Sr. Director, Information Security
Employment Type : Full-Time
PRIMARY RESPONSIBILITY
The Senior Director of Information Security is responsible for maturing and maintaining the companywide information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected. This hands-on role is responsible for identifying, evaluating and reporting on cybersecurity risk to information assets, while supporting and advancing business objectives. The Senior Director will be responsible for running the enterprise information security program. Scope includes:
- Develop an information security vision and strategy that is aligned to organizational priorities and enables the organization's business objectives, and ensure senior stakeholder buy-in
- Facilitate an information security governance structure through the implementation of a hierarchical governance program, including an information security steering committee or advisory board
- Translate IS-risk requirements and business needs into technical control requirements and specifications
- Oversee security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences
- Understand and interact with functional areas to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management
- Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
- Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals
- Oversight of business continuity, disaster recovery, IT change management/controls, and IT policy and procedures.
Personnel responsible for managing and operating IT infrastructure will report into other functional areas (for example, networking, servers, building security, HR new hire or database management), with their security-related activities coordinated by this role. This is a highly visible hands-on role balancing tactical, operational and strategic activities in support of sustaining Adaptimmune’s IS program.
KEY RESPONSIBILITIES
Strategic Support
- Work with Senior Leaders to implement and grow an Information Security program that addresses identified risks and business security requirements.
- Execute the process of gathering, analyzing and assessing the current and future threat landscape, as well as providing senior leaders with a realistic overview of risks and threats in the enterprise environment on a routine basis.
- Monitor and report on internal and third-party compliance with IS policies, procedures and methods, as well as the enforcement of IS requirements within the IT department and other functional areas (e.g. HR, Facilities).
- Own IS Policies, procedure and methods. Ensure controls are properly maintained and well defined for implementation by operational teams. Propose changes to existing policies to ensure operating efficiency and regulatory compliance. Execute IS responsibilities (e.g. verification) as outlined in policies and procedures.
Security Liaison
- Assist resource owners and IT staff in understanding and responding to security audit failures reported by internal and external auditors.
- Provide regular security communication, awareness and training for audiences, which may range from senior leaders to field staff.
- Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
- Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
- Work with IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the IS program.
- Provide support and guidance for legal and regulatory compliance efforts, including audit support.
Architecture/Engineering Support
- Consult with IT and business line staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software, processes and procedures, etc. Perform security assessments, and provide recommendations to close gaps.
- Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
- Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
- Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
- Develop a strong working relationship with the IT operations team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.
- Develop a common set of security tools. Define operational parameters for their use, and conduct reviews of tool output. Administer IS monitoring and verification tools and controls.
- Perform control and vulnerability assessments to identify control weaknesses and assess the effectiveness of existing controls, and recommend remedial action.
- Define testing criteria for processes and technical systems and applications.
- Act as the primary individual responsible for the execution of IS risk assessment activities, analyzing the results of audits to produce recommendations of acceptable risk and risk mitigation strategies.
Operational Support
- Coordinate, measure and report on the technical aspects of security management.
- Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
- Manage and coordinate operational components of incident management, including detection, communication, response and reporting.
- Maintain a knowledgebase comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
- Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
- Provide expert guidance on security matters for other IT projects.
- Design, coordinate and oversee formal documented security testing procedures to verify the security of systems, segregation of duties, networks and applications, and manage the remediation of identified risks.
- Respond to and, where appropriate, resolve or escalate reported security incidents.
- Investigate and resolve security violations by providing postmortem analysis to illuminate the issues and possible solutions.
- Oversight of business continuity, disaster recovery, GMP and non-GMP IT change management / controls, and broader departmental IT policy and procedures.
- Manage up to three people and external vendors.
QUALIFICATIONS & EXPERIENCE
Required
- A minimum of 20 years of progressive IT experience, with 5 years in a senior information security role and 10 years in a supervisory capacity, or equivalent experience.
- A bachelor's degree in information systems or equivalent work experience; an M.B.A. or M.S. in information security is preferred.
- Information Security certification based on industry best practices.
Desirable
- ITIL Certification, GxP training, and/or IT Security training
- Advanced degree in Computer Science, Engineering, or Business
- Any equivalent combination of education, experience and training that provides the required knowledge, skills, and abilities.
- Global IT experience; Cloud SaaS experience
- Experience in disaster recovery, business continuity, change control, policy and procedures
- Previous pharmaceutical or biotechnology experience
SKILLS & COMPETENCIES
Required
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
- In-depth knowledge of risk assessment methods and technologies.
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
- A strong understanding of the business impact of security tools, technologies and policies.
- Strong leadership abilities, with the capability to develop and guide IT operations personnel, direct staff, and work with minimal supervision.
- Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with the IT organization, project and application development teams, management and business personnel; in-depth knowledge and understanding of information risk concepts and principles as a means of relating business needs to security controls; an excellent understanding of information security concepts, protocols, industry best practices and strategies.
- Experience working with legal, audit and compliance staff
- Experience developing and maintaining policies, procedures, standards and guidelines.
- Experience with common information security management frameworks, such as the International Organization for Standardization (ISO) 2700x series, the IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technologies (COBIT) frameworks, the U.S. Sarbanes-Oxley Act, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the European Union privacy directives, and the Japanese Financial Instruments and Exchange Law ("J-SOX").
- Proficiency in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies.
- Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
- Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
- An understanding of operating system internals and network protocols.
- Familiarity with the principles of cryptography and cryptanalysis.
- Experience in application technology security testing (white box, black box and code review).
- Experience in system technology security testing (vulnerability scanning and penetration testing).
- Able to quickly prioritize and sort out a complex set of activities to deliver on time
Desirable
- Maintains competency and enhances professional growth and development through continuing education, for themselves and for staff. Monitors and understands technology trends in pharmaceuticals.
- Speaks to individuals or groups of people with poise, voice control and confidence, and responds adequately to enquiries or complaints.
- A strong customer/client focus, with the ability to manage expectations appropriately, to provide a superior customer/client experience and build long-term relationships.
Decision Making Authority
This role is expected to represent IT leadership and Company-wide IS goals and objectives internally and externally.
At Adaptimmune we embrace diversity and equality of opportunity. We believe that the more inclusive we are, the better our work will be. We welcome applications to join our team from all qualified candidates, regardless of age, colour, disability, marital status, national origin, race, religion, gender, sexual orientation, gender identity, veteran status or other legally protected category. It is our intent that all qualified applicants will receive equal consideration for employment.