior managerial experience leading security or compliance teams is a plus.

 

Working Conditions

  • The Global Cybersecurity Risk Manager will collaborate closely with teams across IT, security, compliance, and business units to promote a secure and risk-aware culture within the organization.
  • The position is hybrid, with a minimum of 3 days in the office. However, this position may be considered remote based on the candidate’s skills. Travel will be required.

 

AmeriGas is an Equal Opportunity and Affirmative Action Employer.  The Company does not discriminate on the basis of race, color, sex, national origin, disability, age, gender identity, sexual orientation, veteran status, or any other legally protected class in its practices.

 

AmeriGas is a Drug Free Workplace. Candidates must be willing to submit to a pre-employment drug screen and a criminal background check. Successful applicants shall be required to pass a pre-employment drug screen as a condition of employment, and if hired, shall be subject to substance abuse testing in accordance with AmeriGas policies. As a federal contractor that engages in safety-sensitive work, AmeriGas cannot permit employees in certain positions to use medical marijuana, even if prescribed by an authorized physician.  Similarly, applicants for such positions who are actively using medical marijuana may be denied hire on that basis.
