USA, Louisville, KY
Job Posting Title
Director, Information Security
The Director for Information Security focuses on communicating the vision, establishing and maintaining strategies, policies, standards, and guiding principles to enable a robust company security posture aligned with the CIS Top 20 Controls. The candidate will lead the organization, ensure alignment with management frameworks and operate the function. The Director must ensure the project portfolio is guided by a risk-based approach that addresses emerging and evolving security threats to protect the confidentiality, integrity, and availability of critical applications and infrastructure services. This individual will work with leaders across DT, Security Operations (MSP), Third-Party partners (Audit, Threat Detection / Response, Forensics), the Privacy Office, and Business partners to ensure adherence to policies, accountability for remediation, and management and coordination during Incident Response.
What You Will Do
Establish Governance and Build Knowledge (20%)
- Facilitates an information security governance structure through the implementation of a hierarchical governance program, including leadership of the information security steering committee
- Develops, socializes, and coordinates approval and implementation of security policies
- Partners with the vendor management team to conduct security assessments of existing and prospective vendors (e.g. Third-Party Security Reviews)
- Partners with the internal Controllership team to review and evaluate the design and operational effectiveness of security-related controls
- Provides clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
- Directs the creation of a targeted information security awareness training program for all employees, contractors, and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences
- Maps controls to compliance requirements like PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), and CCPA (California Consumer Privacy Act), and provides oversight to ensure adherence to compliance requirements
- Validates IT infrastructure and other reference architectures for security best practices and recommends changes to enhance security and reduce risk where applicable
- Creates a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers, and any other third parties
Lead the Organization (20%)
- Leads the information security function, including the privacy and advanced threat detection and response teams, to ensure consistent and high-quality information security management in support of the business goals
- Determines the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach
- Manages the budget for the information security function, monitoring and reporting discrepancies
- Manages the cost-efficient information security organization, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management, and annual performance reviews
Set the Strategy (15%)
- Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate
- Develops, implements, and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled, and/or processed by the organization
- Works effectively with business units to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite
- Reviews security capabilities, technologies, tools and services, and makes recommendations to the IT Lifecycle Management and Ops teams for their use based on security, financial and operational metrics
- Develops a security tools and services strategy to help maintain and improve the company security posture
Enhance and Maintain the Frameworks (10%)
- Maintains an up-to-date information security management framework based on COBIT/Risk IT, National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS) guidance
- Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the requirements resulting from laws, standards and regulations
- Develops and maintains a document framework of continuously up-to-date information security policies, standards and guidelines. Oversees the approval and publication of these information security policies and practices
- Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, increases the maturity of the information security program, and reviews it with stakeholders at the executive and board levels
Build the Network and Communicate the Vision (10%)
- Liaises with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design
- Builds strong relationships with technical teams across the functions (both IT professionals and business users) and with Haier Group Security Council members, and enables their awareness and compliance with guidelines set forth in Security policies, standards, and controls
- Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
- Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies
Operate the Function (25%)
- Ensures that security is embedded in the project delivery process by providing the appropriate information security policies, practices, and guidelines
- Owns the IT security risk registry and ensures projects and remediation efforts are aligned with a focus on digital infrastructure and information protection, and identity and access management
- Leads security assessments of internal systems, applications, and IT infrastructure as part of the overall risk management practice of the organization in alignment with policies and strategies
- Participates in application and infrastructure project reviews to provide security planning advice and strategic thinking
- Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security incident; provides direction, support and in-house consulting in these areas
- Liaises with DT, business stakeholders, and third parties as the incident response manager
- Manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
- Monitors the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
What You Need to Succeed
- Bachelor's degree in Computer Science, Information Systems, Cybersecurity, Mathematics, Statistics or equivalent
- 10+ years relevant experience in IT; 5+ years of experience leading teams
- Demonstrated experience and success in leadership roles in risk management, information security, and IT or OT security
- Vulnerability and threat analysis experience
- Working knowledge of regulations, standards and frameworks like PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), California Consumer Privacy Act (CCPA), CIS (Center for Internet Security)
- Understanding of identity and access management, authentication, authorization, encryption, PKI, and security monitoring methodologies and technologies
- Understanding of malware analysis and reverse engineering; network protocols, design and operations; cybersecurity capabilities and threat landscape; network and computer forensics; cloud computing
- Understanding of security architecture, threat modeling, secure application development, developing security controls architecture patterns, and creating strategies and roadmaps
- Demonstration of industry security awareness via training courses taken and/or certifications received (e.g. GCFA, GNFA, GCIH, GPEN, OSCP)
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and non-technical audiences at various hierarchical levels, ranging from board members to technical specialists
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
- Ability to lead and motivate the information security team to achieve tactical and strategic goals
- Excellent stakeholder management skills
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
- Project management skills: financial/budget management, scheduling, and resource management
- Master's degree in Computer Science, Information Systems, Mathematics, Statistics or equivalent
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Global Information Assurance Certification (GIAC) certifications OR equivalent security accreditation
- ICS/SCADA/PLC proficiency and experience with best practice implementation
- AWS Certified Solutions Architect – Professional
- Demonstrated leadership, working across a diverse environment of IT employees (onshore and offshore), consultants and vendors
- Demonstrated ability to influence and build consensus with other IT teams and leadership
- Ability to effectively manage priorities in a highly dynamic environment and drive change
- Growth mindset
GE Appliances is an Equal Opportunity Employer. Employment decisions are made without regard to race, color, religion, national or ethnic origin, sex, sexual orientation, gender identity or expression, age, disability, protected veteran status or other characteristics protected by law.