Wichita State University is seeking a Chief Information Security Officer (CISO) to lead the University’s data and information security efforts. This position requires a combination of strategic leadership, deep technical knowledge, extensive subject-matter expertise (threat landscape, security, legal, policy, compliance, and identity and access management) and relationship building skills to develop and implement security programs to fortify the University’s network infrastructure, data, research, and people from potential cyberattacks. An understanding of the needs of faculty researchers and administrators with highly sensitive data (such as PII, PHI, PCI, CUI, ITAR, EAR, etc.) is vital.
The CISO reports to the Chief Information Officer (CIO) and serves a key role in university leadership, working closely with senior administration, General Counsel, Internal Audit, academic leaders, and the campus community, including the National Institute for Aviation Research (NIAR). The CISO provides strategic guidance and technical leadership for a comprehensive university-wide information security and IT risk management program. The CISO works collaboratively with University leadership, faculty, and staff to ensure information security by balancing WSU’s academic and research values with institutional attention to the risks and requirements that arise from the University’s information-rich environment and external regulations.
The CISO is an advocate for the University’s total information security needs and is responsible for the development and delivery of a comprehensive university-wide information security and IT risk management program that leverages collaborations and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, strengthens security monitoring and incident management, designs appropriate policies to manage information security risk, and optimizes the University’s IT risk posture.
The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the campus level.
Specific Responsibilities:
UNIVERSITY STRATEGIC IT SECURITY PROGRAM – Develop, communicate, and oversee the implementation of a strategic, comprehensive information security and risk program for the university in support of academic, research, and administrative information systems and technology.
Provide leadership across the university in information technology security processes, policies, practices, and services.
Engage executives and university members, including leadership, faculty and administrators in colleges, centers, departments and research organizations, to adopt and foster a culture of data protection and information security awareness and responsibility, including at the individual level.
Provide leadership in the analysis, discussion, and development of security governance and framework, and guide the acquisition of advanced security technologies.
Lead information security planning processes to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology.
Develop and implement an enhanced information security governance framework to guide WSU’s information security efforts related to compliance, audit, and regulatory standards.
Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements.
INFRASTRUCTURE MANAGEMENT AND SECURITY OPERATIONS – Continually perform security risk assessments on the university’s IT infrastructure and assist with overall business technology planning (e.g., necessary upgrades, mitigation efforts, equipment purchases, etc.).
Provide guidance and influence the university with regard to network and computing security needs in selecting hardware and software technologies, choosing between commercial and open source software, and determining whether services should be local or cloud-based.
Ensure that the university provides timely and documented responses to security concerns of IT projects.
Regularly assess implemented control activities for effectiveness in comparison with WSU security policy and nationally recognized frameworks. Report results and track remediation efforts towards sustainable implementation.
Examine impacts of new technologies on WSU’s overall information security and establish processes to review implementation of new technologies to ensure security compliance.
Provide recommendations on security best practices and designate approved security software for WSU use.
Perform IT security risk assessments, including vendor assessments. Report results and track remediation efforts towards sustainable implementation.
Work with WSU leadership to identify and mitigate risks to the confidentiality, integrity, and availability of university systems and data.
Collaborate with and support IT colleagues, both centrally and in distributed spaces, to monitor, assess, and test security solutions.
Manage a broad range of complex security and risk-related issues in the university’s central and its decentralized computing environments.
Manage WSU staff who are deploying enterprise-level security tools.
INCIDENT PREVENTION AND MANAGEMENT/CYBER RISK INTELLIGENCE – Identify, report, and control security incidents (including reviews, audits, regulatory inquiries, etc.) and lead/coordinate institutional responses thereto.
Coordinate and track information security related audits at all internal, state, and federal levels and provide guidance, evaluation, and advocacy on institutional audit responses.
Lead and coordinate institutional responses to security incidents, providing timely reports during the incident and remediation, as well as propose solutions to prevent or mitigate future incidents.
Track security incidents and administer a university-wide IT Security Risk Management Program.
Assist in establishing best practices and procedures for information assurance, disaster recovery and business continuity.
Continually evaluate risks and act expeditiously in making decisions and recommendations, while considering the technology environment as well as the varying needs and viewpoints of the university community and its unique requirements.
Oversee data loss and fraud prevention.
COMPLIANCE – Have a working knowledge of laws, regulations, and requirements applicable to an academic research institution including, but not limited to, FERPA (Family Educational Rights and Privacy Act), GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), the DMCA (Digital Millennium Copyright Act), GDPR (the European Union’s General Data Protection Regulation), and CUI (Controlled Unclassified Information), and develop, implement, and enforce processes, procedures, technical security standards, and practices related to the same.
Ensure that IT Security policies are up to date and provide appropriate protections for WSU.
Develop, implement, maintain, and administer technical security standards to address and mitigate the university’s security risk.
Use appropriate technologies to monitor, mitigate and respond to security and compliance events.
Evaluate WSU’s security environment and provide strategic risk guidance for technical controls to implement appropriate defenses and safeguards.
Document and publish security standards, processes and procedures that the university community is expected to meet and uphold.
COMMUNICATION AND EDUCATION – Communicate with and educate the entire campus community, including leadership as to policies, procedures, best practices, cyber threats, etc.
Develop and enhance an information security and risk management awareness training program for all employees, contractors, and approved system users.
Develop and provide ongoing IT Security Awareness initiatives and communication for students, faculty and staff.
Work with IT and communications teams to address communication needs related to security incidents.
Stay abreast of information security issues and regulatory changes affecting higher education at the state and national level, participate in national policy and practice discussions, and communicate to campus on a regular basis about those topics.
Provide consultations, guidance, and investigation regarding information security, policy and security education and training.
Coordinate IT security education and training to the entire campus community.
Represent the university on committees and boards associated with the Kansas Board of Regents (KBOR) consortia and in national and regional consortiums and collaborations.
Provide periodic reporting on the current status of the information security program to university leadership as part of a strategic enterprise risk management program.
Bachelor’s Degree in a technical discipline (such as Computer Science, Engineering, Mathematics, or other sciences).
At least 5 years of Information Security experience in Compliance, Audit & Standards.
At least 5 years of Information Security experience in Risk Management and Incident Response.
Minimum of 3 years in an Information Security leadership/management role.
Experience in development and deployment of information security policies, procedures, risk mitigation approaches, and various information security tools.
Demonstrated experience with federal and state information security and related compliance laws, regulations, and standards such as ISO27002, ISO27005, NIST 800, FERPA, PCI, e-discovery, ADA, HIPAA, DMCA, GDPR or CUI.
An advanced degree in Computer Science, Information Systems/Sciences, or related field.
Preferred Certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or similar certifications.
Experience in a higher education, research, or government/public sector environment.
Knowledge of working with Internal Audit, system auditors, outside consultants and/or the Office of the State Auditor in a lead capacity to coordinate representation of institutional technology systems and practices.
Knowledge and experience in the policy and regulatory environment of information security, particularly in higher education.
Knowledge of computers and information security, network security issues, and security incident response and recovery in a higher education environment.
Demonstrated hands-on knowledge and experience in state-of-the-art information security technologies and forensic investigation methodology and investigation tools to collect, analyze, and preserve electronic evidence.
Experience in a complex and diverse organization.
Knowledge, Skills and Abilities:
High degree of personal integrity and standards of professional conduct.
Experience and ability to interact with senior management.
Ability and experience working in a fast-paced environment with minimal to no direct supervision.
Demonstrated ability to communicate technical concepts and solutions to both technical and non-technical audiences.
Expertise in risk management approaches to assess and address security and other types of Information Technology-related risks.
Eligible to work in secure computing environments including International Traffic in Arms Regulations (ITAR) and Controlled Unclassified Information (CUI).
Proven ability to engage simultaneously in multiple projects and bring them to successful completion.
Excellent decision making and problem-solving skills and effectiveness in getting things done collaboratively.
Ability to interact effectively with a wide variety of users with different expectations and backgrounds.
Ability to lead and manage a technically diverse staff.
Excellent interpersonal and communication skills, strong analytical skills, and ability to deal with ambiguity in a changing business environment.
Excellent customer service skills.
Ability to exhibit maturity, reliability, composure, and stability under pressure as required for handling on-the-job challenges.
Ability to give and receive constructive criticism and feedback.
Demonstrated curiosity, interest, and ability in keeping abreast of technology and methodology advancements in information security.