SANS ISC: InfoSec Jobs
Business Information Security Officer (BISO)
Company CNA
Location Scottsdale, AZ
Preferred GIAC Certifications GIAC including but not limited to GSLC, GMON, GCIH, GCIA
Travel 35%
Salary Not provided
Contact Name Joe Butler
Contact Email joe.butler/at/
Expires 2021-12-04

Job Description

Job Summary

The Business Information Security Officer will be a member of the Global Information Security (IS) organization, responsible for providing management, oversight and direction for Information Security for CNA National Warranty, in alignment with the overarching Information Security strategy and guidelines of CNA.

You will work closely with CNA National Warranty Chief Operations Officer (COO) and other Technology leaders and will be supporting the group/team by developing a deep understanding of the business in order to have specialized information security risk-based discussions. This relationship will ensure a focus on the right risk priorities. You will also provide guidance on information security topics, policies, and controls.

Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:

• Liaises between CNA Information Security and the CNA National Warranty IT team to implement Information Security policies, processes and procedures; advises CNA National management on risk issues related to information security and recommends actions in support of CNA's wider risk management and compliance programs.
• Develop a robust understanding of National Warranty’s operating model and client risk factors to provide a balanced perspective on security risk mitigation measures. Collaborate with business and technology leaders so that desired security outcomes can be accommodated in partnership with CNA’s business objectives.
• Oversees IT risk management for CNA National Warranty, including the identification, analysis and measurement of risks; monitoring and reporting on IT risks and disposition of risks in partnership with CNA Information Security and Risk Management teams.
• Establishes and directs the design, development, testing and implementation of Information Security strategies, plans, products and other access control techniques. Identifies emerging vulnerabilities, evaluates associated risks and threats and provides countermeasures in partnership with CNA Information Security.
• Manages the reporting, investigation and resolution of information security incidents. Works with and consults with business leaders on potential data breaches. Oversees digital forensics activities to support HR, Legal or other stakeholders while maintaining appropriate chain of custody.
• Responsible for implementing security standards, procedures and guidelines to prevent the unauthorized use, release, modification or destruction of data across multiple platforms and environments, in alignment with CNA corporate standards.
• Provides insights on emerging security issues to CNA National Warranty leadership and/or the CNA Information Security team, and provides guidance and advocacy regarding the prioritization of CNA investments that impact information security.
• Oversees staff supporting the Office of the General Counsel in the collection, delivery and presentation of electronic evidence regarding litigation for and against the company. Provides services to manage the full lifecycle of electronically stored information to those ends.
• Works closely with Corporate Security and Safety to ensure common approach to threat and intelligence analysis, risk management, training and awareness, compliance, and crisis management.
• Ability to quantify the security risk issues/concerns from a financial impact to the firm perspective. Understand and incorporate resource availability so security mitigation risk recommendations are realistic and achievable within CNA’s budget, or partner with leadership on securing necessary funding to support these measures.
May perform additional duties as assigned.
• Maintain contact with industry security standard setting groups and awareness of State and Federal legislation and regulations pertaining to data privacy, information security and business continuity.
• May be called upon to speak to customers or prospects about CNA’s Information Security and Data protection capabilities.
• Direct and lead risk assessment and management processes for third-party vendors and suppliers.
• Evaluate new projects at CNA National Warranty to ensure that security issues are proactively identified and appropriately remediated. Provide transparency into risks to senior business leaders.
• Develop or adapt communications and related campaigns for information security awareness among CNA National Warranty staff.

Reporting Relationship
This position reports directly to CNA’s SVP & Chief Information Security, with dotted line reporting to CIO of CNA National Warranty.

Skills, Knowledge & Abilities
• Senior level understanding of multiple aspects of information security, risk management and business continuity management, including: security policies, security and risk management frameworks, disaster recovery techniques, vulnerability management, security operations, access control and security incident management.
• Senior level knowledge of regulations (e.g. SOX, HIPAA, privacy, etc.) and internal controls.
• Excellent ability to influence change in corporate understanding and adoption of information security concepts.
• Excellent communications and interpersonal skills and ability to work effectively with peers; senior executives in IT and the business, and internal/external stakeholders.
• Ability to exercise professional judgment and assume responsibility for decisions which have impact on people, quality of service and costs.
• Advanced computer skills.
• Preferred insurance industry knowledge.

Education & Experience
• Bachelor’s degree with Master’s preferred in Computer Science or related discipline, or equivalent work experience.
• Typically a minimum of 10 years of experience in information security or related areas.
• Applicable certifications preferred (CISSP, CISA, etc.).