Corporate Overview
Hubbell Incorporated was founded in 1888 and has grown into an international manufacturer of quality electrical, lighting and power solutions with more than 75 brands used and recognized around the world. Our founder, Harvey Hubbell, developed tooling and equipment to serve the growing demand for new assembly and manufacturing machinery during the industrial revolution. One of his early patents, among the many awarded, was for the first practical method to control electricity through the pull chain socket, which remains unchanged today. As a market leader in reliable electrical solutions, we provide more than half a million products delivered through our various business groups. Hubbell is committed to continually innovating solutions that work, transforming old products with new ideas, and ensuring that we Energize, Enlighten and Empower the communities that support us.
Posting Address
Shelton, CT
Position Overview
The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected in the digital ecosystem in which Hubbell operates. The CISO is responsible for identifying, evaluating, and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.
The CISO position requires a leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The CISO will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. He or she should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program.
The CISO should understand and articulate the impact of cybersecurity on digital business and be able to communicate this to the board of directors and other senior stakeholders. He or she serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity, and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. The CISO understands that securing information assets and associated technology, applications, systems, and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter.
Duties and Responsibilities
- Form an information security steering committee/advisory board.
- Work with the VMO to ensure that information security requirements are included in contracts.
- Create/manage/establish metrics for targeted information security awareness training programs for employees, contractors and approved system users.
- Provide clear risk mitigating directives for projects with components in IT.
- Manage budget for the information security function, monitoring and reporting discrepancies.
- Manage the cost-efficient information security organization, consisting of direct reports and dotted line reports including training, staff development, performance management and annual performance reviews.
- Develop, implement and monitor a comprehensive information security program, ensuring appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
- Assist with the identification of non-IT managed IT services in use ("citizen IT").
- Work with business units to facilitate information security risk assessment and risk management processes, empowering them to own/accept the level of risk deemed appropriate.
- Develop/enhance an up-to-date information security management framework based on the following: International Organization for Standardization (ISO) 2700X, ITIL, ENISA, ISA-62443, COBIT/Risk IT and National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Create/manage a unified and flexible control framework.
- Develop/maintain a document framework of continuously up-to-date information security policies, standards and guidelines.
- Oversee the approval and publication of information security policies and practices.
- Create a framework for roles and responsibilities regarding information ownership, classification, accountability and protection of information assets.
- Facilitate a metrics and reporting framework that measures the efficiency/effectiveness of the program, supports appropriate resource allocation and increases the maturity of information security, and review it with stakeholders at executive and board levels.
- Create internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams.
- Build/nurture external networks to address common trends, findings, incidents and cybersecurity risks.
- Liaise with external agencies, such as law enforcement and other advisory bodies, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats.
- Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures.
Skills and Experience
The successful candidate will have the following experience:
- Minimum of 10 years of experience in a combination of risk management, information security and IT or OT jobs (at least five must be in a senior leadership role)
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams
- Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
- Proven track record and experience in developing information security policies and procedures
- Poise and ability to act calmly and competently in high-pressure, high-stress situations
- Knowledge and understanding of relevant legal and regulatory requirements
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
- Project management skills: financial/budget management, scheduling, and resource management
- Degree in business administration or a technology-related field, or equivalent work- or education-related experience
- Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials
- Knowledge of common information security management frameworks, such as National Institute of Standards and Technology, ISO/IEC 27001, ITIL, and COBIT
- High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
- High degree of initiative, dependability, and ability to work with little supervision while being resilient to change
Hubbell Incorporated, its subsidiaries and affiliates, is an EO Employer AA: M/F/Veteran/Disability. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status, sexual orientation, gender identity or any other protected class.
