Director - Cybersecurity, Governance, Risk & Compliance at American Woodmark

Posted in Other 28 days ago.

This job brought to you by CareerBuilder

Location: Winchester, Virginia

Job Description:
PURPOSE: The Director, Cybersecurity, Governance, Risk & Compliance position will provide overall leadership in the area of information security and risk management for American Woodmark's technology operations. This position will interact with all levels of management across all business units, will report directly to the CIO and is based out of the company's headquarters in Winchester, Virginia. This role will provide thoughtful leadership and subject matter expertise in delivering a holistic, standards-based cybersecurity and risk management program (based on COSO, ISO 27000, NIST (CSF), ITIL and PMI-PMBOK) aimed at mitigating risk, ensuring continuity of operations and safeguarding the company's information assets. Overall, this role will have the primary responsibility to develop, deploy and continuously update the Cybersecurity Strategy, Cybersecurity and Risk Management Program, and Cybersecurity Management System. This position will be responsible for providing enterprise security administration, identity & access management, and access to all business applications, in addition to account provisioning. The role designs and builds security architectures, ensures compliance with security policies and procedures, and resolves access problems and security incidents. It enforces security policies and monitors all platforms by reviewing all security violations and investigating security exceptions, and provides direct support to management, end-users, auditors, and IS team members. This position requires flexibility and agility with the ability to provide insight and support on complex technical issues, including problems with hardware, software, network infrastructure and other related technologies. This role requires a high level of customer service throughout the organization with a primary focus on systems availability, responsiveness, connectivity, cybersecurity, and established service level metrics.

This position will plan, execute, and manage multi-faceted projects related to cybersecurity risk management, mitigation and response, compliance, control assurance, and user awareness. Additional focus is on fully deploying a cybersecurity management system, including policies, controls, processes and standards, and ensuring the effectiveness of solutions for the organization. The role provides expertise to ensure the company's infrastructure and information assets are protected and implements appropriate tools, including border routers, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), virtual private networks (VPNs), network security, wireless security, endpoint security, mobile device security, 3rd party services security, etc. It performs security assessments and security attestations, and manages and directs on-going security monitoring of information systems, including assessing cybersecurity risk through qualitative risk analysis on a regular basis, conducting functional and gap analyses, and recommending new cybersecurity technologies and counter-measures against threats to information or privacy. This position requires strong analytical, communication and technical skills with knowledge of cybersecurity, risk management and related technologies.

The organization depends on a capable Director, Cybersecurity, Governance, Risk & Compliance to effectively define, deploy and oversee the company's cybersecurity and risk management program by focusing on these eight key responsibilities:

- Strategy & Planning
- Cybersecurity Services & Operations
- Information & Data Security Management
- Incident Management, Monitoring and Reporting
- Governance, Risk Management & Compliance
- Security & Risk Assessments
- Disaster Recovery
- Leadership and Management

ESSENTIAL FUNCTIONS:

Strategy & Planning
- Develop and maintain a standards-based Cybersecurity Framework and underlying policies, controls, processes, procedures and best practices (e.g. COSO, ISO 27000, NIST (CSF), ITIL, PMI-PMBOK).
- Develop, deploy and continuously update the Cybersecurity Strategy, Cybersecurity and Risk Management Program, and Cybersecurity Management System.
- Ensure appropriate administrative, physical and technical safeguards are in place to protect information assets from internal and external threats.
- Develop and deploy effective staff and organizational training and awareness programs to increase security across the enterprise.
- Utilize LEAN strategies and methodologies to optimize work processes and realize cost and resource efficiencies.
- Research, evaluate, and recommend information security-related hardware and software, including developing business cases for security investments.

Cybersecurity Services & Operations
- Support the IT Change Request process to acquire, configure, and install hardware and software for new requests and configuration changes to production systems.
- Provide expert technical input to the project planning process as requested.
- Regulate access and security to all critical business systems. Ensure proper managerial approval is documented and recorded for auditing purposes.
- Implement and monitor system security procedures such as system updates and access control to maintain system integrity and availability.
- Provide Standard Operating Procedures, Policies, and Work Instructions to the Service Desk for new and emerging technologies or identified issue resolution.
- Assist and support a service-oriented, customer-focused IT function that supports ongoing operations that drive efficiency, quality, customer service and growth.
- Provide elevated support and issue resolution as required after-hours and on weekends.
- Assist and support the root cause analysis process for all infrastructure and cybersecurity related incidents.
- Assist and support problem tracking, RCA templates, post-mortems, action item follow-up, and monthly metrics.
- Work and collaborate with suppliers to administer and support relevant cybersecurity services.

Information & Data Security Management
- Define, develop, and validate baseline security configurations for operating systems, applications, and networking & telecommunications equipment, including policy assessment and compliance tools, network security appliances, and host-based security systems.
- Oversee and advise all technology projects to ensure security requirements are assessed and addressed throughout the project life cycle and that security controls are implemented and enforced.
- Develop security processes and procedures, and support service-level agreements (SLAs) to ensure that security controls are managed and maintained.
- Research, evaluate, design, test, recommend and plan the implementation of new or updated cybersecurity technologies; track threats and security alerts and recommend remedial actions.

Incident Management, Monitoring and Reporting
- Develop and deploy the appropriate security incident and vulnerability management processes, including design, implementation and continuous improvement.
- Report to management on residual risk, vulnerabilities, and other security exposures, including misuse of information assets and noncompliance.
- Assist security administrators and IT staff in the resolution of reported security incidents.
- Provide second and third-level support and analysis during and after a security incident.
- Monitor daily or weekly reports and security logs for unusual events and act as a liaison between incident response leads and subject matter experts.
- Support e-discovery processes, including identification, collection, preservation, and processing of relevant data.

Governance, Risk Management & Compliance
- Support a comprehensive enterprise cybersecurity program to ensure the integrity, confidentiality and availability of relevant data.
- Assist and support the establishment and enforcement of policies, processes, standards and methodologies, including those for architecture, cybersecurity, disaster recovery and service provision.
- Assist and support the establishment and implementation of comprehensive approaches to cybersecurity and risk management.
- Assist and support the establishment and implementation of an ITIL/ISO/NIST based cybersecurity framework.
- Assist and support the establishment, development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
- Work with Internal Audit and outside consultants as appropriate on required assessments and audits.
- Participate in development of a strategy for cohesively dealing with audits, compliance checks and external assessment processes for internal/external auditors, PCI, SOX, HIPAA and other applicable standards.
- Support annual and long-range cybersecurity and compliance goals, strategies, metrics, reporting mechanisms and program services.
- Maintain an awareness of existing and proposed security-standard-setting groups, state and federal legislation, and regulations pertaining to cybersecurity. Identify legal and regulatory changes that will affect cybersecurity policy, standards and procedures, and recommend appropriate changes.
- As a member of the enterprise architecture (EA) team, provide strategic and technical guidance.
- Develop, deploy and update the Cybersecurity Management System documentation, including the review and formal approval process for policy updates.
- Ensure cybersecurity policies, controls, processes and standards are documented and meet or exceed industry standards, compliance requirements and customer/client expectations.
- Identify and assess compliance and data protection risks associated with the company's business initiatives, IT development, and practices, especially as they relate to the management of data and sharing information with third parties, including outsourcers.
- Conduct root cause analysis and lead corrective action efforts so that process breakdowns are addressed, escalated, and resolved.
- Support information governance & compliance requirements: data protection & privacy, records retention, eDiscovery and regulatory reporting.

Security & Risk Assessments
- Develop a risk assessment roadmap built on a risk-based methodology, taking into consideration the security, regulatory and compliance requirements.
- Identify, introduce and implement appropriate procedures, including checks and balances, to test safeguards on a regular basis.
- Thoroughly conduct and complete annual reviews, vulnerability scans, penetration tests and audits as required, engaging both internal business partners across the organization and external resources.
- Identify authoritative sources, key controls, and testing methodology for cybersecurity risk assessments.
- Define and execute an annual risk assessment plan, and gain sign-off on the plan from key stakeholders.
- Utilize the risk assessment process to educate process owners on cybersecurity risks, risk management and appropriate remediation options.
- Engage in preparation for and participate in external and internal audits. Accountable to prove to internal and external auditors that the program is effective, as exemplified by identified deficiencies, risk remediation or risk acceptance.
- Work with business units and other functions to identify security requirements, using methods that may include risk and business impact assessments, including business system analysis and communication, facilitation, and consensus building.
- Participate in security investigations and compliance reviews, as requested by internal or external auditors.
- Manage relationships with the audit group, receive audit findings, and manage the collection of responses and remediation plans with owners.
- Provide oversight and management of audit finding remediation, including generating requirements for full remediation, providing feedback and suggestions on managerial responses to findings, and tracking progress and providing status and updates to the enterprise compliance team for reporting purposes.
- Oversee cybersecurity risk remediation, including risk tracking and escalation.
- Establish and oversee a formal vulnerability and testing program.

Disaster Recovery
- Work with business and IT management to develop and deploy disaster recovery strategies, policies, controls, processes, procedures and technologies that are tested on a regular basis.
- Identify critical business processes and define the system requirements and procedures which should be implemented to minimize the impact on the organization and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls.

Leadership & Management
- Work with IT leadership to develop strategies and plans to enforce security requirements and address identified risks.
- Establish the appropriate management cadence, operating dashboards and governance to align IT with the overall business objectives.
- Operate in a direct, transparent and data-driven fashion, be an effective communicator and forge strong day-to-day working relationships.
- Build strong technology vendor partnerships, and be able to manage multiple vendor relationships to ensure the best performance and financial return.
- Establish departmental goals and performance objectives that deliver best-in-class information technology services and solutions to the organization.
- Develop and implement training programs to increase the overall knowledge, skills, and capabilities of the IS organization.
- Establish and track meaningful departmental performance measurements. Analyze reports, measurements and external benchmarks to identify opportunities for continuous improvement.
- Develop a LEAN culture to drive continuous improvement.
- Manage all departmental functions such that goals and objectives are consistently achieved.
- Perform those administrative activities necessary for the effective management of the department, including provision for the selection and development of employees, pay administration, budget administration, employee safety, employee counseling and motivation, organization goals and objectives, and planning, organizing, integrating and measuring the work performed within the department.
- Adhere to company policies, procedures, and ethics codes and ensure that they are communicated and implemented within the department.

QUALIFICATIONS: To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and ability required.

Education
- Bachelor's Degree in Computer Science, Information Systems, Cybersecurity or other related field, or equivalent work experience.

Experience and Skills
- Typically requires 7 or more years of combined IT and security work experience with a broad range of exposure to systems analysis, application development and systems administration, and over 5 years' experience designing and deploying security solutions.
- Audit, Compliance, or Governance experience preferred.
- In-depth knowledge and understanding of information risk concepts and principles, as a means of relating business needs to security controls.
- Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
- Knowledge of common IT service management, cybersecurity and risk management frameworks, such as ITIL, ISO 27000, NIST (CSF), COSO and COBIT.
- Knowledge of the fundamentals of project management, and experience with creating and managing project plans, including budgeting and resource allocation.
- In-depth knowledge of risk assessment methods and technologies.
- Skilled in performing risk, business impact, control, and vulnerability assessments.
- Strong understanding of business applications, including ERP and financial systems.
- Excellent technical knowledge of mainstream operating systems and a wide range of security technologies, such as network security appliances, identity and access management (IAM) systems, anti-malware solutions, automated policy compliance tools, and desktop security tools.
- Ability to develop, document, and maintain security policies, processes, procedures, and standards.
- Knowledge of network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
- Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
- Requires in-depth knowledge of security issues, techniques and implications across a broad range of common computer platforms.

Certifications & Licenses
- Requires Security Certification(s) (i.e. Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM)).

Language Skills: Ability to read, analyze, and interpret common business and technical journals. Ability to listen and communicate effectively with customers/clients in an effort to respond to common inquiries or complaints from customers/clients, regulatory agencies, or members of the business community and public. Ability to develop and make presentations to public/employee groups.

Mathematical Skills: Ability to add, subtract, multiply and divide in all units of measure, using whole numbers, common fractions, and decimals. Ability to compute rate, ratio, and percent and to interpret graphs and diagrams.

Reasoning Ability: Ability to define problems, collect data, establish facts, and draw valid conclusions. Ability to interpret an extensive variety of technical instructions in mathematical or diagram form and deal with several abstract and concrete variables.

PHYSICAL DEMANDS: While performing the duties of this job, the employee is regularly required to sit and talk or hear. The employee frequently is required to use hands to finger, handle, or feel and reach with hands and arms. The employee is occasionally required to stand and walk.

WORKING ENVIRONMENT: Typical office environment. The noise level is usually moderate. Out of town travel will be required up to 50%. Occasional weekend work.

Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled