Principal Director - Cyber / Information Security, and Head of the Information Security Office

Posted:
9/19/2024, 9:50:22 AM

Location(s):
Virginia, United States ⋅ Chantilly, Virginia, United States ⋅ California, United States ⋅ El Segundo, California, United States

Experience Level(s):
Expert or higher ⋅ Senior

Field(s):
IT & Security

The Aerospace Corporation is the trusted partner to the nation’s space programs, solving the hardest problems and providing unmatched technical expertise. As the operator of a federally funded research and development center (FFRDC), we are broadly engaged across all aspects of space— delivering innovative solutions that span satellite, launch, ground, and cyber systems for defense, civil and commercial customers. When you join our team, you’ll be part of a special collection of problem solvers, thought leaders, and innovators. Join us and take your place in space.

At Aerospace, we are committed to providing an inclusive and diverse workplace for all employees to share in our common passion and aspiration – to carry out a mission much bigger than ourselves.

Job Summary

The CISO will be responsible for implementing and running the enterprise cybersecurity program. That will involve identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The CISO is responsible for establishing and maintaining the cybersecurity program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate.

A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization. They will proactively work with business units and ecosystem partners, including customer stakeholders, to implement practices that meet agreed-on policies and standards for cybersecurity. The CISO should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this to the board of directors and other senior stakeholders.

The CISO must be knowledgeable about both internal and external business environments and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. They serve as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity and availability of information owned or processed by the business but extend their expertise to aid the organization in meeting safety, privacy, reliability, and resilience requirements. The CISO understands that securing information assets and associated technology, applications, systems, and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter.

The ideal candidate is a thought leader, a builder of consensus and of bridges between business and technology. They are an integrator of people, process and technology. While the CISO is the leader of the cybersecurity program, they must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the organization to deliver on its business goals and objectives. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of cybersecurity and/or risk management, with seven to 10 years of relevant experience, including five years in a significant leadership role.

Work Model

This is a full-time position based in El Segundo, CA or Chantilly, VA.

What You’ll Be Doing

Establish Governance and Build Knowledge

  • Facilitates a cybersecurity governance structure through the implementation of a hierarchical governance program.
  • Provides regular reporting on the current status of the cybersecurity program to enterprise risk teams, senior business leaders and the board of trustees as part of a strategic enterprise risk management program, thus supporting business outcomes.
  • Develops, socializes and coordinates approval and implementation of security policies.
  • Works with the Supply Chain team to ensure that cybersecurity requirements are included in contracts by liaising with vendor management and procurement organizations.
  • Directs the creation of a targeted cybersecurity awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences.
  • Understands and interacts with related disciplines, either directly or through committees, to ensure the consistent application of policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance and business continuity management.
  • Advises on the cyber risk posture of the organization, including the mandatory application of controls.
  • Embeds Cyber Judgement across a centralized or decentralized or distributed decision-making model.
  • Owns the security champion program to mobilize employees in all locations.

Lead the Organization

  • Leads the cybersecurity function across the company to ensure consistent and high-quality information security management in support of the business goals.
  • Determines the cybersecurity approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of non-digital risk areas.
  • Manages the budget for the cybersecurity function, monitoring and reporting discrepancies.
  • Manages an effective cybersecurity organization, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring (and conducting background checks), training, staff development, performance management and annual performance reviews

Set the Strategy

  • Develops a cybersecurity vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.
  • Develops, implements and monitors a strategic, comprehensive cybersecurity program to ensure appropriate levels of confidentiality, integrity, availability of information assets owned, controlled or/and processed by the organization as well as the meeting of safety, privacy, reliability and resilience requirements as needed.
  • Advises on the identification of non-CIO managed IT services in use ("Mision IT") and on facilitating a corporate IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensures that risk is reduced to the appropriate levels and ownership of this cybersecurity risk is clear.
  • Works effectively with business units to facilitate cybersecurity risk assessment and risk management processes and empowers them to make the right decisions that fall within the risk appetite of their organization.

Develop the Frameworks

  • Enhances the security posture by adopting a cybersecurity framework that is applicable to the organization including National Institute of Standards and Technology (NIST) Cybersecurity Framework SP 800-171 controls, and Cybersecurity Maturity Model Certification (CMMC) 2.0.
  • Creates and manages a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards, and regulations.
  • Develops and owns a document framework of continuously up-to-date cybersecurity policies, standards, and guidelines. Oversees the approval and publication of these cybersecurity policies and practices.
  • Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
  • Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, and increases the maturity of the cybersecurity, and reviews it with stakeholders at the executive and board levels.

Build the Network and Communicate the Vision

  • Provides input for the IT section of the company's code of conduct.
  • Creates the necessary internal networks among the cybersecurity team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
  • Builds and nurtures external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Liaises with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
  • Liaises with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that cybersecurity requirements are implicit in these architectures and security is built in by design.

Operate the Function

  • Collaborates and liaises with the privacy officer to ensure that privacy requirements are included where applicable.
  • Defines and facilitates the processes for cybersecurity risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
  • Ensures that security is embedded in the project delivery process by providing the appropriate cybersecurity policies, practices, and guidelines.
  • Manages and contains cybersecurity incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation.
  • Monitors the external threat environment for emerging threats and advises relevant stakeholders on the appropriate courses of action.
  • Develops and oversees effective resilience policies and standards to align with the enterprise resilience program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter.
  • Coordinates the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas.
  • Facilitates and supports the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.

What You Need to be Successful

Minimum Requirements:

Education, Training and Previous Experience

  • Demonstrated experience and success in senior leadership roles in risk management, cybersecurity, and IT or OT security.
  • Degree in business administration or a technology-related field, or equivalent work- or education-related experience.

Technical and Business Experience

  • Knowledge and understanding of relevant legal and regulatory requirements, such as NIST SP 800-171 controls, and experience overseeing Cybersecurity Maturity Model Certification (CMMC) 2.0 at Level 2 and higher a plus.
  • Knowledge of common information security management frameworks, such as NIST 800-53 and Cybersecurity Framework.
  • Sound knowledge of business management and a working knowledge of cybersecurity risk management and cybersecurity technologies.
  • Up-to-date knowledge of methodologies and trends in both business and IT
  • Experience with securing cloud services and integrating FedRAMP certified services a plus.

Knowledge and Skills

  • Excellent communication skills, interpersonal and collaborative skills, and the ability to communicate cybersecurity and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists.
  • Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization.
  • Ability to lead and motivate the cybersecurity team to achieve tactical and strategic goals, even when only "dotted" reporting lines exist.
  • Excellent stakeholder management skills.
  • Financial/budget management, scheduling and workforce management.
  • A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital.
  • Business acumen and an understanding of the organization’s risk profile.
  • Ability to develop and implement security strategies that are aligned with the organization's business goals.

How You Can Stand Out

It would be impressive if you have one or more of these:

  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials.
  • Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment.
  • Experience with contract and vendor negotiations.

We offer a competitive compensation package where you’ll be rewarded based on your performance and recognized for the value you bring to our business.  The grade-based pay range for this job is listed below.  Individual salaries within that range are determined through a wide variety of factors including but not limited to education, experience, knowledge and skills. 

(Min - Max)

$174,360 - $296,493

Pay Basis: Annual

Leadership Competencies

Our leadership philosophy is simple: every employee, regardless of level and role, can demonstrate leadership. At Aerospace, our commitment is our people. To cultivate our talent and ensure that we have a strong pipeline of future leaders, we want individuals who:

  • Operate Strategically
  • Lead Change   
  • Engage with Impact   
  • Foster Innovation   
  • Deliver Results  

Ways We Reward Our Employees

During your interview process, our team will provide details of our industry-leading benefits.

Benefits vary and are applicable based on Job Type.  A few highlights include:

  • Comprehensive health care and wellness plans

  • Paid holidays, sick time, and vacation

  • Standard and alternate work schedules, including telework options

  • 401(k) Plan — Employees receive a total company-paid benefit of 8%, 10%, or 12% of eligible compensation based on years of service and matching contributions; employees are immediately eligible and vested in the plan upon hire

  • Flexible spending accounts

  • Variable pay program for exceptional contributions

  • Relocation assistance

  • Professional growth and development programs to help advance your career

  • Education assistance programs

  • An inclusive work environment built on teamwork, flexibility, and respect

We are all unique, from diverse backgrounds and all walks of life, yet one thing bonds all of us to each other—the belief that we can make a difference. This core belief empowers us to do our best work at The Aerospace Corporation.

Equal Opportunity Commitment

The Aerospace Corporation is an Equal Opportunity/Affirmative Action employer. We believe that a diverse workforce creates an environment in which unique ideas are developed and differing perspectives are valued, producing superior customer solutions. All qualified applicants will receive consideration for employment and will not be discriminated against on the basis of race, age, sex (including pregnancy, childbirth, and related medical conditions), sexual orientation, gender, gender identity or expression, color, religion, genetic information, marital status, ancestry, national origin, protected veteran status, physical disability, medical condition, mental disability, or disability status and any other characteristic protected by state or federal law. If you’re an individual with a disability or a disabled veteran who needs assistance using our online job search and application tools or need reasonable accommodation to complete the job application process, please contact us by phone at 310.336.5432 or by email at [email protected]. You can also review Know Your Rights: Workplace Discrimination is Illegal, as well as the Pay Transparency Policy Statement