Location: US-NY-New York
Department: NYU IT
School/Division: NYU IT (WS1170)
Compensation Grade: Band 55
The CISO serves as a member of the CIO’s senior leadership team and serves as the University’s subject matter expert and internal consultative resource on technology security for the University’s global network and the integrity and safety of the University’s significant intellectual property and research assets.

The CISO will set the strategic roadmap for the University technology security initiatives directly impacting 20,000+ computers, over 60,000 technology users on the NYU NYC campus, as well as computers and staff at 2 global campuses and 14+ global sites.

The CISO is accountable to the CIO, the EVP, and where appropriate, the University Board of Trustees, for developing and implementing strategic and operational plans for the University wide technology security programs and initiatives. The CISO must carefully balance such proactive efforts while ensuring appropriate cost and minimal organizational risk, including potential damage to intellectual assets and unfavorable public relations consequences.
With NYU senior leadership, the Chief Information Security Officer (CISO) will lead the development and implementation of an information security strategy and program for the University. They will plan and execute University wide technology security initiatives; create and maintain security policy in coordination with the Information Security Advisory Group (ISAG) and NYU IT Policy and Compliance; lead security assessment efforts; lead security risk assessment efforts; direct, advise and collaborate with NYU units on secure system development life cycle, and cyber security protection programs appropriate to risks, business continuity & disaster recovery plans, and audit & governmental compliance practices; direct security operations of the Office of Information Security group. The CISO communicates cyber security risks, issues and program status to University leadership and the NYU community as directed.
As the University’s subject-matter expert in the technology security space, the incumbent will have the decision-making authority and signatory responsibility for $5+ million to recommend comprehensive solutions at the University level that will mitigate risk, protect intellectual capital, and respond appropriately to security breaches or similar adverse issues, both for long-term critical response planning and nimbly in response to emerging threats that require more immediate and creative problem-solving. The role is responsible for leading a team of approximately 20 people. The CISO will also regularly interact with the University leadership, senior IT leadership, and where appropriate, the University Board of Trustees. Interactions will also include the Office of General Counsel, Public Safety, Emergency Management, HIPAA Security Officer (CIO), HIPAA Privacy Officer (EVP), outside agencies (including governmental agencies), vendors, NYU IT managers, faculty and researchers, business unit senior managers, and NYU Medical Center.
Global Security Program (35%)
Serve as an expert advisor to NYU senior management in the development and implementation of a comprehensive, risk based institutional and global security program.
- Work closely with senior administration, academic leaders, and the campus community to identify key security program elements and determine which NYU departments or offices need to be involved in building a comprehensive information security program.
- Convene and coordinate activities of the NYU Information Security Advisory Group (ISAG).
- Provide guidance and advocacy regarding prioritization of infrastructure investments that affect security.
- Foster a collaborative approach to IT security efforts across the global components.
- Serve as security technology expert to University portal campuses, sites, schools, and departments by providing information and guidance regarding improved security needs.
- Consult with University and department administrators to understand unique requirements and recommend security approaches and improvements.
- Track industry and higher education developments and best practices to maintain a thorough understanding of current and future directions, systems, applications, and data security techniques for instructional, research and administrative needs, and select security technology appropriate to meet needs.
- Establish annual and long-range security and compliance goals; define security strategies, metrics, reporting mechanisms and program services; and create a roadmap for continual program improvements.
- Ensure broad communication to the NYU community about threats and measures to protect data and systems.
- Create consistency in risk reporting for the University Audit Committee and ISAG.
Develop and maintain an ongoing risk assessment program for NYU IT’s information, data and technology
- Research and report on information security threat profiles and system vulnerabilities.
- Recommend appropriate technical controls or other actions to mitigate risks; conduct tests of information security controls.
- Ensure mitigation strategies are aligned appropriately with the priorities and mission of the University.
- Determine security impact of implementation of new University systems, review software proposals from vendors, and develop installation schedule and priorities for most secure
- Propose and oversee the portfolio of IT investments in support of the University security program.
Systems and Data Protection (20%)
Direct all protection of information systems and data using technology security measures and techniques appropriate to current and evolving technology.
- Develop and implement security policies that are in compliance with federal & other statutes, and University policy.
- Develop and oversee mechanisms to ensure compliance with these
- Develop short- and long-term strategic planning for the rapidly changing technical security field.
- Advise NYU and NYU IT on effective technology security approaches.
- Make recommendations regarding new services and procedures so as to maintain and continuously improve data and system security throughout the University.
- Make recommendations regarding outsourcing of program components, as needed.
Security Incident Management (15%)
Develop strategies to handle security incidents; coordinate the incident response process and investigation resulting from these incidents.
- Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the University’s information and
- Determine appropriate and effective response to technology security breaches affecting the
- Supervise investigation of security breaches and assist with disciplinary and legal matters associated with such breaches as necessary.
- Maintain relationships with local, state and federal law enforcement and other government
- Work with Internal Audit and outside consultants as appropriate on required security audits.
- Adhere to all policies regarding investigation practices.
Team Leadership (5%)
Oversee a team of technology security professionals and other technology security consultants as needed.
- Provide mentoring and training to these individuals and distributed security staff across the University.
- Determine staffing needs including hiring, training, and evaluating
- Identify and prioritize assignments to ensure deadlines are met and review work for
Key Selection Criteria
- 10+ years progressively responsible experience with complex technology security systems and issues (required).
- The CISO must not only have a strong command of technology security protocols, best practices, and risk mitigation, but must have the ability to provide sound, practical technical and business solutions to highly complex and varying stakeholder needs (including, but not limited to, faculty, researchers, students, and staff, and their respective academic/work products).
- Demonstrated ability to deliver security solutions that meet organizational needs. Experience creating a security program using a security framework.
- Demonstrated ability to create new models for virtual security teams that include stakeholder departments in a collaborative model.
- Strong team leadership skills. Strong at hiring, mentoring, and developing staff to create a strong people and team-oriented culture.
- Ability to identify critical business risks related to information security and advise senior leadership on risk acceptance and mitigation
- Demonstrated ability to influence key stakeholders, and successfully manage risk, change and
- Excellent organizational, communication, and problem-solving skills. Experience communicating complex subjects to
- Proven ability to measure, report, and publicly communicate complex security decisions, situations, and
- Ability to work and effectively prioritize in a highly dynamic decentralized work environment.
- Must be well versed in quality data collection to ensure adequacy, accuracy and legitimacy of data in NYU systems and be able to strictly follow data privacy and security procedures for data handling and analysis to ensure adherence to legal and institutional standards.
- Must be familiar with security compliance requirements, such as PCI, FERPA, HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley, and with ISO 27001 and NIST 800-53, and emerging security standards for restricted and sensitive data.
- Must have 5+ years’ experience managing technical
- Bachelor’s degree is required; a Master’s degree in Cyber Security or IT Risk Management
NYU aims to be among the greenest urban campuses in the country and carbon neutral by 2040. Learn more at nyu.edu/nyugreen.