Deputy Director, Cyber Security Services

This is a non-merit system, employment-at-will, long-term contract position.

The Deputy Director, Cyber Security Services establishes and implements strategic initiatives for WSSC Water’s information security program (cyber security), compliance (e.g. information management, cyber security, software licenses, change/configuration management), and WSSC Water’s disaster recovery and incident response processes.

Essential Functions

- Develops, implements, and maintains enterprise Risk Management Information Management, and Change/Configuration Management Programs

- Develops, implements, and maintains an enterprise software licenses, hardware/software maintenance compliance program

- Performs periodic Information Security audits to identify compliance issues

- Leads the development and governance of the Commission-wide ECM strategy

- Conducts and/or supports investigations of data breaches; supports investigations initiated by Human Resources, General Councils Office, Emergency Management & Security, and/or General Manager

- Manages IT audits, IT risk reduction recommendations, and general IT control reviews

- Works with business owners to identify statutory and regulatory requirements that impact the business to ensure compliance

- Performs application planning and pre-implementation risk assessments and validation; reviews in conjunction with Information Security policies, standards, and procedures to ensure compliance and consistency

- Provides subject matter expertise on IT and business-related initiatives regarding risk and cyber security

- Participates in testing and evaluation of IT internal controls on corporate security risks, internal and external audits and reports, and sensitive data exposures

- Provides project management oversight and guidance for IT initiatives including development and maintenance of project plans, status reports, and budgets

- Manages the security department staff including career development, performance appraisals, task prioritization, and assignments

- Develops security processes to apply best practices and ensure compliance with relevant regulations

- Collaborates with the management team to develop the strategic direction of the team and take actions necessary to move toward the strategy

- Implements enterprise-wide disaster recovery/business continuity plan

- Routinely reviews plans for accuracy and relevance

- Develops and uses effective mechanisms to report compliance-related actions

- Manages external vendor relationships with contract administrators to review / negotiate/revise relevant contracts

- Oversees the management of service-level agreements with vendors and service providers

- Supervises employees including selecting or recommending selection, training, assigning and evaluating work, counseling, disciplining, and/or termination or recommending termination

Other Functions

- Reports key metrics on information security and compliance as well as program updates

- Reviews Information Security policies, standards, and procedures on an annual basis; updates as required

- Maintains knowledge of existing and proposed regulations pertaining to information system security and privacy

- Manages semi-annual tests of the Commission’s preparedness plans, evaluates effectiveness, and modifies plans as required

- Ensures all IT business processes are documented, monitored, and audited

- Represents the Commission on Prince George’s County and Montgomery County Information Security Committees

- Performs related duties as assigned

Work Environment And Physical Demands

Business casual office setting

Required Knowledge, Skills, And Abilities

- In-depth knowledge of Information Security and experience in implementing an information security program

- Knowledge of Information Security issues related to Industrial Control systems

- Knowledge of IT governance protocols and current trends

- Knowledge of Information Management assurance and security

- Ability to assess risks and implement appropriate controls to mitigate risks

- Familiarity with external/internal Attack and Penetration Assessments, Information Security Risk Assessments, Security Vulnerability Assessments, IT Audit Assessments, Network Server and Application Security Assessments, and Security Policy Standards & Procedure Development

- Understanding of LAN/WAN technologies and protocols, FTP, Active Directory, VPN (MPLS, IPSEC, etc.) IIS

- Extensive knowledge and experience with network topologies, file/application servers, encryption technologies, and network operating hardware and software

- Knowledge of industry-standard risk, governance, and security best practices associated with Local, Wireless and Wide Area Networking, internet security, applications security architectures, as well as secure email and file transfer protocols (HTTPS, SMIME, etc.)

- In-depth knowledge of ISO-20001 and ISO-27002 security frameworks

- Strong process facilitation, project management, and organization skills

- Excellent written and verbal communication skills

- Strong analytical and problem-solving abilities and strong customer service orientation

- Ability to work with highly confidential and sensitive internal employee matters

Minimum Education, Experience Requirements

- Bachelor’s degree in Computer Science, Business Administration, or related discipline

- 8+ years of Information Technology experience that includes: - 5+ years’ experience managing and supporting Information Security (Cyber Security) Program and Compliance (information management, cyber security, software licenses, change/configuration management) activities, and Disaster Recovery and Incident Response Planning control methods for enterprise-scale systems - 3+ years managing information security teams

- Experience in the concurrent management of multiple development projects, multiple development managers, and a team of developers/analysts/technical staff

- Experience with forensic software such as Encase, chain-of-custody procedures for evidence collection and preservation