The purpose of the Chief Information Security Officer (CISO) is to establish and maintain a County-wide information risk management program that ensures information assets are adequately protected, meets compliance and regulatory requirements, and aligns with and supports the risk posture of the organization. The CISO will proactively work with County agencies to implement practices that meet defined policies and standards for information security.
The CISO serves as the process owner of all ongoing activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information, in compliance with the organization's information security policies. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization.
Minimum education and/or experience:
BS or BA degree in Computer Science or other technical/scientific field and ten (10) years of experience in Information Security and/or risk management. Any combination of education and experience may be substituted for the Information Security and risk management experience. A minimum of five (5) years of management experience in Information Security or risk management is required, regardless of education.
Preferred education and/or experience:
Master’s degree in Business Administration (MBA) or Master’s degree in a technical field and ten (10) years of experience in Information Security and/or risk management, which includes: a minimum of five (5) years of management experience, including direct supervision of employees and budgetary responsibility; a minimum of four (4) years of experience in a security leadership role; a minimum of two (2) years designing security solutions on an enterprise scale; two (2) years of experience supporting criminal justice and/or law enforcement organizations.
Knowledge, Skills, and Abilities:
The CISO must be highly knowledgeable about the business environment and must ensure that information systems are maintained in a fully functional and secure mode. Must have the ability to act calmly and competently in high-pressure, high-stress situations. Must be a critical thinker with strong problem-solving skills. Excellent analytical skills, able to manage multiple projects under strict timelines, work well in a demanding dynamic environment and meet overall objectives. Project management skills; financial/budget management, scheduling and resource management. Must have the ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals. Must have knowledge of IT audit and information security frameworks. Must have the ability to work well with people from all levels of the organization with varying degrees of technical experience; ability to express complex technical concepts clearly and concisely, both verbally and in writing. Must be able to coordinate disparate drivers, constraints and personalities while maintaining objectivity and a strong understanding that security. Strong skills in business management. Working knowledge of information security technologies.
Preferred special requirements: CISSP (Certified Information Systems Security Professional) Certification, Certified Information Security Manager (CISM).
NOTE: Degrees/credits must be from an academically accredited college or university as recognized by the U.S. Department of Education (USDE) or the Council for Higher Education (CHEA).
Essential Job Tasks:
Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization. This includes developing and implementing County IT Information Security policies, standards, procedures and guidelines and providing periodic reporting on the current status of the information security program to enterprise risk teams and County management as part of a strategic enterprise risk management program. Evaluate County organizational compliance with all applicable elements of County information security policies, standards, guidelines, and procedures. Serve as a technical expert for security frameworks including ISO27000 series, NIST, and COBIT. Interface with IT auditing agencies both internal and external to the County. Facilitate the remediation of open audit issues. Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls. Evaluate network threat analysis data and risk assessment results to identify and recommend appropriate security controls/solutions. Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk. Coordinate information security and risk management projects with resources throughout the organization. Create, communicate and implement a risk-based process for vendor risk management, including assessment and treatment for risks that may result from partners, consultants and other service providers. Develop and deliver relevant training plans for Maricopa County employees and contractors. Ensure alignment between the security and enterprise architectures, coordinating the strategic planning implicit in these architectures. 
Provide mitigation plans for risks to Maricopa County technological or informational assets that minimize risk to the County while at the same time allow County agencies to leverage technological assets. Develop and direct the County information security incident management and response program. Develop and manage information security budgets. Coordinate the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
The Maricopa County Human Resources Department reserves the right to admit to the exam process only those candidates considered to be the most highly qualified. Those selected will be scored based on evaluation of listed education and experience. The hiring authority will interview and select the successful candidate from a pool provided by Human Resources.