Information Security Manager

Information Security Manager

ITS provides operational support to state agencies on a 24x7x365 basis; some positions may be required to provide this critical service at any time. Under the direction of the Executive Director of Security Shared Services (S3), within the Chief Information Security Office/Security Shared Services section, this position will assist with the oversight of the Security Shared Services Bureau. The position will supervise four or more Senior Information Security Officers SG-29 which lead teams supporting the security needs of multiple ITS dedicated agency/sector teams. The position will oversee the Incident Response Program. The position will assist with oversight of the NYS Cyber Risk Remediation Program (CRRP) and the development of products offered by the Chief Information Security Office (CISO). The incumbent will act as a member of the Chief Information Security Office Executive Leadership Team and participate in shaping and implementing the strategic vision for cybersecurity within NYS.

The position requires an incumbent to act with a great deal of independence in alignment with agency and upper-level management strategic direction. The position requires communicating orally and in writing with various individuals and groups including, but not limited to, executive management, business users and other IT staff. The incumbent must be able to communicate with clarity to subordinate staff regarding work priorities and performance. The incumbent will have to work with ITS Dedicated Support Teams and upper-level agency management to resolve technically complex and politically sensitive issues under pressure. The incumbent will have strong customer service skills and will focus on developing relationships with key stakeholders. The position requires availability during off-shift hours to ensure appropriate response to security incidents or other critical matters that may impact sensitive information, critical systems, ITS, NYS agencies, or other partners (such as local governments).

Duties include, but are not limited to:

• Assist with the direction of the Security Shared Services Bureau in developing, deploying, and maintaining processes and procedures in alignment with NYS State and agency information security policies and standards. Monitor compliance and take appropriate action as needed.
• Oversee the continued development of the ITS Cyber Incident Response Program which includes continuously improving procedures and ensuring 24x7x365 rotating coverage schedules for IR responders.
• Enhance the Secure Software Development Lifecycle (SSDLC) process in response to shifting cyber landscape and the requirements of ITS, agencies, and NYS.
• Foster and develop relationships with key stakeholders, such as the Dedicated Commissioners of Technology (DCTs).
• Provide off-hours leadership in response to cyber threats, incidents, and events on a rotating basis.
• Serve as information security expert and evaluate systems and contracts for alignment with agency and State information security policies.
• Provide advisement and expertise in the development of NYS security policies and standards.
• Assist with development and implementation of the Security Shared Services Bureau's program and associated products.
• Perform administrative and strategic functions to assist the CISO Executive Leadership team in managing the operations of the Chief Information Security Office.
• Monitor and maintain awareness of information security industry trends, tools, and techniques.
• Perform the full range of supervisory responsibilities.

Minimum Qualifications:

Information Security Manager

Non-competitive: Nine years of information technology, cybersecurity, or information assurance experience*, including three years at the supervisory level or one year at the managerial level.

*Substitutions:

A bachelor's or higher-level degree in any field including or supplemented by 15 semester credit hours in computer science or related field substitutes for three years of required experience; any bachelor's substitutes for two years of required experience.

An associate degree with 15 semester credit hours in computer science or related field may substitute for one year of required experience. Candidates in a bachelor's degree program with at least 15 semester credit hours in computer science or related field may substitute such credits for one year of required experience.

A master's degree or higher in computer science or related field substitutes for one year of required experience.

Preferred qualifications:

• Applicable Information Security certificate(s) such as CISSP, CISM, etc.

• Experience in one or more of the following areas:

• Leading information security teams
• Applying and implementing network, system, or application security
• Security policy/standard/guideline development, implementation, or interpretation
• Conducting risk assessments and evaluating information technology systems for security controls (SSDLC)
• Process development, improvement, and measurement
• Information security incident response
• Developing metrics and key performance indicators

• Strong understanding of enterprise IT environments, including but not limited to system administration, application architecture, network architecture, operating systems, and associated security controls and solutions (e.g., WAF, firewalls)

• Strong understanding of the foundations of Information Security, such as the CIA triad, information classification, identity and access management, risk management, vulnerability management, secure architecture and engineering, network security, software development security, etc.

• Excellent oral and written communication skills including the ability to clearly articulate information technology and information security concepts to a varied audience to facilitate wide understanding

• Demonstrated critical thinking, problem solving and analytical skills

• Demonstrated excellence in customer service

• Demonstrated skill in facilitating meetings, listening, and negotiating between multiple stakeholders to drive results