| Company | NYS Office of Information Technology Services |
| Preferred GIAC Certifications | GSLC, GSTRT |
| Salary | $124,534 - $157,338 |
Reporting to the Chief Information Security Officer, the Information Security Manager will serve as the Deputy Chief Information Security Officer for the Office of Information Technology Services and the State of New York. The incumbent will provide oversight in the managing of day-to-day operations of the Chief Information Security Office (CISO) including the Strategic Planning and Program Management (SPPM), Integrated Security Services (ISS), Integrated Risk Management (IRM), and Integrated Cyber Command Center (CyCom) bureaus of the department to support the confidentiality, integrity, and availability of the State’s information assets. The selected candidate will act as a senior member of the CISO Leadership Team, helping shape and implement the strategic vision for cyber security within NYS.
The position requires the incumbent to act with a great deal of independence in alignment with agency and upper-level management strategic direction. The incumbent must be able to communicate clearly orally and in writing with various individuals including executive management, users, vendors, and other IT staff, and with subordinate staff regarding work priorities and performance. The selected candidate will have to work with ITS teams and upper-level agency management to resolve technically complex and politically sensitive issues under pressure.
The position requires availability during off-shift hours to ensure appropriate response to security incidents or other critical activities that may impact sensitive information, critical systems, NYS agencies, or ITS.
Duties include, but are not limited to:
• Collaborate with the CISO to identify and assist agencies in classifying and protecting information assets that support critical business functions and managing related cybersecurity risks in a manner consistent with the State’s overall cybersecurity risk management program and business objectives;
• Provide leadership, vision and direction for innovative problem solving (on a Statewide basis) and anticipate future needs in relation to information security industry trends;
• Coordinate information security risk management initiatives across IT and business teams, identifying, evaluating, reporting and advising executive management on cybersecurity risk, in a manner that incorporates compliance and regulatory requirements;
• Provide expertise on analyzing cyber security threats and vulnerabilities;
• Develop and guide the implementation of appropriate safeguards to ensure system resiliency, protect critical infrastructure services, and detect, contain and respond to cybersecurity incidents;
• Develop and manage information security awareness training programs;
• Provide leadership, vision and support to the Cyber Security Operations Center (SOC) activities related to threat and vulnerability monitoring including vulnerability scanning, penetration testing, threat intelligence assessment, and remediation strategies, and the effective distribution of security advisories, alerts, notices and bulletins;
• Provide leadership, vision and support to the State Cyber Incident Response Team (CIRT) activities related to prevention, detection and response to security events and intrusions affecting State information assets, including reporting and assisting State and local agencies with recovery and remediation efforts;
• Integrate security into system development processes and procedures, and provide technical security guidance for IT initiatives, including procurements, secure system architecture, and evaluation of security controls, configuration and maintenance;
• Provide support for internal and external security reviews and compliance audits, including controls recommendations to remediate negative security findings;
• Manage the CISO’s participation in agency-wide programs;
• Manage contracts related to managed security services and guide the development of unit budget and spending plans;
• Perform the full range of supervisory responsibilities.
Bachelor’s degree with at least 15 credit hours in cyber security, information assurance or information technology and six years of information technology experience, including five years of information security or information assurance experience and four years at a supervisory level or two years at a managerial level.
Note: Bachelor's degree candidates without at least 15 course credits in cyber security, information assurance, or information technology require an additional year of general information technology experience to qualify. Appropriate information security or information assurance experience may substitute for the bachelor's degree on a year-for-year basis; an associate's degree requires an additional two years of general information technology experience. Experience solely in information security or information assurance may substitute for the general information technology experience.
Master's Degree with a concentration or a major in Information Security, Cyber Security, Digital Forensics, or a related field.
Master's Degree with a concentration or major in Business Administration, Public Administration, or a related field with a certification in Information Security Management (e.g., CISSP, GSLC, GSTRT, CISM, CCISO).
Certification as a Certified Information Systems Security Professional (CISSP).
5+ years’ experience in leading a team in related work;
5+ years’ experience in strategic planning;
5+ years’ experience in developing metrics and key performance indicators;
5+ years’ experience in process development and process improvement;
5+ years’ experience in communication with reporting out to executive management and Governor’s Office;
5+ years’ experience in leading organizational change management;
5+ years’ experience in technical writing;
5+ years’ experience in NYS procurement;
5+ years’ experience in preparing budgets;
5+ years’ experience with talent management;
5+ years’ experience in information security policy and standard development;
5+ years’ experience in information security regulatory compliance;
5+ years’ experience in information security incident response;
5+ years’ experience in presenting.
Working knowledge of Information Security (CIA triad, Information Classification, Risk Management, Incident Response, Vulnerability Management, Security Architecture & Engineering); Information Security Frameworks (NIST Cyber Security Framework, CIS Controls, ISO 2700 series) and technical security solutions (e.g., intrusion detection/prevention systems, firewalls).
Excellent oral and written communication skills including the ability to clearly articulate information technology and information security concepts to a varied audience to facilitate wide understanding.
Demonstrated critical thinking, problem solving and analytical skills.
Demonstrated skill in facilitating meetings, listening, and negotiating between multiple stakeholders to drive results.
Ability to obtain and maintain a Secret clearance.