
This job has expired

Director, Information Security & Compliance

Employer
Cirrus Aircraft
Location
Duluth, Minnesota, US
Salary
Join our team!

Industry
General
Role
Executive
Job Type
Long-Term

Job Details

Job Summary:

The Director, Information Security & Compliance is part of the IT Leadership team reporting to the highest-level IT executive in the company. This role is responsible for establishing and maintaining Cirrus Aircraft's information security and compliance program. The scope of the program includes ensuring information assets and associated technology, applications, systems, infrastructure and processes are adequately protected as well as overseeing all technology related compliance issues including privacy, business continuity, identity management, and user access. The Director, Information Security & Compliance will provide objective risk assessments and remediation plans regarding Cirrus Aircraft's cybersecurity posture, and compliance with regulatory, organization and commercial requirements governing the organization's information technology systems. In this role, the Director, Information Security & Compliance will work closely with Cirrus Aircraft's legal, finance and human resources, as well as other business functions to ensure organizational alignment to balance risk while supporting and advancing business objectives.

Supervisory Responsibility:

No Direct Reports

Multiple Strategic Partner Relationships

Job Duties and Responsibilities (Essential Functions):

The Director, Information Security and Compliance will oversee all activities that safeguard Cirrus Aircraft information technology.
  • Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
  • Create and oversee an IT risk assessment framework to periodically assess the regulatory, commercial and organizational, inherent and residual IT security and compliance risks.
  • Identify the associated IT security and compliance control gaps/issues and oversee the documentation, implementation and testing of the entire IT compliance control portfolio.
  • Develop and direct IT security and compliance control monitoring programs to ensure IT compliance-related risks are managed to the appropriate level of acceptable residual risk.
  • Communicate and report the levels of IT security and compliance risks, including control effectiveness, to key stakeholders such as IT-business unit management, senior management, legal management, regulators, internal/external auditors, etc.
  • Periodically review and maintain all information technology security and compliance policies.
  • Stay current with the industry and monitor security threats and technology trends, providing technological advice and insight on information security and compliance requirements to leaders across the organization.
  • Coordinate the investigation of any potential unlawful or fraudulent action related to IT compliance, such as the intentional release of privileged information or a related security breach.

Qualifications:

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Education and/or Experience:
  • Undergraduate degree in the field of law, computer science or business administration; graduate degree in one of these fields preferred.
  • 10+ years' experience in a combination of risk management, information security and compliance, including 5 years in a leadership role.
  • Professional security management certification is required, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework.
  • Knowledge and understanding of relevant legal and regulatory requirements, such as: Payment Card Industry/Data Security Standard (PCI), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) and General Data Protection Regulation (GDPR).
  • Excellent knowledge of technology environments, including information security, encryption methods and privacy-based solutions.
  • Proven track record and experience in developing information security and compliance policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment.
  • Proven experience developing and submitting IT audit and compliance reports to governing bodies, legal entities and/or external authorities.

Demonstrated Proficiencies/Skills/Abilities:
  • A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital. Ability to establish credibility and working relationships with a wide range of corporate personnel, including operations, management, executive and legal staff as well as external personnel, including auditors and regulators.
  • High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.
  • High degree of initiative, dependability and ability to work with little supervision while being resilient to change.
  • Poise and ability to act calmly and competently in high-pressure, high-stress situations.
  • Must be a critical thinker, with strong problem-solving skills.
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from executives to technical specialists.

Other Duties:

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.

Cirrus is dedicated to a drug free work environment promoting equal employment opportunity. Qualified applicants will receive consideration for employment without regard to race, sex, national origin, color, age, disability, religion, pregnancy, veteran status, marital and family status, sexual orientation, receipt of public assistance, genetic information or any other characteristic protected by applicable law.

Company

Since day one in 1984, Cirrus Aircraft has been committed to the future of aviation through smart safety, ease of operation and most adamantly, continuous innovation. Along the way, every turn has meant challenges and opportunities to grow general aviation–improving the flying experience as a whole.

Our goal is to utilize technology to drive enhanced safety, performance, sophistication and comfort. We are proud that today, after 30 years of dedication, the Cirrus brand is associated with these accolades and hallmarks that mean so much to us. Our line of all-composite personal aircraft–the SR20, SR22 and turbocharged SR22T–lives up to this by incorporating advanced electronic and standard safety technologies including Cirrus Perspective by Garmin avionics and the unique Cirrus Airframe Parachute System® (CAPS®).

Our latest aircraft, the Vision Jet, raises the bar even higher as it ushers in a new era in personal transportation and introduces the world to “the personal jet.”

We’ve traveled far, but in many ways, we’re only just taking off. Join our team and become a part of the future today.
