Job Description:

Security Manager with enterprise experience in retail sector doing PCI, PCI
compliance, PCI remediation, PCI Audits, etc. Should be familiar with
security engineering, design, architecture review, and security technology
management. Enterprise Security Expertise, Security Engineering and Design
background, CISSP and PCI certification a plus.

The Manager of Security Operations & Engineering reports to the VP of
Security Services and is responsible for ensuring a stable, secure computing
environment, promoting high levels of end user satisfaction, by providing
the leadership necessary to manage and coordinate the Information Security
program. This position is a hands-on position, providing the information
security services including compliance with SOX/PCI risk management,
security incident management, identity and access management, and
administration and operations of information security tools and services.
This position is also responsible for researching, interacting, coordinating
and recommending present and future information security solutions with
competent vendors who provide information security products and services.

IT Policies, Risk, & Compliance - 25%

Oversees the development, implementation, and maintenance of
global security policy, enterprise security standards, guidelines and
procedures for appropriate risk mitigation and to support regulatory or
industry compliance (e.g. SOX, PCI, HIPAA).

Partners with VP of Security Services to serve as advisors to
executive leadership, Board of Directors, and Audit Committee in the
development, implementation, and maintenance of a strong information privacy
and security program and infrastructure including network access and
monitoring policies.

Collaborates with Legal Counsel and Internal Audit on compliance,
security, and privacy practices, processes, procedures, and protocols;
monitors and reports statuses, and actively participates in audits or
reviews as required.

Maintains relationships with local, state and federal law
enforcement and other related government agencies in support of security
program and roadmap, with partnership and direction from Legal Counsel.

Must be able to interact effectively with applications teams,
peers, and management staff to create application security processes and
protocols.

Must be able to develop, manage and maintain the proposed
capital and operating budget for IT Security, Risk, and Compliance
department. Will conduct ongoing budget control through budget review and
approval processes, and monitor departmental performance.

Be engaged with and understand the business environment,
projects, considerations, and constraints in implementing all policies and
associated technologies.

Develop and implement a strategic, long-term information
security strategy and roadmap with VP of Security to ensure that the
company's information assets are adequately protected.

Develop business metrics to measure the effectiveness of the
security management program and increase the maturity of the program over
time.

Oversee incident response planning and the investigation of
security breaches, and assist with any associated disciplinary, public
relations and legal matters

Maintain technical reference library; develop training material
and workshops for IT, program and security staff as appropriate.

Security Operations Management - 35%

Responsible for 24/7 security monitoring and threat
detection/prevention for the organization.

Develop and report on security operations dashboards, metrics
and KPIs relevant to understanding and improving Carters security capabilities
and defense levels.

Foster and manage the relationship with the 3rd party MSSP/SOC provider
to establish a true partnership with the Carters organization.

Develop business metrics to measure the effectiveness of the
security management program and increase the maturity of the program over
time.

Ensure the protection, integrity, confidentiality, and
availability of information in the custody of or processed by the Company
by: responding in a timely manner to a loss or misuse of information assets;
participating in investigations of suspected information security misuse or in
compliance reviews as requested by auditors; communicating unresolved security
exposures, misuse or noncompliance situations to management.

Research and consult with key technology suppliers and industry
consultants to evaluate, select, install, and configure hardware and
software systems that provide appropriate security functions.

Develop, mentor and manage a high-performing team of security
professionals.

Security Engineering - 40%

Accountable for developing, implementing, integrating, and maintaining the
security strategy and roadmap, including security tools and technologies.

Provide leadership and management oversight for security tool
deployment and implementation, including applicable hardware, software,
firewalls, intrusion detection systems, security event management systems,
anti-virus and malware solutions, cryptography systems, access control
systems, or any other device or solution required for enterprise cyber and
systems protection and monitoring.

Develops emergency procedures and incident response protocols;
acts as the control point during significant privacy and security incidents.

Understands potential threats, vulnerabilities, and control
techniques. Monitors network of vendors and employees to ensure the
safeguarding of information assets.

Investigates security breaches, communicates to appropriate
executive management and local information privacy and security leadership,
and pursues associated legal protocols in relation to any security
investigation, incident, or security breach.

Conducts periodic penetration testing and security audits;
establishes risk assessment criteria and methodology.

Experience and Skills

Bachelor's degree in Computer Science or related field
preferred.

7+ years IT experience, with a preference of 5 years in the
area of information security leadership.

Proven experience in planning security strategy and IT security
projects for a multi-billion dollar organization.

Must have strong knowledge of industry best practices, laws,
frameworks, and compliance standards related to data privacy and protection.

Requires successful experience in at least three of the following
domains: application security; security technologies and products; security
engineering; security analysis and investigations; IT SOX auditing.

In-depth knowledge of platform operating systems, including
Windows, Linux, and Unix.

Experience with Wide Area Network/Local Area Network/Wireless
Network, TCP/IP and related protocols.

Strong knowledge of Intrusion Detection and Prevention
techniques.

Proven experience leading committees or sub-committees related
to security, compliance, privacy, or risk in the organization.

Understands DR planning and execution, and is able to influence
IT infrastructure, IT application, and business owners on DR planning and
practices.

Must have very strong written and verbal skills and executive
presence to interact effectively with all levels of leadership, board
members, IT staff, vendors, auditors, third-party business application
providers, and other parties impacting the company's security state.

Experience with Managed Service providers in relation to
providing security services, including establishing protocol, measuring
provider metrics, understanding contractual agreements, and general
day-to-day monitoring and operational expectations.

Ability to effectively prioritize and execute tasks in a
high-pressure environment, preferably in the retail industry.

3 years of direct hands-on experience or direct management of
firewall administration, intrusion detection systems, data encryption
software, security information and event management systems, and working
knowledge of switches and routers.

Certified Information System Security Professional (CISSP) or
equivalent certification from a recognized professional organization such as
International Information System Security Certification Consortium (ISC)²,
Global Information Assurance Certification (GIAC), or Information Systems
Audit and Control Association (ISACA).

Prior work experience with MSSP vendor relationship.