Director, Data Security

CLS Group

London

On-site

GBP 80,000 - 100,000

Full time

30+ days ago

Job summary

An established industry player is seeking a Data Security Manager to lead the data security program and enhance the security posture across multiple divisions. This role involves strategic oversight, risk assessment, and collaboration with various teams to ensure compliance with regulatory requirements. The ideal candidate will have a strong background in data security management, excellent communication skills, and the ability to mentor junior team members. Join a dynamic environment where your expertise will contribute to safeguarding critical information assets and driving operational excellence in data security practices.

Qualifications

  • 5-8 years of functional security expertise in data security management.
  • Experience with GDPR and other data protection laws is essential.

Responsibilities

  • Provide strategic direction for data security management.
  • Communicate vulnerabilities and remediation methods to technical teams.
  • Perform risk assessments of applications and third-party vendors.

Skills

Data Security Management
Risk Assessment
Analytical Skills
Communication Skills
Documentation Skills
Collaboration Skills
Problem-Solving Skills

Education

B.S. in a technology discipline
Advanced degree

Tools

Firewalls
IPS
DLP
Proxies
SIEM
Endpoint Protection Software

Job description

Job Purpose

The Data Security Manager will partner with multiple divisions and technical managers to enhance security aspects of the data security program. The role carries extensive oversight and control of CLS information assets, mitigating the risks of data loss at CLS in all aspects of day-to-day business. The individual will be accountable for the Data Security Program, setting strategic direction and driving operational excellence while leveraging resources distributed across several functional teams. The Data Security Manager will be responsible for analyzing potential weaknesses and identifying a roadmap to improve the security of information assets across CLS. The candidate will advise Business Owners, developers, and technical teams on options to mitigate risk. The candidate must have excellent verbal, written, analytical and interpersonal communication skills.

Essential Functions / Major Duties and Responsibilities
Strategic
  1. Provide strategic direction specific to data security management.
  2. Build and maintain a robust data security program while aligning closely with CLS's mission.
  3. Improve and manage the data security program and the company-wide security standards for the management of information assets.
  4. Contribute to the overall security strategy in its annual iterations.
  5. Provide strong knowledge of building security into business expectations for the utilization and hosting of critical CLS data/information assets.
  6. Work with the Security Architects to build security into infrastructure and architecture designs and guide the implementation with the Operations team.
  7. Provide direction and advice on projects to strengthen the overall cybersecurity posture.
  8. Assess SaaS and IaaS cloud services and virtualization technologies and provide direction and input for the maturation of the Cloud Security Framework in respect to data classification.
  9. Enhance security programs in response to regulatory requirements, internal audit and planned strategic initiatives.
  10. Foster relationships with key functional teams such as IT, Compliance, Operations, Finance, HR, Internal Audit, and Enterprise Risk to support current and future initiatives.
  11. Maintain timely understanding of CLS information assets, where they reside and how they are being utilized and hosted, and continually review opportunities to improve the overall controls around data security.
  12. Keep informed of new and updated industry frameworks and regulations: GDPR, ISO 27001/2, SANS Top 20 Critical Security Controls, NIST CSF, SP 800-53, PFMI, CPMI-IOSCO and FFIEC handbook.
  13. Keep informed of new and emerging security threats & assess effectiveness of current controls to identify opportunities for program improvement.
  14. Translate relevant directives, guidance, and rules into actionable data for consumption by the CISO and wider security teams.
Operational
  1. Communicate vulnerabilities, risks and remediation methods to business owners, developers and technical teams.
  2. Perform security testing on data controls using dynamic and static analysis tools.
  3. Integrate the defined relevant security controls into data security program.
  4. Ensure the operational security teams have the appropriate tooling/capabilities and quality assurance for data security management.
  5. Create and deliver knowledge sharing presentations and documentation to security, developers and operations teams.
  6. Learn on the job and explore new technologies independently to identify new and emerging security threats.
  7. Coordinate and maintain security policies, guidelines and procedures which communicate security controls that reduce risk to levels consistent with CLS risk tolerance.
  8. Prepare and deliver security briefings for consumption by CLS Security, CISO, Executive Management Committee, and the CLS Board of Directors.
  9. Assure compliance with security controls to identify control gaps, develop remediation plans and determine residual risk.
  10. Improve security metrics program to report key performance and risk indicators, trend statistical data and publish management reports for Internal Audit, Regulatory Exams, Risk Committee and Board reporting.
  11. Perform risk assessments of third-party vendors according to vendor criticality and vendor type to identify control gaps, develop remediation plans and determine residual risk.
  12. Perform risk assessments of applications according to application criticality and application type to identify control gaps, develop remediation plans and determine residual risk.
Leadership
  1. Provide leadership across Security functions and beyond for all aspects of data security.
  2. Individual contributor.
  3. Mentor junior members of the team technically and professionally.
Experience / Essential and Desired for Successful Job Performance
  1. 5-8 years functional security expertise with broad understanding of competencies and the lifecycle of data security management.
  2. Experience developing or managing security programs preferably across several domains including metrics and reporting for program maturity and risk reduction.
  3. Experience and/or training on GDPR requirements and other data protection laws.
  4. Experience defining program roles and responsibilities, assessing/identifying knowledge gaps across teams and implementing required training plans.
  5. Ability to collaborate effectively with others to drive forward key security objectives.
  6. Strong documentation and report writing skills (to both technical and business audiences).
  7. Excellent time management and organizational skills.
  8. Knowledge of policy frameworks and understanding of policies, procedures, guideline structure.
  9. Knowledge of firewalls, IPS, DLP, proxies, SIEM, & endpoint protection software.
Qualifications / Certifications
  1. B.S. in a technology discipline (Computer Science, Information Management, Computer Engineering, Cybersecurity or equivalent).
  2. Security certifications such as CompTIA Security+, CISSP, CISA, CRISC, CCNA, GIAC, or equivalent, or working towards certification, are preferred.
  3. Knowledge of Risk Management life cycles based on an established framework: ISO 27001, SANS, NIST SP 800-53, CERT, ENISA.
  4. Working knowledge of the following frameworks and regulations: ISO 27001/2, SANS Top 20 Critical Security Controls, NIST CSF, and FFIEC handbook.
  5. An advanced degree would enhance the candidate’s credentials.
Success Factors / Personal Characteristics Contributing to an Individual’s Ability to Excel in the Position
  1. Possess a strong service-oriented mindset to consistently deliver balanced security solutions that include people, process and technology.
  2. Possess strong technical, analytical and problem-solving skills.
  3. Self-motivated to exceed management expectations and objectives.
  4. Ability to effectively communicate complex technical issues to both business and technical staff at all levels.
  5. Strong collaboration skills to tackle complex security challenges that may span across multiple internal and external departments and groups.
  6. Able to effectively cope with change and comfortably handle risk and ambiguity, not upset when things are up in the air.
  7. Tenacious resolve and positive attitude in challenging situations.
