Chief Information Security Officer

Chief Information Security Officer

The mission of the Georgia Student Finance Commission is to promote and increase access to education beyond high school for Georgians. To achieve this mission the commission administers state and lottery-funded student financial aid programs including the HOPE Scholarship and HOPE Grant and provides college planning and other educational services to more than 2 million Georgians through GAfutures.org. The commission seeks to improve its own operations and inform policymakers and other stakeholders through analysis, interpretation and publication of information using the extensive data collected in support of its programs.

We offer excellent benefits including 13 paid holidays, 3 weeks annual + 3 weeks sick leave per year, health/life/disability benefits after 30 days, employer 401k match, medical/childcare spending account options, and deferred compensation plan. Our standard business hours are Monday through Friday from 8am to 5pm. We also offer employee recognition and a great place to work! Our office is conveniently located in Tucker only 2 minutes from I-285.

Working under broad supervision, the Chief Information Security Officer is the leader of the corporate information security function for the Georgia Student Finance Commission, to include responsibility for overall corporate security strategy and security architecture planning and development. The scope of this role covers all utilized security technologies and services, including protection services, perimeter defenses, physical and logical access control, and profile management of all employees and contractors. As the company's senior security officer, the incumbent also has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and corporate awareness.

The incumbent will work with Information Technology, Internal Compliance / Risk Management, Human Resources, operational groups, and users in the development and implementation of an IT security strategy designed to provide a high level of information security while preserving and enhancing system processes and usability. The individual must be a results-oriented person who can achieve tangible improvements in the corporate security arena. Excellent technical and communications skills are a must, as well as proven security leadership experience. The incumbent will be responsible for staff security and awareness training.

The Chief Information Security Officer will be responsible for directing the activities of the information security function. Responsibilities will include:

• Develop, implement, and manage the overall enterprise process for security strategy and associated architecture and engineering standards.
• Develop and implement policies, standards, and guidelines related to corporate security.
• Oversee the continuous daily monitoring and protection of and information systems.
• Design and implement security controls across on‑premises and cloud environments (IaaS, PaaS, SaaS), with a focus on data residency, data loss prevention, identity‑centric security, and access governance across platforms such as Microsoft 365/Azure and AWS.
• Drive the responsible adoption of emerging technologies, including artificial intelligence, by evaluating AI risks and value and integrating agentic, AI‑driven threat detection into agency workflows.
• Develop and manage an Incident Report and Response System to address organization security incidents (breaches), responding to alleged policy violations, or complaints from external parties. Serve as the enterprise focal point for security incident response planning and execution.
• Evaluate suspected security breaches and recommend corrective actions (including incidents involving outside vendors).
• Partner with Internal Compliance / Risk Management to design, implement, and manage a comprehensive Governance, Risk, and Compliance (GRC) program.
• Lead continuous information security risk assessments that identify and classify critical assets, evaluate associated threats and vulnerabilities, and drive the implementation of risk mitigation controls.
• Serve as compliance officer with respect to state and federal information security policies and regulations, working with Internal Compliance / Risk Management as necessary. Prepare and submit required security-related documents to state and federal agencies and departments.
• Develop appropriate criteria to assess the new/existing applications and/or technology infrastructure elements for compliance with enterprise security standards.
• Establish and monitor formal evaluation processes regarding enterprise security standards relating to the planned acquisition and/or procurement of new applications or technologies.
• Assist in the review of applications and/or technology environments during the development or acquisitions process to (a) assure compliance with corporate security policies and directions and (b) assist in the overall integration process regarding GSFC's own technology environment.
• Oversee the implementation of the State of Georgia security awareness and training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
• Evaluate changes to the corporate environment for security impact and present findings to management.
• Work with Information Technology on the evaluation, selection, testing, and deployment of security-related tools and services.
• Coordinate enterprise business continuity planning across business units and integrated services.

The Chief Information Security Officer will report directly to the Executive Vice President & Chief Operating Officer.

The following standards express the minimum background of education and experience as evidence of an applicant's ability to qualify for this class title. Any combination of education and experience, if evaluated as equivalent, may qualify an applicant for a position within this class.

• Bachelor's degree from an accredited college or university AND eight years in the specific field of IT Security, five years of which include team leadership or management experience.
• Knowledge of network and application protocols (IP, UDP, FTP, DNS, DHCP, routing, etc.).
• Broad knowledge in authentication systems, risk analysis, threat mitigation, and security domains.
• Ability to design and manage standards-based architecture including compliance monitoring and enforcement.
• High-proficiency level knowledge of security technologies such as cloud‑native endpoint cybersecurity platforms, physical firewalls, and virtualized firewall solutions.
• Expertise in intrusion detection systems, proxy and VPN technologies, vulnerability assessment platforms, and identity‑centric security architectures, including IAM and Zero Trust.
• Proficiency in data classification and loss prevention (DLP) specifically for high-volume personally identifiable information (PII).
• Experience with log management systems and tools, encryption, and VOIP.
• Knowledge of Linux and Windows server operating systems.
• Knowledge of business and management principles involved in strategic planning, resource allocation, leadership, production methods and coordination of people and resources.
• Strong written, verbal and facilitative communication skills, including ability to maintain cooperative and effective working relationships with colleagues.
• Strong analytical skills, critical thinking, and agility.

Preferred Qualifications:

• A college degree (BA/BS) in Information Security and ten years of experience in Information Security management, at least five of which were in a leadership role.
• Experience with CrowdStrike, Tenable, NinjaPro Anti-Virus, and vulnerability and configuration assessment products.
• Detailed knowledge of and experience in implementing and managing against National Institute of Standards and Technology Special Publications; (i.e. NIST SP 800-53).
• Detailed knowledge of and experience in implementing and managing security configuration and applications guidelines such as the Department of Defense's Security Technical Implementation Guides (STIGs) or the National Institute of Standards and Technology's National Checklist Program (NCP).
• IT industry security certification such as CISM, CISSP, GIAC, or CISA.
• Associate degree from an accredited college or university and eight (8) years in the specific field of IT Security, which includes five (5) years in a managerial or supervisory role.