Purpose
The Information Security Manager is responsible for supervisory oversight and consultation in cybersecurity and privacy governance, compliance and risk to optimize the security posture of SMUD’s enterprise Information Technology (IT) and Operational Technology (OT). To ensure the confidentiality, integrity and availability of SMUD’s IT and OT systems, information, and network infrastructure, the Information Security Manager for cybersecurity governance and compliance or cybersecurity risk oversees staff in identifying, developing, implementing and maintaining processes to evaluate defense-in-depth layering of security principles and controls to reduce cybersecurity and regulatory risks to SMUD’s people, processes, and technology.
Bachelor's Degree in Cybersecurity, Computer Science, Information Technology or related discipline and/or 11 years' equivalent experience.
Experience:
Typically 7+ years of cybersecurity or information security experience in a corporate or business environment, ideally in the utility industry, or progressively responsible relevant work experience managing enterprise-wide cybersecurity functions, including implementing technology solutions, leading/managing oversight/operational staff and managing various project initiatives.
Knowledge Of:
• Knowledge of: SMUD policies, procedures, applicable MOUs and other special agreements; federal and state laws and regulations related to supervisory practices and employee rights; methods and techniques for planning, organizing, directing and controlling work activities; methods and techniques for training staff; policies and procedures for evaluating and recording performance results; policies and procedures for recruiting, screening and hiring; principles and practices for budget administration; techniques and concepts related to team management; security requirements and cryptography, intrusion detection/incident handling, business continuity, risk reviews, computer operations security, and privacy issues; hardware, software, and network hardening and internal control risk management in large-scale networks and network vulnerability assessments; UNIX/Linux; Microsoft Windows; familiarity with Perl, Shell, and SQL (scripting); basic knowledge of technology platforms and web-based applications; basic understanding of infrastructure control procedures and security (networks, and UNIX / Windows servers and databases); reporting and creating metrics.
Skill To:
Articulate thoughts clearly, plan initiatives, and execute flawlessly with appropriate urgency; demonstrate drive, intelligence, maturity, and energy as a proven change leader; possess a high degree of business acumen and a “real world” perspective; maintain a high level of discretion and personal integrity in the exercise of duties, including the ability to professionally address confidential matters; develop business cases for policy and technology changes and introductions; establish and maintain a high level of trust and confidence in the group's knowledge of, and concern for, business, legal and regulatory requirements; apply effective negotiation techniques; demonstrate excellent written and verbal communication, interpersonal and collaborative skills; apply critical thinking with strong problem-solving skills; develop and implement new and revised policies and procedures to provide for the effective operation of the area of responsibility; apply applicable personnel laws, codes and regulations; coordinate the work of the function or unit with other SMUD entities; make final decisions on department administrative and operational matters; prepare performance plans and evaluations for staff; plan, organize, direct, control, and review the work of others; identify, assess and coordinate training needs for staff; learn new skills quickly with minimal guidance; achieve project schedules and milestones; work in a team environment with aggressive deadlines and multiple priorities while remaining a team player; facilitate and present effectively; demonstrate strong interpersonal skills and the ability to listen, learn, speak up, and mentor; maintain attention to detail; work with different groups and diverse projects as a partner; perform privacy and/or security reviews including regulatory and industry assessments, risk analyses, information inventory and data mapping, vendor management assessments, and additional privacy or security compliance related projects.
Major Duties & Responsibilities
- Supports director efforts to continuously improve and monitor SMUD’s risk based comprehensive enterprise security program, including commensurate policies and procedures, to ensure that the confidentiality, integrity, and availability of information is owned, controlled and properly accessed and processed.
- Authority responsible for oversight and management of cybersecurity and privacy governance, compliance, and risk; introduces, monitors, and enforces policy to ensure organization-wide cybersecurity and privacy risk management is aligned with SMUD’s strategic goals, applicable laws and regulations.
- Protects company data against unauthorized disclosure, accidental or intentional loss of data, or unauthorized modification.
- Oversees security initiatives which provide overall risk mitigation while maintaining business agility; works directly with business units to facilitate IT risk assessment and risk management policies and processes, and works with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
- Oversees research, coordination, development and communication of CIP policies, procedures and standards as set forth by regulatory requirements from NERC, FERC, WECC and other regulatory agencies; implements and maintains CIP and associated cyber security standards including calendar driven activities for control owners; works with all CIP asset owners to ensure CIP compliance.
- Participates in investigations of suspected information security breaches and policy violations; communicates unresolved security exposures, misuse, or noncompliance situations to the CIO and any other relevant senior/executive leader.
- Oversees cybersecurity risk assessments, audits, and incident investigations; keeps abreast of security incidents and acts as primary control point during significant information security incidents; establishes procedures to address security incidents and develops cyber security contingency plans to be activated in response to cybersecurity breaches, violations and incidents.
- Responsible for the development and implementation of programs, seminars, workshops, and bulletins to further end-user information security education and awareness; maintains technical reference library; develops training material and workshops for IT, program and security IT staff as appropriate.
- Oversees initiatives in support of annual and long-range security and compliance goals, security strategies, metrics, reporting mechanisms and program services; and maturity models and roadmaps for continual program improvements.
- Stays abreast of information security issues and regulatory changes affecting SMUD and ensures that SMUD’s information technology systems adhere to regulatory requirements including local, state and federal compliance standards; establishes external relationships to understand evolving threats and networks with broader cybersecurity industry leaders representing utilities; participates in national policy and practice discussions and communicates to the director on a regular basis about those topics; engages in professional development to maintain continual growth in the professional skills and knowledge essential to the position.
- Supports a high-performance, accountable culture by clearly setting expectations, mentoring direct reports, coaching and motivating the team via Agile principles, and implementing professional development plans for all members of the team, ensuring appropriate skill sets and resources are in place to meet current and future needs.
- Other related duties as assigned.