Senior Director/Director Cybersecurity

Our present and future success depends on the creative and dedicated people of our company who demonstrate the principles outlined in the APS Promise: Design for Tomorrow, Empower Each Other and Succeed Together.

Cybersecurity at APS is more than protecting systems. It's about protecting the people and communities who count on us to keep the lights on. We're looking for a senior cybersecurity leader to step into our CISO (Chief Information Security Officer) role and shape how we defend the company, our customers, and the operations behind one of Arizona's most essential services.

The role

You'll set the long-term strategy for cybersecurity and compliance across APS, with accountability for the security of our IT and operational technology, the privacy of customer and employee information, and our standing under SOX, NERC CIP, Export Control, and related regulations. You'll be our company's primary cybersecurity advisor to senior leadership and the Board of Directors, translating risk into the business and financial terms that drive real decisions.

Day to day, you'll lead the enterprise cybersecurity program, security governance, incident response, and the work that keeps our compliance posture strong. You'll partner closely with business units and emergency management to support APS's resiliency goals, oversee internal audits, and represent APS in industry forums and with law enforcement and government partners. You'll also lead and develop the team that makes all this possible.

What we're looking for

• A senior cybersecurity leader who has built and run enterprise programs, ideally in a regulated or critical infrastructure environment.
• Deep fluency in cyber risk across IT and OT, with real command of NERC CIP and SOX.
• Someone who can sit across from executives and a Board of Directors, discuss risk, and advise them as they make decisions.
• A track record in security governance, audit, and regulatory compliance.
• A steady, credible presence who earns trust inside the company, across the industry, and with the agencies we work alongside.

• BS in Computer Science, Business, or related degree or equivalent. MBA or Master's degree preferred.
• Comprehensive IT technical and managerial knowledge and perspective with a minimum of ten (10) years' experience in cybersecurity, enterprise architecture, IT audit, regulatory compliance, or business systems integration.
• Five (5) years in leadership position(s) in one or more of those roles.
• Significant knowledge of business processes, competitive trends, and developments in information security and regulatory compliance including risk assessments, data protection, and disaster recovery planning.
• Proven experience in creating and overseeing regulatory compliance programs.
• Significant knowledge of Information Systems technologies.
• Demonstrated effective oral, written and presentation communication skills; marketing and negotiation skills; and highest quality interpersonal and people management skills.
• In-depth knowledge of NERC CIP and SOX regulations. Must hold or be eligible for U.S. National Security Clearance at the Secret level. Desired certifications include CISSP, GIAC GCIH, GIAC GCIL, and/or CISM.

Preferred Skills & Experiences

• Background in IT architecture, engineering, or platform delivery, with a solid understanding of how systems are designed, built, and run
• Experience leading the implementation of security capabilities, not just setting policy, but delivering and operating solutions
• Ability to collaborate with multiple IT and business teams to embed security into day-to-day IT operations and delivery (cloud, infrastructure, applications, DevOps) in a practical, low-friction way
• Strong communicator who can translate technical risks into clear business terms and influence across all levels of the organization
• Proven ability to drive change and adoption, bringing teams along and making security part of how work gets done
• Pragmatic, risk-based mindset that balances protection with business needs and operational realities

1. Lead the enterprise cybersecurity program to safeguard APS operations, uphold brand integrity, and fulfill customer and regulatory requirements
2. Govern, and provide strategic direction for, the enterprise privacy program to protect customer, employee, and contractor information.
3. Provide oversight, leadership, and direction for all cybersecurity compliance initiatives including SOX, NERC CIP, Export Control, and other applicable regulations.
4. Serve as primary cybersecurity advisor to executive leadership and Board of Directors.
5. Translate cybersecurity risk into business and financial impact to support executive decision-making.
6. Oversee coordination and facilitation of internal audits. Collaborate with internal audit group to ensure audit findings and recommendations are addressed, and any risks or exposures are properly mitigated.
7. Lead security governance activities including risk assessment, policy development, policy compliance, security strategy, security programs, awareness/training, and incident response.
8. Work closely with operational business units and the corporate emergency management program to provide comprehensive and integrated support to APS's business resiliency goals.
9. Represent APS in industry forums. Act as APS subject matter expert for cybersecurity and compliance policies, programs, and practices.
10. Promote best practices approach in support of company-wide information security initiatives.
11. Identify and evaluate trends and implement as appropriate to maximize operational effectiveness and reduce company cybersecurity or privacy risk.
12. Provide strategic and tactical guidance and vision for all cybersecurity matters.
13. Maintain relationships with local, state, and federal law enforcement and other related government agencies.
14. Provide leadership, employee development, and facilitation of performance management tools including Performance Management process, compensation administration, and coaching and discipline.

This position may require access to and/or use of information subject to control under the Department of Energy's Part 810 Regulations (10 CFR Part 810), the Export Administration Regulations (EAR) (15 CFR Parts 730 through 774), or the International Traffic in Arms Regulations (ITAR) (22 CFR Chapter I, Subchapter M Part 120) (collectively, 'U.S. Export Control Laws'). Therefore, some positions may require applicants to be a U.S. person, which is defined as a U.S. Citizen, a U.S. Lawful Permanent Resident (i.e. 'Green Card Holder'), a Political Asylee, or a Refugee under the U.S. Export Control Laws. All applicants will be required to confirm their U.S. person or non-US person status. All information collected in this regard will only be used to ensure compliance with U.S. Export Control Laws, and will be used in full compliance with all applicable laws prohibiting discrimination on the basis of national origin and other factors. For positions at Palo Verde Nuclear Generating Stations (PVNGS) all openings will require applicants to be a U.S. person.

Pinnacle West Capital Corporation and its subsidiaries and affiliates ('Pinnacle West') maintain a continuing policy of nondiscrimination in employment. It is our policy to provide equal opportunity in all phases of the employment process and in compliance with applicable federal, state, and local laws and regulations. This policy of nondiscrimination shall include, but not be limited to, recruiting, hiring, promoting, compensating, reassigning, demoting, transferring, laying off, recalling, terminating employment, and training for all positions without regard to race, color, religion, disability, age, national origin, gender, gender identity, sexual orientation, marital status, protected veteran status, or any other classification or characteristic protected by law.

For more information on applicable equal employment regulations, please refer to EEO is the Law poster. Federal law requires all employers to verify the identity and employment eligibility of every person hired to work in the United States, refer to E-Verify poster. View the employee rights and responsibilities under the Family and Medical Leave Act (FMLA).

In compliance with the Drug Free Workplace Act of 1988, the Company is committed to a work environment that is free from the effects of alcohol and controlled substances, and free from the abuse or inappropriate use of prescribed and over-the-counter medications. The Company requires employees to be subject to drug and alcohol testing that is job-related and consistent with business necessity, regulatory requirements and applicable laws.

CIP Requirement:

This position requires Critical Infrastructure Protection (CIP) access consistent with North American Electric Reliability Corporation (NERC) standards. The applicant considered for this role will be required to obtain and maintain CIP access for the duration of employment in this position. A full seven (7) year criminal history will be obtained through the pre-employment background check process (or, for current employees, through supplemental background check process) to fulfill the CIP access requirements. In addition, this position requires an additional background check every seven years to maintain access.

Hybrid: Employees in hybrid roles work both in their home offices (virtually) and alongside their colleagues (in person).

In order for employees to build strong relationships and to promote meaningful in-person interactions, hybrid employees are expected to work about 40% of their time in-person at an APS or other (non-home office) location.

• Employees are expected to reside in Arizona (or New Mexico for Four Corners-based employees).
• Working from a home office requires adequate technology and an appropriate ergonomic set up.
• Role types are subject to change based on business need.