Assistant Vice President Deputy CISO

Company: The Hanover Insurance Group
Location: Worcester, MA 01605


The Hanover is seeking an Assistant Vice President Deputy CISO to join our growing team in our Worcester, MA office.

The AVP, Deputy Chief Information Security Officer is responsible for the day-to-day Cybersecurity operations including threat prevention, detection, application security as well as identity and access management. The Deputy CISO role works in concert with the CISO and supports the overall Cybersecurity program providing leadership to develop, support, and advance strategies, programs, and projects designed to continually improve and enhance The Hanover’s information security program.

Responsibilities/Essential Functions:

  • Mature the Security Operations Center at The Hanover, which will include rationalization of the security tools, technologies, processes, and procedures in place today to determine those that are appropriate to the detection of threats and attacks against company infrastructure and information.
  • The Deputy CISO will direct the tactical company response to attacks and incidents including the containment and eradication strategy to ensure minimal impact to business operations.
  • Serve as the delegate for the CISO when not available and regularly respond to inquiries and make decisions on behalf of the CISO.
  • Define, implement and mature the Application Security Engineering program.
  • Participate in the maturation of the Identity & Access management program inclusive of The Hanover’s Cloud environment.
  • Maintain relationships with industry groups inclusive of Financial Services industry groups (e.g., FS-ISAC).
  • Regularly review operation of security controls and recommend changes designed to improve effectiveness and/or counter emerging risks.
  • Maintain threat, attack and risk models and perform regular analysis to ensure risks are adequately mitigated.
  • Make appropriate recommendations for security enhancements to the CISO including tools, technologies, services, policies, procedures, and other areas as needed.
  • Manage budgets, maintain financial forecasts, develop and present business cases.
  • Establish objectives and milestones and manage activities to deliver high quality results within budget and schedule.
  • Hire, lead, develop and coach staff and other resources (e.g., advisors and counsel) as needed to fulfill obligations.
  • Serve as a member of the overall IT Leadership team, building strong, collaborative partnerships across the organization.
  • Other duties and obligations as assigned by the CISO.
  • Manage and oversee the Security Operations Center
  • Oversee all processes and projects managed by the Security Operations Center Team
  • Implement and mature a Security Information Event Monitoring System.
  • Produce monthly, quarterly and annual metrics related to the Security Operations Center
  • Develop annual Cybersecurity operations strategy to detect and counter threats and attacks
  • Define and lead table top exercises with business and technology teams to ensure ongoing preparedness for Cyber Incident Response.
  • Manage and oversee all Cybersecurity incidents impacting the company
  • Implement, manage and mature tooling to ensure ongoing availability for critical data.
  • Ensure appropriate planning, training, and tabletop exercises are in place to respond effectively to threats and incidents.
  • Lead efforts to evaluate and select vendors for security assessments, penetration testing, and other similar security services
  • Manage the enterprise process for identification and remediation of technical vulnerabilities in partnership with CIO teams across the organization
  • Ensure effective tools, technologies and processes are in place to identify and report vulnerabilities for remediation
  • Coordinate and report on vulnerability remediation.
  • Implement a robust, risk based, Application Security program inclusive of dynamic and static scanning capabilities.
  • Mature the program to ensure inclusion in the DevSecOps process with appropriate gating prior to production release.
  • Support all activities performed by the Cybersecurity team associated with the deployment and maintenance of all Cybersecurity detection systems such as the Security Incident Event Management system, threat intelligence system, and other detection and automation tools
  • Provide annual budget planning and participate in the development of the annual strategy
  • Develop and implement Cybersecurity training programs for team members according to their role and responsibilities
  • Manage projects with the IT and product development teams and for projects internal to Cybersecurity
  • Assist with general administrative activities in collaboration with all team members
  • Manage vendors’ activities and relationships as needed including SOWs, maintenance renewals, licensing updates, etc.
  • Prepare project plans and associated documentation
  • Prepare status reports and other management metrics as needed
  • Establish self-audit disciplines for set policies and standards which are owned by security.
  • Manage the design and implementation of an operational reporting framework that will provide regular metrics and statistics about Cybersecurity operations; analyze trends in security events, activities, etc. to better understand risks and insufficiencies in our solutions, staffing and processes; report security metrics and statistics to the CISO and other key stakeholders.
  • Manage all SOC requirements with regards to Cybersecurity metrics and ensure that metrics are gathered daily.
  • Manage all Cybersecurity metrics for the CISO dashboard and other reporting requirements
  • Manage the vulnerability threat assessment report and ensure all stakeholders are effectively informed of the status of system vulnerabilities.

Position Requirements:

  • Bachelor’s degree or equivalent business experience in Computer Science, Business Management, or MIS is preferred.
  • Certified training in security management, risk and compliance solutions and practices. CISSP, C-CISO, CISA, CISM, GSEC, CRISC, or related certification(s) required.
  • 10+ years of broad technology experience in application development and infrastructure services with a strong record of success in managing information security. Specific focus on resiliency / continuity planning, auditing and risk management preferred.
  • Deep working knowledge of industry best practices (NIST, ISO, SANS, COBIT, CERT) and legislative, regulatory and industry compliance requirements (SOX, PCI, HIPAA, etc.).
  • Must be a coach and active developer of new and emerging talent.
  • The ability to understand, manage and approach security with an eye towards risk management is key (i.e. operate in gray space).
  • Must have experience managing complex information technology programs, preferably within the financial services or information security industries.
  • Experience managing vendor sourced solutions and consultants, ensuring vendor performance and deliverables meet specifications.
  • Intelligent, articulate and persuasive leader with excellent interpersonal, verbal, written communication and presentation skills.
  • Must possess the ability to communicate security-related concepts, the state of security and risks, as well as cost effective program design and mechanics to a broad range of stakeholders including: A Board of Directors, senior business executives, technical and non-technical associates, customers, business partners, vendors, etc.

Personal and Professional Competencies:

  • Has a track record of being an inspiring leader with an inclusive approach who has built followership at all levels across an organization including their peer group and direct report teams.
  • Highly motivated and self-directed, with the ability and desire to have real impact on an organization.
  • Accomplished and effective change leader with prior people management responsibility. Candidates should have demonstrable evidence of their ability to implement and drive adoption of risk management programs.
  • Exhibits the ability to work well under pressure to provide results in a short time frame.
  • A highly responsive, goal-oriented individual who will bring significant energy and drive to directly impact a growing business.
  • Must have the desire and demonstrated ability to roll up sleeves and work with team members in a hands-on management capacity.
  • Must direct members across the organization, ensuring alignment of resources across functions and matrix. Creative, innovative and thorough approach with the ability to operate autonomously.

EEO statement:
“The Hanover values diversity in the workplace and among our customers. The company provides equal opportunity for employment and promotion to all qualified employees and applicants on the basis of experience, training, education, and ability to do the available work without regard to race, religion, color, age, sex/gender, sexual orientation, national origin, gender identity, disability, marital status, veteran status, genetic information, ancestry or any other status protected by law.

Furthermore, The Hanover Insurance Group is committed to providing an equal opportunity workplace that is free of discrimination and harassment based on national origin, race, color, religion, gender, ancestry, age, sexual orientation, gender identity, disability, marital status, veteran status, genetic information or any other status protected by law.”

As an equal opportunity employer, Hanover does not discriminate against qualified individuals with disabilities. If you require a reasonable accommodation, as a candidate for employment, please inform The Hanover Talent Acquisition office.