
Principal Cybersecurity Governance Specialist (Hybrid)

Sempra
San Diego, CA
$201.5K a year
Full-time

Job Description

Primary Purpose :

The Principal Cybersecurity Governance Specialist drives cybersecurity governance capabilities with emphasis on detecting and reducing risk within organization.

Brings strong cybersecurity expertise to ensure protection of technology, data, systems, and applications across enterprise.

Drives success by identifying, assessing and recommending risk mitigation tasks across enterprise technology landscape with a focus on continuous improvement.

Collaborating with cybersecurity leadership, offers specialized industry insight to drive innovation, best practices, and competitive technologies.

As an expert member of cybersecurity teams, utilizes expert specialist knowledge to advance cybersecurity functions and reduce risk.

Mentors or coaches other team members in cybersecurity.

Works with contractors, either through the external vendor manager directly or through their back-office support, on any assigned work, and leads status meetings with the external vendor manager to review progress and quality of assigned work.

Assists as needed with providing company protocols, scope of work, and contract adjustments where valid and approved by company.

Duties and Responsibilities :

Governance :

  • Cultivates technical excellence as an expert subject matter advisor in design and execution of cybersecurity-related functionality, seeking out industry trends and leading practices.
  • Drives and manages determination of cybersecurity governance capabilities needed and selection of related technology (systems, platforms or networks) with an emphasis on automation and continuous improvement.
  • Identifies opportunities for innovation and assists in identification of strategic opportunities for continuous improvement, including competitive analysis of cybersecurity technologies.
  • Acts as a thought leader, developing comprehensive governance documents with support recommendations.
  • Reviews current cybersecurity policies, standards and procedures, to ensure they follow industry best practices, leveraging specialized insight to drive innovation, offering recommendations and guidance for greater compliance as needed.
  • Ensures that key risk indicators are adopted and periodically provided to stakeholders leveraging dashboards.
  • Provides expertise for cybersecurity council facilitation to drive cybersecurity risk awareness and escalation as needed.

Threat awareness and mitigation consulting :

  • Provides expert technical input leading identification of enterprise-level threats and risks with security, engineering, and architecture leadership as appropriate.
  • Works with strategic vendors to develop or enhance security technologies for benefit of enterprise.
  • Leads design and evaluation of cybersecurity technology and technology tools according to delivery frameworks for business-critical functional areas, to remediate risk and enhance controls throughout.
  • Acts as subject matter expert with respect to security needs of infrastructure, software development, and application technologies across organization.
  • Understands and utilizes advanced tools to identify, analyze, and solve risks.
  • Ensures adoption of security practices to facilitate automated risk characterization, monitoring, and mitigation across the companies.

Assessment :

  • Leads analysis, diagnosis and assessment of cybersecurity-related capabilities (systems, platforms, or networks), with a focus on those that fill strategic enterprise security needs, ensuring adequate governance and risk management.
  • Exercises considerable initiative to solve challenging problems pertaining to enterprise needs.
  • Directs teams for maintenance support for cybersecurity applications, including facilitating quality oversight of deliverables from vendors who provide maintenance and support of technology and systems.
  • Drives identification of opportunities for automation and integration for continuous improvement within company's cybersecurity functions and related technologies.

Leadership :

Mentors less experienced technology staff on cybersecurity knowledge best practices, procedures, and processes.

Other :

Performs other duties as assigned (no more than 5% of duties).

Qualifications

Education :

Bachelor's Degree in Information Systems, Software Engineering, Computer Science, related field or equivalent training and / or experience, required.

Experience :

  • 8 years of progressive experience working within enterprise cybersecurity with experience in cybersecurity process, risk assessments, and the troubleshooting of systems, required.
  • 5 years of experience working with cybersecurity and technology, with experience performing and developing governance risk and compliance (GRC) activities, required.
  • 8 years of experience with National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) or Risk Management Framework (RMF) such as NIST 800-53, preferred.
  • 5 years of experience with communicating and creating executive level presentations, preferred.

Knowledge, Skills and Abilities :

  • Cybersecurity Acumen - Knowledge of cybersecurity design and architecture (application, data, and technical) with understanding of how systems and processes work together as aligned to business and IT imperatives.
  • Cybersecurity Governance - Ability to understand, communicate and drive mitigation actions to secure the enterprise. Collaborate with peers to drive actions, track, escalate as necessary.
  • Cybersecurity Risk Assessment and Quantification - Ability to evaluate existing systems and solutions for security risk and vulnerabilities, designing solutions and systems that provide quality and traceability of risk data and analytics to inform security recommendations. Ability to extract key risk indicators to quantify and represent risk factors.
  • Network Security Skills - Ability to deliver network security services through preventing unauthorized access to network resources (data and voice systems), managing network security related incidents and providing on-going services to maintain network security operations functions (firewall, DMZ, corporate LANs, etc.).
  • Identity and Access Management - Knowledge related to design and delivery of solutions for establishing user, applications and device credentials and processes for applying those credentials to access enterprise systems and applications.
  • Application Security - Ability to define and operate secure application programs, as well as perform security reviews and tests of applications to meet security and compliance requirements while minimizing the risks of losses through exploitable security defects in applications.
  • Vulnerability Management - Ability to perform security reviews and tests to meet security and compliance requirements while effectively minimizing the risks of losses through exploitable security vulnerability.
  • Development Languages - Knowledge and understanding of one or more IT programming languages and database architectures, and ability to write code and develop applications using those languages.
  • IT Service Management - Ability to manage IT services lifecycle (service strategy, design, transition, operation, continuous service improvement) and use DevOps methodology and tools to analyze results.
  • DevSecOps Practices - Strong understanding of automation and security concepts and processes (e.g., test automation, code coverage, DevSecOps, Continuous Integration / Continuous Delivery (CI / CD) pipelines, etc.) and ability to drive the integration of development, operations, and security into enterprise software development.
  • Software Delivery Frameworks - Strong knowledge of delivery frameworks such as Agile Scrum, Kanban, and / or Software Development Lifecycle (SDLC); proven ability executing projects in a collaborative, fast paced environment.

Licenses and Certifications :

Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) or Certified Information Systems Auditor (CISA), preferred.

Other qualifications :

  • May require work outside of normal business hours and / or 24 / 7 response availability for system and application maintenance, enhancements, production releases and / or operational emergencies.
  • Must reside in Southern California or be willing to relocate upon hire.
  • We offer a hybrid work environment. Although the schedule may vary, typically this will allow you to work from the office three days per week and work remotely on the remaining workdays.

Work Schedule

HYBRID : Work a combination of onsite and remote days each week, typically 2-3 days per week.

30+ days ago