Chief Information Security Officer

The University of Virginia (UVA), one of the nation’s leading public institutions, seeks an experienced, dynamic, and mission-driven leader to be the next Chief Information Security Officer (CISO).

Reporting to the Vice President and Chief Information Officer, the CISO will provide strategic leadership and oversight to a diverse portfolio.

They will lead high-performing teams and work collaboratively across a large, complex institution. The CISO must be a strong communicator with the ability to build relationships and work with members of the University community in a collaborative and empathetic manner.

The complexity of this position requires strong leadership and the ability to balance the priorities of security strategies with university strategies and business needs.

Be one of the first applicants, read the complete overview of the role below, then send your application for consideration.

As a critical member of the Information Technology Services (ITS) leadership team, the CISO is responsible for establishing and maintaining a university-wide information security management program to ensure that the university’s data and assets are adequately protected.

The CISO will work closely with IT leadership, administrative leaders, and academic faculties across Grounds to identify, evaluate, and report on information security risks in a manner that meets compliance and regulatory requirements and aligns with and supports the risk posture of the University.

The CISO will lead a team of 20, including a Deputy CISO and professionals within the areas of operations, engineering, policy, compliance, and services and engagement.

The CISO will also manage the Managed Security Service Provider (MSSP) contracted by UVA.

The CISO will lead and / or sponsor efforts aimed at meeting strategic objectives for UVA. Among these important initiatives are :

The Device Security Initiative (DSI). An exciting multi-year program designed to create a comprehensive cross-Grounds approach to core security practices.

Projects under this initiative include creating / maintaining an accurate device inventory, as well as providing central tooling, automated endpoint management, network segmentation, and other technical controls to support accountability.

Understanding how AI can transform UVA’s underlying mission, from teaching methodologies to student learning, research, and administrative processes.

The CISO will partner and consult with leaders across Grounds to define the risks that accompany this new technology, as well as safeguard the privacy of UVA community members.

Enabling research. As UVA continues its path to research preeminence, research computing is a dynamic space where the CISO is critical to ensuring that research and research data are properly secured, while working closely with the research community with a solutions-oriented approach.

Key responsibilities fall into four major categories :

• Manage the university's information security organization, including hiring, training, staff development, performance management, and annual performance reviews.
• Promote collaborative, empowered working environments within ITS and across Grounds, removing barriers and realizing possibilities.

Lead IT security planning processes to establish an inclusive and comprehensive cyber security program for the institution in support of academic, research, and administrative information systems and technology.

Policy, Compliance and Audit

• Develop, maintain, and publish up-to-date information security policies, standards, and guidelines and ensure information security and compliance with relevant legislation and legal interpretation.
• Continually assess, evaluate, and make recommendations to ITS leadership regarding the adequacy of the security controls.

Security Awareness and Training

• Develop / identify, administer, and champion information security education and awareness programs and advise operating units at all levels on security issues, best practices, and vulnerabilities.
• Work with the schools / units to identify needed training for local service providers to maximize their effectiveness in enforcing / supporting security policies and standards at the local level.

Risk Management, Security Operations, Projects, and Incident Response

• Provide leadership, direction, and guidance in identifying, evaluating, and prioritizing information security risks and monitor compliance with security standards and appropriate policies.
• Manage the daily IT security operations, disseminating information to the schools / units as appropriate. Oversee the management of the IT security operations team, inclusive of managed detection and response services, while working collaboratively with other members of ITS to enact needed controls.

Qualifications

• Excellent written and verbal communication skills, interpersonal, relationship-building, and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
• A bachelor’s degree in Information Technology, Computer Science, Information Systems, or a related field (master’s degree preferred).
• Professional security management certification is strongly desired, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or other similar credentials.
• At least 10 years of experience in a combination of risk management, information security, and IT jobs (at least five must be in a senior leadership role).

J-18808-Ljbffr