Chief Information Security Officer (CISO)

Chief Information Security Officer (CISO) / Head of Information Security

We are seeking an experienced Information Security Leader to define and execute a comprehensive enterprise security strategy. This role is responsible for safeguarding systems, data, and infrastructure while ensuring compliance with federal, state, and industry regulations.

The ideal candidate will bring deep expertise in security governance, regulatory compliance, cloud security, and incident response, along with a proven ability to lead large-scale security programs in complex, high-compliance environments.

Key Responsibilities

Security Strategy & Governance

• Develop, implement, and maintain an enterprise-wide information security strategy aligned with business objectives and customer commitments.
• Establish and oversee security governance frameworks, including policies, standards, and procedures across the organization.
• Serve as a strategic advisor to executive leadership, providing regular updates on security posture, risks, and program maturity.
• Define and track key security metrics, KPIs, and risk indicators; report findings to senior leadership and stakeholders.
• Manage the information security budget, including planning, forecasting, and justification of investments.
• Evaluate and implement advanced technologies, including AI-assisted security tools, to enhance detection, response, and automation capabilities.

Compliance & Regulatory

• Lead compliance initiatives for CJIS Security Policy, including transition to CJIS 6.0 standards (e.g., phishing-resistant MFA, FIPS 140-3 encryption, updated cloud controls).
• Manage FedRAMP authorization and continuous monitoring (ConMon) efforts, including coordination with third-party assessors, vulnerability management, and audit readiness.
• Oversee SOC 2 Type II and ISO 27001 ISMS programs, including audits, risk management, and continuous control validation.
• Ensure compliance with data privacy, residency, and sovereignty requirements applicable to government and regulated industries.
• Monitor evolving regulatory requirements and proactively align security programs to maintain compliance.
• Oversee cyber insurance coverage and collaborate with legal teams on contractual security obligations and breach response requirements.
• Act as the primary point of contact for security audits, client assessments, and compliance questionnaires.
• Support business development efforts, including RFP/RFI responses and client security discussions.

Incident Response & Threat Management

• Develop, maintain, and test the incident response program, including tabletop exercises and simulations.
• Establish or oversee Security Operations Center (SOC) capabilities, including SIEM tools, 24/7 monitoring, and threat detection.
• Lead response efforts for security incidents and breaches, serving as the primary decision-maker during active events.
• Oversee vulnerability management, penetration testing, and threat intelligence programs.
• Manage relationships with external security vendors, service providers, and relevant authorities.
• Ensure timely and compliant breach notification processes.

Security Awareness & Training

• Design and deliver an enterprise-wide security awareness and training program tailored to organizational and regulatory requirements.
• Promote a culture of security awareness across all departments.
• Develop specialized training for technical teams, including secure coding and data protection practices.
• Track program effectiveness and continuously improve training initiatives based on evolving threats.

Architecture & Engineering Partnership

• Collaborate with engineering, product, and DevOps teams to embed security-by-design principles across the development lifecycle.
• Review and approve security architectures for applications, infrastructure, and new initiatives.
• Oversee identity and access management (IAM), encryption standards, data classification, and data protection controls.
• Ensure strong cloud security posture, including secure configuration and monitoring of cloud environments and services.
• Lead application security (AppSec) initiatives, including code scanning, vulnerability management, and secure development practices.
• Implement software supply chain security practices, including dependency management and secure CI/CD pipelines.
• Drive adoption of Zero Trust architecture principles aligned with federal guidance.
• Ensure compliance with physical and remote work security requirements for sensitive data handling.

Business Continuity & Disaster Recovery

• Develop and maintain business continuity and disaster recovery (BC/DR) plans aligned with regulatory and operational requirements.
• Conduct regular testing to ensure readiness and resilience of systems and services.
• Ensure continuity plans address data protection, infrastructure resilience, and service level commitments.

Vendor & Third-Party Risk Management

• Establish and manage a third-party risk management program, including vendor assessments and security requirements.
• Ensure vendors and partners meet organizational and regulatory security standards.

Qualifications

• Bachelor's degree in Computer Science, Information Security, Information Technology, or a related field (required).
• Master's degree (preferred).
• Industry certifications such as CISSP, CISM, or equivalent (required or obtained within 12 months).
• Additional preferred certifications: CCSP, AWS Security Specialty, CISA, or FedRAMP-related credentials.
• CJIS Security Awareness certification (required or obtainable within 90 days).

Experience & Expertise

• 10+ years of progressive experience in information security, including 3–5 years in a senior leadership role.
• Deep knowledge of CJIS Security Policy (including version 6.0) and experience implementing compliant programs.
• Proven experience managing FedRAMP ATO and Continuous Monitoring programs.
• Hands-on experience with SOC 2 Type II and ISO 27001 ISMS.
• Strong understanding of frameworks such as NIST CSF, NIST 800-53, ISO 27001, and CIS Controls.
• Experience leading incident response programs and managing active security incidents.
• Expertise in securing cloud environments and implementing modern security architectures.
• Familiarity with Zero Trust principles and federal security mandates.
• Strong knowledge of data protection, privacy, and regulatory requirements for government or regulated sectors.
• Experience managing security teams, vendors, and external partners.

Skills & Competencies

• Strong executive presence and ability to communicate complex risks in business terms.
• Strategic thinking combined with hands-on execution capability.
• Excellent leadership, stakeholder management, and decision-making skills.
• Strong analytical and problem-solving abilities.
• Ability to operate effectively in high-pressure, high-stakes environments.