The Senior Director, Institutional Security serves a key role in Woods Hole Oceanographic Institution (WHOI) leadership, working closely with and advising the Board, President & Director, Senior Administration, Staff Council, and other members of the WHOI community by providing leadership, strategic direction, coordination and oversight for the Institutions security policies and strategies to secure all of WHOIs physical and cyber assets. This critical role is responsible for the development and delivery of a comprehensive information security strategy and program to optimize the security posture of the Institution. This person will leverage and collaborate with institution-wide resources to facilitate information security governance, advise senior leadership on security direction and resource investments, and design appropriate policies and processes to manage information security risk. Responsibilities span a variety of complex operations to secure and protect all cyber data, physical facilities and processes to maintain and further the Institutions mission. This position is highly collaborative across the Institution and specifically with the IS department with matrix reporting to the Vice President for Business and Legal Affairs, General Counsel and to the Deputy Director / VP for Research while managing the Security/Technical Control Officer. This role may eventually include management of IS Security and oversight of the physical facilities security personnel team. Essential Functions - Strategize, develop, and lead an institution-wide security program to safeguard software and data, materials, documents, property and physical assets relating to both classified and unclassified programs.
- Support the Institutions research mission through establishment and management of high-level security programs that meet regulatory (Federal, State, Local, DOD) standards.
- Lead the development and implementation of a strategic governance structure across the Institution for the advancement of information security and risk management to ensure the integrity, confidentiality and availability of information and systems owned, controlled or processed by the Institution and its members. Establish annual and long-range security and compliance goals.
- Implement a risk classification framework and evaluate systems to identify information security risks and to ensure the security program matches business risk expectations as set by the Board and senior leadership.
- Lead the development of up-to-date information security policies, procedures, standards and guidelines, and oversee their approval, dissemination, and maintenance.
- Collaborate with IS on central services delivery to implement consistent policies and procedures for system scanning, network monitoring, incident response, malware containment, security consulting and appropriate investigations, resolutions, and responses.
- Define security strategies, metrics, reporting mechanisms, and services for continual program improvements.
- Work closely with leadership to offer a broad range of outreach services and training including user information and education, seminars, campus working groups, and direct communication and collaboration with IS managers.
- Demonstrate a commitment to diversity, inclusion and cultural awareness through actions, interactions and communications with others.
- Report to and communicate regularly with senior leadership on information security risks, best practices implementation and projects to advance the maturity of the program including contributing to the security risk report in preparation for Audit Committee of the Board of Trustees as requested.
- Collaborate with OGC to ensure that the security program is following applicable laws, regulations, and contractual requirements. This includes maintaining current knowledge on changing regulations specific to security, identifying appropriate implementation plans, and ensuring requirements are met.
- Remain current with understanding of potential and emerging information security threats, vulnerabilities, and control techniques and communicate this information as appropriate within the Institution.
- Identify appropriate on-line trainings and collaborate with internal LIMS support personnel to ensure security-related training is taken by cleared personnel.
- Collaborate with Facilities to help ensure construction and accreditation of NISPOM and ICD-705 spaces meets security requirements.
- Ensure development of long-term capital and operating budget financial planning activities for institutional security.
- Manage and allocate budget forecasting.
NON-ESSENTIAL FUNCTIONS: - Ad hoc responsibilities as directed by supervisor.
Education & Experience Education : - Bachelor's degree in Information Systems, Computer Science, Engineering, MIS or related discipline. Masters degree preferred.
- Equivalent combination of education and experience in IT security may be considered in lieu of degree requirement if highly applicable
Experience : - 10+ years of increasing experience in information security directly aligned to the specific responsibilities of this role.
- Department of Defense experience required. Extensive work experience in higher education, scientific research organization is highly desirable.
- Ability to obtain national security clearance is essential.
- Extensive experience with development of information security policies/procedures, application design, information analysis and reporting, networking and systems integration, security control, audits, risk analysis and disaster recovery. Demonstrated ability to successfully execute programs that meet the objectives of excellence in a dynamic environment.
- Demonstrated skills in the identification of business process improvements and the application of technology to optimize business practices
- Proven experience conducting/ managing case intake, documentation, investigation and resolutions process for security and risk management issues
- Prior experience working with external auditors and regulators as firm representative for cyber security standards.
- Must have a demonstrated track record of success developing and implementing an information security infrastructure and comprehensive technology strategy that is both aligned with and supports the current and future goals of a large, private research institution.
- Understanding of information security laws and regulations, including but not limited to HIPAA, FERPA, GLBA, CALEA and accepted industry practices
- Knowledge of forensic techniques for investigating incidents, determining root causes and the extent of total exposure
- Knowledge of contemporary hardware, software and network architectures and how security policy can best be implemented within these architectures.
- Knowledge of authentication, authorization and encryption technologies; network hardware and typologies.
- Demonstrated effectiveness in oversight and coordination of activities involving professionals from different internal organizations.
- Experience giving formal presentations, seminars and consulting internal clients
- Experience with developing security practices as a people problem vs. a technical problem.
Soft Skills : - Commitment to diversity and to serving the needs of a diverse population.
- Excellent analytical, written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences.
- Ability to develop and maintain effective working relationships with a variety of stakeholders
- Must be a collaborative, articulate and persuasive leader who can serve as an effective member of the management team
- Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
- Agile, versatile, flexible and the ability to work with constantly changing/evolving priorities.
Special Requirements - Must be a U.S. Citizen in order to obtain a DoD security clearance at level Secret or above
Physical Requirements Physicalduties for this position include but are not limited to, ability to liftless than 25 lbs and carry 0-10 lbs. Visual abilities to include near and ability todistinguish basic colors. Hearing requirements include the ability to hear and respond to instructions.Other physical tasks include occasional standing/walking, repetitive motion. Other occupational requirements include talking, traveling as required for business objectives, working around others, and with others. Will be exposed to electrical/mechanical/power equipment hazards and prolonged work hours.Physicalduties are subject to change. |
