Chief Information Security Officer

About the job

Job Description

Are you a seasoned business leader with a passion for transforming security practices in an ever-changing world? The City of Raleigh is looking for a dynamic Assistant Department Director (Security) who will act as the Chief Information Security Officer (CISO). The ideal candidate will navigate business risk to spearhead our security initiatives and fortify our digital assets, seamlessly navigate a complex, evolving security landscape by balancing organizational needs, business relationships, and risk to improve the community we serve. We are in search of an executive who will turn challenges into opportunities by successfully leading a team to ensure our security program not only defends but thrives.

A key element for your success focuses on working with executive management to articulate the impact of cyber security on their department, collaborate on policy development, and advance the security posture of the city. This role isn’t just about a job; it’s your chance to shape the future of security for our City and be at the forefront of securing our digital landscape in this pivotal role in enhancing the City’s overall resilience.

Highlight Of Position Opportunities

  • Foster business relationships: Build internal and external relationships to advance the security program by collaborating with internal stakeholders, other government agencies, educational institutes, and industry leaders to share best practices and build a community focused defense to cyber threats in an innovative and engaging manner.
  • Fortify the Foundation: Build a solid foundation for security incident detection and reporting to architect and fortify our security program, making incident detection and reporting an instinctive part of our defense strategy.
  • City-Wide Security Governance: Lead city-wide security governance and guide policy development to encourage andshape the security landscape.

About City Of Raleigh IT And Security

The IT Department plays a major role in the City’s endeavors toward innovation and is recognized as one of the top Smart Cities to watch (StateTech, April 2022). The department was also recognized as the Next Century Cities Charles Benton Next Generation Engagement Award for innovative programs that use high-speed broadband to improve civic engagement and democratic participation.

The City’s IT Department Is Also Recognized For

  • In partnership with City Transportation, as IDC Government Insights’ Sixth Annual Smart Cities North America Awards recipient for the Raleigh Traffic goSmart Project in the Transportation Infrastructure category (2023)
  • Esri’s Enterprise Approach to GIS Award (2023)
  • As Drexel LeBow Analytics 50 Award for Analytics Innovation (2019)
  • IDC Smart Cities North America Award for Urban Planning and Land Use (2019)

IT works with partners in academia and other local governments on forward-thinking initiatives to improve the quality of life, realize a digital future, and foster economic development in Raleigh.

The City employs more than 4,500 staff across 20 departments that support its nearly 490,000 residents and is consistently ranked as one of the top locations in the nation to live, work and play.

Some City Accolades Include In 2023 Include

Raleigh is the 2nd Best State Capital for Safety & More – WalletHub, February

Raleigh is the 2nd Most Climate-Resilient City – Architectural Digest, February

Raleigh is 8th Biggest Boomtown – LendingTree, February

Raleigh is #4 Best U.S. City for Work/Life Balance & Mental Health – CoworkingCafe Study, January

In Ranking All State Capitals, Raleigh Ranked

#2 as Safest,

#4 for Economic Well-being,

#6 for Quality of Education and Health – WalletHub

Duties And Responsibilities

(Not intended to be all inclusive):

Establish Governance and Build Knowledge

Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security advisory board across key stakeholder departments.

Provide regular reporting on the status of the Information Security Division to City leadership including City Council, City Management and Department Directors, and peers.

Develop, socialize and coordinate approval and implementation of security policies.

Work with the City’s legal and procurement team to ensure that information security requirements are included in contracts.

Direct a targeted information security awareness training program for all employees, contractors and approve system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.

Understand and interact with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.

Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of appropriate controls based on standard security frameworks.

Lead Information Security Division in IT

Lead the Information Security Division functions across the City to ensure consistent and high-quality information security management in support of City goals.

Leadership and judgement can be considered a key emphasis for this position. Articulate ideas, build consensus, and work effectively with senior positions throughout the city as well as technical and non-technical personnel.

Determine the Information Security Division approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.

Manage the budget for the Information Security Division, monitoring and report discrepancies, and manage spending.

Manage the cost-efficient Information Security Division in IT, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.

Set the Strategy

Develop an Information Security Division vision and strategy that is aligned to organizational and departmental priorities to enable and facilitate the organization’s business objectives, and ensures senior stakeholder buy-in.

Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization.

Work effectively with departments to facilitate information security risk assessment and risk management processes that empowers our partners to own and accept the level of risk they deem appropriate for their specific risk appetite.

Mature the Frameworks

Enhance and continually mature an up-to-date information security management framework based on the following: ITIL, COBIT/Risk IT and National Institute of Standards and/or Technology (NIST) Cybersecurity Framework. The City has adopted the NIST framework for cyber security operations.

Create and manage a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.

Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.

Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, appropriate resource allocation, and increase the maturity of the information security. Review this framework periodically with stakeholders at the executive and board levels.

Build the Network and Communicate the Vision

Responsible for IT Security Policy program at the City.

Create the necessary internal networks among the Information Security Division, compliance, audit, physical security, legal and HR management teams to ensure alignment on key initiatives, advancing security as the foundation, and understanding service challenges.

Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.

Work with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.

Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.

Operate the Function

Create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of partners, vendors and any other third parties. Align with City’s Risk Management Team to negotiate and respond to City’s cyber insurance needs.

Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.

Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.

Coordinate the development and implementation of security incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.

Manage and contain information security incidents and events to protect City’s technology assets, intellectual property, regulated data, and overall reputation.

Typical Qualifications

Minimum Qualifications:

  • Proven skills in leadership of a significant IT organization, with a track record in delivering committed results in a complex and diverse environment.
  • 8+ years business management or program management in a complex organization
  • 2+ years in business operations or security operations experience

Education Required:

Bachelor’s degree in a technical (Information Technology), business, risk, or audit concentration or equivalent experience.

Preferred

Advanced degree in Business Management (MBA), information assurance, information securityrisk, audit or related field.

Certification or training in Information Security such as a Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or Certified Information Systems Manager (CISM). Certification or training in audit or risk compliance such as Certified Information Systems Risk & Control (CRISC) certification, Certified Risk Manager (CRM), Certified Information System Auditor (CISA), or Certified Internal Audit (CIA).

More Information

Apply for this job

13th Anniversary Global InfoSec Awards for 2025 now open for super early bird packages! Winners Announced during RSAC 2025...

X