Founded in 1898, Northeastern is a global research university and the recognized leader in experience-driven lifelong learning. Our world-renowned experiential approach empowers our students, faculty, alumni, and partners to create impact far beyond the confines of discipline, degree, and campus.
Our locations—in Boston; Charlotte, North Carolina; London; Portland, Maine; San Francisco; Seattle; Silicon Valley; Toronto; Vancouver; and the Massachusetts communities of Burlington and Nahant—are nodes in our growing global university system. Through this network, we expand opportunities for flexible, student-centered learning and collaborative, solutions-focused research.
Northeastern’s comprehensive array of undergraduate and graduate programs—in a variety of on-campus and online formats—leads to degrees through the doctorate in nine colleges and schools. Among these, we offer more than 195 multi-discipline majors and degrees designed to prepare students for purposeful lives and careers.
About the Opportunity:
Northeastern University Information Technology Services (ITS) is a partner in the advancement of teaching, learning, and research across Northeastern University’s global operations. We forge pathways to academic and professional successes through secure, collaborative solutions that propel innovation on individual, institutional, and global levels. As a member of our team, you will be part of exciting technology initiatives not found at other universities. Learn more about our culture, benefits, and how you can bring digital learning to life with us.
Reporting directly to the vice president for information technology and chief information officer (CIO), the associate vice president and chief information security officer (CISO) is responsible for Northeastern University’s total information security needs—domestically and internationally—and the development and delivery of a comprehensive information security strategy and privacy program designed to ensure university information assets are adequately protected. The CISO will also maintain a dotted-line relationship to the Office of General Counsel to ensure open and trusted communication and collaboration in sensitive and legal matters.
The CISO is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk position of the university. The CISO works with key IT offices, data custodians, governance groups, and business and other key stakeholders in the development of security and application policies and best practices; oversees the effective dissemination of policies, standards, and procedures to the university community; establishes annual and long-range security and compliance goals; defines security strategies, metrics, reporting mechanisms, and services for continual program improvements; stays abreast of information security issues and regulatory changes affecting higher education at the state and national level; and communicates to and engages with the university community on a regular basis.
The CISO serves as the process owner of all assurance activities related to the availability, integrity, and confidentiality of customer, business partner, employee, and business information in compliance with the organization's information security policies. A key element of this role is working with executive leadership to determine acceptable levels of risk for the institution. The CISO must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure manner.
The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes. As the leader of the security program, the CISO must be able to coordinate disparate drivers and constraints, while maintaining objectivity and an understanding that security is a major contributor to the university’s business activities, to best align and support the university's ability to deliver on its goals and objectives. To be effective in performing these duties the CISO needs to be familiar with a wide variety of security and compliance regulations, guidelines, and frameworks including current standards such as PCI-DSS, NIST 800-53, NIST Cybersecurity Framework, ISO 27001/2, FERPA, and GDPR, as well as upcoming regulations such as CCPA (California Consumer Privacy Act) and CMMC (Cybersecurity Maturity Model Certification). The CISO needs to understand the various security control objectives of these directives and how they apply in a higher education environment in general and Northeastern’s environment specifically. Previous experience working with these controls as an auditor and/or compliance manager would be beneficial. It is critical that the CISO have the ability to identify institutional risks and make actionable recommendations that will substantively help mitigate those risks without major impacts to the business needs or operations of the university.
- Expansive work experience in project management, application design and programming, data center operations, system programming, database administration, office automation, production analysis, client computing, consulting services, financial management, long range planning, data security, educational technology, and/or management; or an equivalent combination of education and experience.
- Proficient experience in information security auditing, risk assessments, compliance, analysis, and engineering.
- Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or similar credentials.
- Eight to ten years of combined risk management, information security, and information technology experience. At least four must be in a senior leadership role. Employment history must demonstrate increasing levels of responsibility.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences.
- Proven track record and experience in developing information security policies and procedures, as well as the ability to successfully execute programs that meet the unit and university objectives of excellence in a dynamic environment.
- Must be a critical thinker, with strong problem-solving skills.
- Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, and the ability to meet overall objectives while working well in a demanding, dynamic environment.
- Project management skills including financial/budget management, scheduling, and resource management.
- Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.