Reporting to the Chief Information Officer (CIO), the Chief Information Security Officer (CISO) is a member of the CIO senior leadership team and serves a key role in the University, working closely with senior administration, academic leaders, and the campus community. The CISO is an advocate for the University of Chicago's total information security needs and is responsible for the development and delivery of a comprehensive information security strategy, aligned with the University's privacy policies and objectives, to optimize the security posture of the University. The CISO leads the development and implementation of a security program that leverages collaborations and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security risk. The CISO also oversees the University's Identity and Access Management program. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the University level.
Unit-Specific Responsibilities
Strategy
1) Develop and implement a strategic, long-term information security strategy and roadmap to ensure UChicago's information assets are adequately protected; lead information security planning to establish an inclusive and comprehensive information security program for the institution.
2) Communicate security at a strategic level to executive management and the Audit Committee of the Board of Trustees.
3) Evangelize security across the organization to drive adoption of security best practices.
4) Work with senior leaders across the organization to assess and communicate acceptable levels of risk; provide guidance and counsel to the CIO and key members of University leadership on information security and IT risk matters.
5) Develop and foster the Board of Trustees' understanding of information security and risk management.
Risk Management
6) Identify, evaluate, and report on information security risks, practices, and projects to University leadership and the Board of Trustees.
7) Provide subject matter expertise on security standards and best practices (e.g. HIPAA, FERPA, PCI, FISMA/NIST, etc.).
8) Work with University leadership, Office of Legal Counsel, and relevant compliance department leadership to build cohesive security and compliance programs for the University to effectively address statutory and regulatory requirements; develop a strategy for cohesively dealing with audits, compliance checks, and external assessment processes for internal / external auditors, PCI, ITAR, HIPAA, FISMA/NIST, and other applicable standards.
9) Lead the development of up-to-date information security policies, procedures, standards, and guidelines, and oversee their approval, dissemination, and maintenance.
10) Provide executive guidance on strategies for managing vendor risk and other third-party risk.
11) Lead the development, implementation, and administration of effective and reasonable security policies, practices, standards, and controls to mitigate risk, protect data, and ensure compliance with relevant laws, regulations, and contractual requirements; provide technical leadership and executive leadership, direction, and guidance in assessing and evaluating information security risks and monitoring compliance with information security policies, standards, and controls.
12) Collaborate with and assist researchers whose research includes substantial information-related risk, liability, or compliance elements; collaborate with University Research Administration, Office of Legal Counsel, the Provost's Office, and Institutional Review Boards (IRBs) to reduce information security risk and enable research activities to be successful.
13) Examine impacts of new technologies on the University of Chicago's overall information security and risk environment; establish processes to review implementation of new technologies to ensure security compliance.
14) Develop, mentor, and manage a high performing staff of information security professionals.
15) Act as the champion for the enterprise information security program and foster a security-aware culture.
16) Oversee the evaluation, selection, and implementation of information security solutions that are innovative, cost-effective, and minimally disruptive.
17) Partner with enterprise architecture, infrastructure, and applications teams to ensure that technologies are developed and maintained according to security policies and guidelines.
18) Provide executive leadership for the intrusion detection and vulnerability management program, and report to senior leadership on the results of the program.
19) Develop organizational metrics to measure the effectiveness of the security management program, and increase the maturity of the program over time.
20) Manage institution-wide information security governance processes, including liaising with schools, divisions, and departments, to support campus-wide information security programs and project priorities.
21) Maintain strong working relationships between the Information Security organization and other IT teams to align information security practices throughout the University.
22) Direct the Identity & Access Management and IT Security & Compliance functions of IT Services and contribute to the overall development of its strategic goals, performance metrics, communication practices, and culture as a member of its senior leadership group.
23) Develop and chair an information security advisory board for the University.
Education and Awareness
24) Maintain an awareness and understanding of the current and emerging threat landscape, information security issues, and regulatory changes for higher education; advise relevant stakeholders on appropriate courses of action.
25) Create the strategy for security awareness programs and advise stakeholders at all levels on security issues, best practices, and vulnerabilities; work with groups across the University to build awareness and a sense of common purpose around information security.
26) Engage with external communities to develop knowledge and awareness of information security practices at peer organizations, to promote and increase inter-organizational ability to address common problems in information security, and to manage inter-organizational information security incidents.
27) Liaise with law enforcement and other advisory bodies as necessary to ensure that the organization maintains a strong security posture.
28) Engage in professional development to maintain continual growth in professional skills and knowledge essential to the position.
Incident Response and Investigation
29) Direct the incident response activities for the University, including management of a dedicated team.
30) Provide proactive monitoring of the University network, including management of a dedicated team.
31) Direct strategic 'threat hunting' activities.
32) Manage confidential investigations as requested by the appropriate authorities, including law enforcement engagement.
33) Perform special projects and other duties as assigned.
1) Broad knowledge of IT and IT security.
2) Combination of strategic leadership, relationship-building skills to develop and implement security programs, broad technical knowledge, and subject-matter expertise.
3) Strong interpersonal and communication skills, plus the ability to achieve goals through influence, collaboration, and cooperation.
4) Work effectively with an array of constituencies in a diverse community with distributed authority.
5) Integrity and high standards of personal and professional conduct.
6) Knowledge of and experience with key regulations affecting IT security, risk, and compliance.
7) Demonstrated ability to assess IT risk, including risk to mission; to develop strategies, policies, and procedures; and successful implementation.
8) A proven track record in developing information security policies and procedures, and successful execution.
9) Extensive knowledge of business risk, risk assessment, and risk-based decision making.
10) Communicate security and risk-related concepts to both technical and non-technical audiences (in business terms), including board level.
11) A natural influencer and coalition builder; passionate about building high-performing teams.
12) Inspire and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals; an innovative leader, problem solver, and consultant.
13) Evangelize IT security to make it a critical part of business operations; build trust and respect for the security function.
14) Excellent written and verbal communication, interpersonal, and collaborative skills.
15) Effectively prioritize and execute tasks in high-pressure situations.
16) Knowledge of security, risk, and control frameworks and standards such as NIST Cybersecurity Framework, 800-53 controls, 800-63 guidelines, ISO 27001 and 27002, SANS-CAG, FISMA, COBIT, COSO, and ITIL.
17) Understanding of cloud, SaaS, and IoT architectures, and their implications for information security strategy.
1) Standard office environment.
2) Travel across campus for meetings.
1) Sit or stand for short or extended time periods.
2) Extensively use computer.
1) Bachelor's Degree in computer science, engineering, or a related field.
2) Graduate degree.
1) Minimum 15 years of experience in information security and information technology assignments with progressively greater responsibility and authority.
2) Minimum eight years of information security leadership and management responsibilities.
3) Experience in a large, decentralized organization.
4) Experienced with contract and vendor negotiations.
5) Technical acumen including but not limited to: OSI, IT infrastructure, cloud, application development languages, tools and frameworks, database technologies, web technologies, next-gen mobile, network architecture, enterprise architecture, and directory services.
6) Experience overseeing infrastructure and processes for incident detection and response, threat hunting, and offensive security (Red Team) testing, across a wide variety of on-premise and cloud environments.
7) Experience overseeing incident response planning and testing and the investigation of security breaches, and assisting with any associated disciplinary, communications, public relations, and legal matters.
8) Security technology acumen and experience including but not limited to: firewall, intrusion detection, cyber-attack tools and defenses, encryption, certificate authority, web filtering, anti-malware, anti-phishing, identity and access management, and multi-factor authentication.
Licenses and Certifications
1) Professional certifications, such as a CISSP, CISM, CISA.
1) Resume
2) Cover Letter
NOTE: When applying, all required documents MUST be uploaded under the Resume/CV section of the application.
The University of Chicago is an Affirmative Action/Equal Opportunity/Disabled/Veterans Employer and does not discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national or ethnic origin, age, status as an individual with a disability, protected veteran status, genetic information, or other protected classes under the law. For additional information please see the University's Notice of Nondiscrimination.
Staff Job seekers in need of a reasonable accommodation to complete the application process should call 773-702-5800 or submit a request via the Applicant Inquiry Form.
The University of Chicago's Annual Security & Fire Safety Report (Report) provides information about University offices and programs that provide safety support, crime and fire statistics, emergency response and communications plans, and other policies and information. The Report can be accessed online at: securityreport.uchicago.edu. Paper copies of the Report are available, upon request, from the University of Chicago Police Department, 850 E. 61st Street, Chicago, IL 60637.
Internal Number: JR08040
About University of Chicago (UC)
One of the world's premier academic and research institutions, the University of Chicago has driven new ways of thinking since our 1890 founding. Today, UChicago is an intellectual destination that draws inspired scholars to our Hyde Park and international campuses, keeping UChicago at the nexus of ideas that challenge and change the world.