Security Specialist - Senior

Cleo Consulting

Ontario

Hybrid

CAD 100,000 - 130,000

Full time

Yesterday
Job summary

A leading consulting firm seeks a Senior Security Specialist to enhance cybersecurity governance for Metrolinx. The role involves developing compliance frameworks, managing security documentation, and collaborating with diverse teams to address cybersecurity threats in both IT and OT environments.

Qualifications

  • 7+ years in information security with large security projects.
  • Experience in OT environments and compliance requirements.
  • Strong understanding of GRC frameworks and regulatory requirements.

Responsibilities

  • Lead efforts to improve cybersecurity governance and compliance.
  • Develop and update security policies and procedures.
  • Assist with security audits and risk assessments.

Skills

Information Security
Cybersecurity
Governance
Risk Management
Compliance
Communication

Education

CISSP
CISM
CCSP
CISA

Tools

ServiceNow
OneTrust
AuditBoard
Microsoft Office

Job description

Assignment: RQ00146 - Security Specialist - Senior
Job Title: Security Specialist - Senior
Requisition: RQ00146
Client: Metrolinx
Start Date: 2025-06-23
End Date: 2025-12-23
Department: Cybersecurity & ESE
Office Location: 277 Front Street, 4th Floor, Toronto
Business Days: 132.00
Location: Hybrid 2 days a week on site
Public Sector Experience: Preferred

Must Haves:

  • 7+ years' experience in information security, including working with large security projects
  • 7+ years' experience in OT environments and understanding the unique governance, risks and compliance requirements of OT systems and operations
  • Expertise in security governance, risk management, and compliance, including developing road maps, policies, standards, procedures and processes
  • Strong understanding of cybersecurity, governance, risk, and compliance (GRC) frameworks and regulatory requirements (PCI-DSS, NIST, ISO 27001).

Description

  • Our project aims to strengthen Metrolinx's Cyber Governance and Compliance Program, addressing the evolving landscape of cybersecurity threats across both OT (Operational Technology) and IT environments. We are seeking a consultant with a strong background in OT/IT governance and compliance to support the development of a solid foundation for both IT and OT governance. This includes designing a roadmap, establishing an operating model, and enhancing IT compliance frameworks such as PCI and OT compliance. The consultant will play a key role in developing robust security policies, standards, procedures, risk management strategies, and compliance frameworks that effectively manage third-party risks, ensuring alignment with Metrolinx's overall business objectives.

REQUIRED EXPERIENCE/SKILLS:

  • A minimum of seven (7+) years of experience in information security, including working with large security projects.
  • Experience in OT environments and understanding the unique governance, risks, and compliance requirements of OT systems and operations.
  • Strong understanding of cybersecurity, governance, risk, and compliance (GRC) frameworks and regulatory requirements such as PCI-DSS, NIST, ISO 27001.
  • Strong communication, interpersonal, and presentation skills for engaging with diverse stakeholders.
  • Expertise in security governance, risk management, and compliance, including developing road maps, policies, standards, procedures, and processes.
  • Proven experience in contractual security requirements and third-party risk management through RFP processes and vendor evaluations throughout the procurement lifecycle.
  • Ability to work in cross-functional teams, communicating complex technical information to all levels of the organization, including leadership.
  • Proficient in cybersecurity risk management and third-party risk management tools (e.g., ServiceNow, OneTrust, AuditBoard).
  • Experience with development of security processes, procedures, and standards documentation.
  • Strong time management skills and the ability to prioritize project work and ongoing responsibilities.
  • Strong reporting and presentation skills, with the ability to communicate security risks and compliance status to executives and stakeholders.
  • Self-motivated with the ability to work independently in a fast-paced environment.
  • Proficiency with Microsoft Office tools such as Word, Excel, PowerPoint, PowerBI, Visio, and O365 SharePoint.

Deliverables

  • Lead efforts to expand and improve cybersecurity governance and compliance in both IT and OT environments, ensuring alignment with Metrolinx's cybersecurity strategy, policies, and risk management.
  • Support annual PCI assessments by collaborating with QSAs, internal teams, and business units to validate compliance and address findings.
  • Develop and update governance documents such as security policies, standards, and procedures for IT and OT, aligned with industry standards (PCI-DSS, ISO 27001, NIST, ISA/IEC 62443, CIS).
  • Lead the creation, review, and approval of cybersecurity policies and standards, ensuring they are comprehensive and applicable across environments.
  • Manage security documentation and audit artifacts to maintain accuracy and controlled access.
  • Collaborate with IT, business, product, digital transformation, vendors, and audit teams to align security strategies and remediate risks.
  • Assist GRC team in designing security-compliant solutions and provide expert consultation on security threats and controls.
  • Foster collaboration across teams by effectively communicating complex security concepts.
  • Work with project teams as a cybersecurity SME to recommend and implement security controls.
  • Maintain ongoing compliance related to regulatory requirements and Metrolinx standards.
  • Develop security processes, procedures, governance artifacts, and controls within cybersecurity programs.
  • Assist with security audits and risk assessments, ensuring compliance and remediation.
  • Communicate regularly with cybersecurity teams and stakeholders, escalating matters as needed.
  • Participate in cybersecurity awareness programs and tailor materials to Metrolinx's risks and regulations.

Additional Terms

  • A current security designation (CISSP, CISM, CCSP, or CISA).
  • Familiarity with key OT governance frameworks and standards such as NIST CSF, ISO/IEC 27001, ISA/IEC 62443.