Information Security Program Manager
Ref No.: 18-00059
Location: Washington, District of Columbia
Must be legal to work in the United States without sponsorship.
The Information Security Program Manager (ISPM) will manage all program management aspects of the client's information security portfolio.

The ISPM will be responsible for planning, scheduling, monitoring, and reporting on activities related to all aspects of the program. They will be responsible for managing multiple IT projects as part of a program. The ISPM will be expected to balance scope, budget, schedule, competing priorities, project risks and communications, and to ensure project completeness, quality, and timely delivery. The ISPM will work with project managers across information security, application, and infrastructure teams to ensure project management discipline in the execution of security projects. The ISPM will play a key role in advising Security Steering Committees and IT Management on risk-based project priorities, dependencies, and investment decisions as they relate to information security. The ISPM will receive strategic and tactical direction from the CISO. The ISPM will ensure that programs are managed to realize business benefits and that program management is informed by an awareness of industry best practices and current information technology methods and approaches.

Specific job responsibilities:

Builds and manages relationships with internal/external stakeholders in IT and business to influence strategies, manage expectations, and rally support of information security initiatives.

Exhibits advanced knowledge of various information security areas including understanding of complex and interrelated IT security technology and process implementation and operations. These areas include information risk management, identity and access management, application security, infrastructure security, endpoint security, security monitoring, managed security services, security operations, mobility, and cloud security.

Evaluates and further defines quality program requirements. Responsible for definition, planning, execution and closure of projects in the program. Works closely with IT Leadership to ensure that project deliverables and timelines are consistent with IT technology and business priorities.

Provides formalized, continuing work direction and leadership to assigned project(s), including scheduling, assignment of work and review of project efforts. Manages expectations regarding project timeframes, cost, and functionality on an ongoing basis. Performs cost-benefit analyses and TCO calculations, and measures value by tracking meaningful business outcomes.

Informs buy vs. build decisions based on established processes and criteria. Assists in developing business case and identifying related opportunities that may impact cost justification. Participates in creating Request for Proposal (RFP) documents, and in the evaluation of responses.

Manages the program budget. Tracks actual vs. projected expenses, analyzes variances, and forecasts end-of-year results for area of responsibility and escalates exceptions. Recommends reallocation of resources and technology to improve results.

Fosters collaboration and respect among project team members (staff and vendors) by addressing issues and/or concerns that could impede the group from reaching its goals. Provides clear direction and priorities. Provides feedback and coaching.

Required Skills:
The candidate must have strong experience in: (i) Security Program and Project Management at organizations with complex and large information security portfolios, preferably in the financial, insurance or pharmaceutical industries; (ii) Estimation and Cost Management; (iii) Managing IT Security in the areas of infrastructure, network, endpoints, applications, and database system technologies; (iv) Managing Vendor Relationships and complex negotiations; and (v) Project management frameworks and leading tools.

Soft Skills: (i) Familiarity with a broad range of technologies supplemented by in-depth knowledge in specific areas of relevance; (ii) Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals; (iii) Analytical skills that enable synthesis of inputs from many sources, and allow for strategic thinking and tactical implementation; (iv) Interpersonal skills that create openness and trust among colleagues; (v) Facilitation and conflict management skills that enable effective working relationships; (vi) Spoken and written communications that are compelling, convincing and reassuring, and skills to articulate complex technical ideas to non-technical stakeholders; (vii) Pragmatic security expert with an inherent ability to balance security demands with business reality; (viii) Excellent relationship management skills; (ix) Ability to think laterally and to have input to, or propose, detailed and complex solutions to technical issues; (x) Personal drive, ownership and accountability to meet deadlines and achieve agreed-upon results; and (xi) Actively seeks knowledge needed to complete tasks and shares knowledge with others, communicating and presenting information in a clear and organized manner.

Knowledge requirements: Familiarity and/or experience with (i) advanced project management frameworks and practices: PMBOK, PRINCE2, TCM, agile and lean project management; (ii) project management tools such as MS Project and Clarity; (iii) risk management and control frameworks including ISO 27001, NIST SP 800-53, FISMA, SOX 404, COSO, and COBIT; (iv) Critical Security Process implementation projects such as Certification & Accreditation, 3rd Party Vendor Risk Management, Control and Risk assessments, threat & vulnerability management, compliance management, and independent assurance processes; (v) IT GRC tools and processes; (vi) security architecture principles and models such as SABSA/EISA; (vii) identity and access management technologies; (viii) authentication and authorization technologies; (ix) web services security; (x) infrastructure security: n-tier architectures, firewalls, intrusion detection/prevention tools, endpoint security, application whitelisting, network admission controls, policy detection and enforcement controls, web application firewalls, proxies, SOA firewalls, reverse proxies, server and network security controls (Windows/Linux/AIX), database security (SQL DB/Oracle); (xi) application security processes and methodologies: Secure SDLC, OWASP; and (xii) Incident management techniques and processes.

Minimum qualifications:
Educational requirements: (i) Advanced university degree in computer science, engineering, mathematics, business or a related field of study plus a minimum of 10 years of relevant experience in Information Security, Cyber Security, or regulated industries (preferably financial), working as a Security Program Manager; or (ii) Bachelor's degree in computer science, engineering, mathematics, business or a related field of study and a minimum of 12 years of experience in regulated industries (preferably financial) working as a Security Program Manager.

PMP is a requirement.

Additional certifications such as PgMP, CISSP, CBAP and PMI-ACP are preferred.