IT Security Manager
- Business Support Departments
- Richmond VA (Glen Allen Headquarters)
- Based on Experience
About the Information Security Team Manager
The IT Security Manager is responsible for establishing and maintaining the information security program to ensure that Elephant Insurance Services information assets and the associated technology, applications, systems, infrastructure, and processes are adequately protected. The Manager is responsible for identifying, evaluating and reporting on legal and cybersecurity risks to information assets, while supporting and advancing business objectives. This includes securing the partner ecosystem that supports production. In addition to their security role, they will be the liaison between IT and internal and external auditors and regulators.
The IT Security Manager will be responsible for implementing and running the enterprise information security program. He/she will proactively work with Elephant’s functional departments and partners to implement practices that meet agreed-on policies and standards for information security. He/she will oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes.
The IT Security Manager must be knowledgeable about Elephant internal and external business environments, ensure that information systems are maintained in a fully functional and secure mode, and are compliant with legal, regulatory and contractual obligations. This position reports to the IT Director.
- Lead the information security function across Elephant to ensure consistent and high-quality information security management in support of the business goals. Serve as a primary point of contact to all functional areas to ensure consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
- Serve as the security, privacy and compliance lead for Elephant IT. This role is the Point of Contact (PoC) for all security and privacy efforts within the organization, including Governance, Risk and Compliance, Application Security, Identity and Access Management, Security Operations Management and Audit.
- Maintain and update the security management and controls framework, based on an industry framework such as National Institute of Standards and Technology (NIST), COBIT and/or Center for Internet Security (CIS).
- Develop a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security program. Provide regular reporting to management.
- Manage a team of IT Security professionals. This includes hiring, training, staff development, performance management and annual performance reviews.
- Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
- Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
- Oversee the Security Incident Response plan and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
- Manage a risk-based process for the assessment and mitigation of information security risk arising from supply chain partners, vendors, consumers and any other third parties. Work effectively with business units to facilitate information security risk assessment and risk management processes.
- Work with Legal and Procurement to ensure that information security requirements are included in contracts.
- Manage the information security awareness training program for all employees, contractors and Production staff.
- Minimum of 7 to 10 years of experience in a combination of IT Security and IT Services, of which at least five years should be at a senior leadership level. CISM and/or CISSP strongly preferred.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and non-technical audiences
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs in a dynamic business environment
- Poise and ability to act calmly and competently in high-pressure, high-stress situations
- Must be a critical thinker, with strong problem-solving skills
- Strong knowledge and understanding of relevant legal and regulatory requirements, such as Sarbanes-Oxley (SOX) and the General Data Protection Regulation (GDPR). Strong knowledge and understanding of security and IT management frameworks, including National Institute of Standards and Technology (NIST), COBIT, Center for Internet Security (CIS) and ITIL.
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
- Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist.
- Experience with contract and vendor negotiations
- High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity