How to Apply
To be considered, a cover letter and resume are required. The cover letter must be the leading page of your resume and should:
- Specifically outline the reasons for your interest in the position and
- Outline your particular skills and experience that directly relate to this position.
Salary is commensurate with skills and experience.
The Chief Information Security Officer (CISO) is the highest level executive dedicated to IT security at the University of Michigan. Secure access to information assets is critical to achieve business objectives. The CISO is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for collaboratively identifying, evaluating and reporting on legal and regulatory, IT and cybersecurity risk to information assets, while supporting and advancing business objectives.
The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies in the university's digital ecosystem. The CISO will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. He or she should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program.
The CISO is responsible for the security and protection of information, technology and communication resources used in conduct of the research, education, clinical care and administration missions of the University. Using an enterprise risk approach, the CISO will work with University leaders to develop strategies, programs, policies and procedures to achieve an appropriate level of assurance in an increasingly threat-based world.
This role requires a high level of engagement and interaction with university leaders, IT governance groups and department leaders to ensure alignment with critical strategies and objectives. This position requires technical knowledge and extensive subject-matter expertise to develop and implement the security program for a complex organization with competing business requirements.
The CISO has direct management oversight for a group of security professionals and works in partnership with the larger security community from departments across the University and in Michigan Medicine, as well as other privacy, risk and compliance stakeholders. The position reports to the Vice President of Information Technology and Chief Information Officer and works closely with Information and Technology Services (ITS) leadership and all departments across the university. The CISO provides services as needed to respond to incidents or provide consultation to university leadership in Michigan Medicine or on any of the three (3) University of Michigan campuses.
The CISO should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this to the Board of Regents and other senior stakeholders. A key element of the CISO's role is working with executive management and other stakeholders to determine acceptable levels of risk for the organization.
Establish Governance and Build Knowledge
- Facilitate an information security governance structure through the implementation of a governance program, including the formation of an information security steering committee or advisory board
- Provide regular reporting on the current status of the information security program to university stakeholders, senior leadership and the Board of Regents as part of a strategic enterprise risk management program that supports business outcomes
- Work with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations
- Work in collaboration with the Chief Privacy Officer to create and manage a targeted data protection awareness training program for all employees, contractors and approved system users and establish metrics to measure the effectiveness of this training program for the different audiences
- Understand and interact with related disciplines (including privacy, risk management, compliance and business continuity management) through committees to ensure the consistent application of policies and standards across all technology projects, systems and services
- Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
- Lead the security community program to mobilize employees in all locations
Lead the Organization
- Lead the information security function across the University to ensure consistent and high-quality information security management in support of the business goals
- Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas
- Manage the budget for the information security function, monitoring and reporting discrepancies
- Manage the cost-efficient information security organization, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring (and conducting background checks), training, staff development, performance management and annual performance reviews
Set the Strategy
- Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives and ensure senior stakeholder buy-in and mandate
- Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity and availability of information assets owned, controlled and/or processed by the organization
- Assist with the identification of non-IT managed IT services in use ("citizen IT") and, as appropriate, help facilitate a University IT onboarding program to bring these services into the scope of the central IT function and apply standard controls and rigor to these services; where this is not possible, ensure that risk is reduced to the appropriate levels and ownership of this information security risk is clear
- Work effectively across the University campuses, business units and Michigan Medicine to facilitate information security risk assessment and risk management processes and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite
Develop the Frameworks
- Develop and enhance an up-to-date information security management framework using a risk management framework; establish and maintain the enterprise's security vision, strategy and programs to ensure information assets and technologies are adequately protected; develop and report regularly to university leaders a set of metrics that measure the university's security posture; in collaboration with the Chief Privacy Officer, provide an annual report of the University's IT security and privacy posture to the Executive Officers and Board of Regents
- Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from standard security frameworks (e.g., NIST) and laws, standards and regulations, as well as best practices
- Develop and maintain, in collaboration with the Chief Privacy Officer, a framework of continuously up-to-date data protection policies, standards and guidelines
- Oversee the approval and publication of information security policies and practices
- Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation and increase the maturity of the information security and review it with stakeholders at the executive level
Build the Network and Communicate the Vision
- Create the necessary internal networks among the information security team and line-of-business executives, University compliance, audit, physical security, legal and HR management teams to ensure alignment as required
- Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
- Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
- Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design
Operate the Function
- Create a risk-based process for the assessment and mitigation of any information security risk in your ecosystem consisting of business partners, vendors, consumers and any other third parties
- Work with the Chief Privacy Officer to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other regulatory requirements
- Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
- Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
- Collaborate and liaise with the Chief Privacy Officer to ensure that data privacy requirements are included where applicable and privacy impact assessments are incorporated into IT and IT security processes and workflows
- Oversee technology dependencies outside of direct organizational control which includes collaborating with the Chief Privacy Officer in reviewing contracts and the creation of alternatives for managing risk
- Manage and contain information security incidents and events to protect University IT assets, intellectual property, regulated data and the University’s reputation
- Lead the Computer Security Incident Response Team (CSIRT) to respond to serious security incidents that occur on any of the three campuses of the University of Michigan or Michigan Medicine; work with the Office of General Counsel, the Division of Public Safety and Security, the Office of the Vice President for Global Communications, the University Health System Compliance office and other stakeholders to manage the response to and reporting of serious incidents; build and oversee a sophisticated team of computer forensics experts
- Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action
- Support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem
- This position reports to the Vice President of Information Technology and Chief Information Officer to drive the definition and delivery of successful IT Security strategy execution
- Bachelor's degree in computer science, engineering, information technology or a related field, or the equivalent experience, is required
- A minimum of ten (10) years of experience in a combination of risk management, information security and IT or OT jobs where at least five (5) years must be in a leadership role
- A minimum of eight (8) years of supervisory experience which includes recruiting, mentoring, career development, performance management, leadership and team building and a proven ability to lead a team to meet customer expectations
- Proven track record and experience in developing information security programs, policies and procedures, as well as successfully executing programs that meet the objectives in a dynamic environment
- Proven success in strategy development and execution
- Demonstrated ability to implement general security concepts and methods such as vulnerability and risk management, privacy, incident response, policy creation and enterprise security strategies
- Experience with information security regulatory and compliance management
- Experience developing and administering information security standards, guidelines and best practices
- Knowledge and understanding of relevant legal and regulatory requirements
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST, including 800-53 and the Cybersecurity Framework
- Excellent written and verbal communication skills, interpersonal and collaborative skills
- Ability to effectively and clearly communicate security and risk-related concepts to technical and nontechnical audiences
- Poise and ability to act calmly and competently in high-pressure, high-stress situations
- Must be a critical thinker with strong problem-solving and project management skills, including financial/budget management, scheduling and resource management
- A strong solution orientation with a penchant for not only identifying problems but also finding ways of solving them within typical business constraints
- Ability to lead and motivate cross-functional, interdisciplinary teams to achieve strategic goals
- Demonstrated strong management or supervisory experience that includes recruiting, mentoring, career development and performance management, leadership and/or team building
- Ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
- High degree of initiative and ability to work with little supervision
- Proven ability to lead project teams to meet customer expectations
- Proven strategic planning based on customer feedback and projected needs, along with the ability to track and sometimes predict trends in markets, technology and the industry; influence direction to meet changing customer needs
- Master’s degree
- IT security in a higher education environment
- Certified Information System Security Professional (CISSP), Information Security Management Professional (ISMP) or Certified Information Security Manager (CISM)
- Other security-related certifications
- Responsible for protecting data and information from unauthorized release or from loss, alteration or unauthorized deletion, and for following applicable regulations and instructions regarding access to computerized files, release of data, etc., as stated in a computer access agreement
- Normal amount of sitting, average mobility to move around an office environment; able to conduct normal amount of work at a computer; travel to various locations on and off campus; and moves throughout buildings to provide support
- May require on-call availability
- May require working during non-business hours and on weekends
- Punctual, regular and consistent attendance is required
Diversity, Equity and Inclusion
The University of Michigan Information and Technology Services seeks to recruit and retain a diverse workforce as a reflection of our commitment to serve the diverse people of Michigan, to maintain the excellence of the University and to offer our students richly varied disciplines, perspectives and ways of knowing and learning.
The University of Michigan Benefits Office is committed to offering a high-quality benefits package to support faculty, staff and their families. Learn more about our 2:1 retirement matching, healthcare plans with nationwide coverage including prescription drug coverage, three dental plans, a vision plan, flexible spending account, well-being programs, long-term disability, automatic life insurance, general legal services, three early childhood centers, time away from work and work-life programs to promote balance.
- The University of Michigan is ranked the No. 2 U.S. public university and 28th overall in The Wall Street Journal and Times Higher Education rankings announced 09/05/2018.
- The University of Michigan maintained its ranking as the top U.S. public university in the QS World University Rankings for 2018-19, and ranked 20th among all institutions on the list, which was released 06/13/2018.
- The University of Michigan maintains its No. 15 position in the Times Higher Education World University Rankings released 05/30/2018.
- The University of Michigan continues to be recognized nationally in the U.S. News & World Report’s annual rankings of the nation's best graduate schools for 2019. Among the programs ranked each year in America’s Best Graduate Schools — business, education, engineering, law, medicine and nursing — U-M maintained top-20 rankings in all six categories.
Job openings are posted for a minimum of seven calendar days. This job may be removed from posting boards and filled anytime after the minimum posting period has ended.
U-M EEO/AA Statement
The University of Michigan is an equal opportunity/affirmative action employer.