Information Security Manager (Security and Risk Advisory)

Be among the first applicants.
Canada Life
Toronto
CAD 100,000 - 125,000
Yesterday
Job description

Information Security Manager (Security and Risk Advisory)

Description:

Permanent Full Time

The Information Security Manager plays a crucial role in our first line of cyber defense, working closely with IT and business partners to help them understand and manage information security risks while ensuring compliance with organizational policies and standards. This position supports the delivery of comprehensive, analysis-based cybersecurity services to our internal clients across Canada, including conducting security assessments, providing expert consultations, integrating security requirements into projects, and evaluating security controls for organizational assets.

This role reports to the Director, Security Assessment and Project Support team within the Information Security Canada group. In addition to the general accountabilities below, we are particularly interested in hearing from candidates with the following specialties:

What you will do

  1. Lead a team of security professionals, fostering their growth and development while ensuring the delivery of exceptional results to clients.
  2. Demonstrate sound judgment by providing timely, effective updates to leadership and making informed, ethical decisions that align with organizational values and effectively solve problems.
  3. Facilitate data-driven decision-making by developing and implementing reporting practices, designing dashboards, and creating effective metrics and KPIs to drive desirable outcomes.
  4. Provide information security consultation to business and IT clients, ensuring alignment with organizational goals and objectives.
  5. Collaborate with project and technology teams to ensure that security controls and security-by-design principles are incorporated into technology changes, while positioning security as an enabler to project timelines.
  6. Evaluate the effectiveness of existing security controls and recommend improvements to enhance the organization's security posture, ensuring alignment with industry standards and regulatory requirements.
  7. Foster a security-conscious culture by consistently guiding stakeholders on security best practices, standards, and policies.
  8. Develop and maintain a comprehensive risk assessment framework with consistent methodologies and criteria for evaluating threats. Identify new and emerging threats by staying current with security trends and technologies and integrate relevant advancements into the team's processes.
  9. Conduct threat risk assessments by identifying potential security threats, evaluating their likelihood and impact, and recommending mitigation strategies to protect organizational assets and ensure compliance with security policies. Prepare reports on findings, including recommendations for risk mitigation.
  10. Review common application and network vulnerability reports to identify security weaknesses and facilitate their remediation by owners based on risk prioritization. Common types of reports include:
    1. Static Application Security Testing (SAST)
    2. Dynamic Application Security Testing (DAST)
    3. Interactive Application Security Testing (IAST)
    4. Software Composition Analysis (SCA)
    5. Penetration Testing
    6. Infrastructure or endpoint scans

What you will bring

  1. Bachelor’s degree from an accredited college or university or equivalent experience.
  2. Minimum eight years’ experience as an information security professional with at least three of those in a people management role.
  3. At least one information security certification (e.g. CISSP, CISM, CISA, CCSP, CRISC, GSEC, CySA+, CASP+ or SSCP).
  4. Excellent communicator including demonstrated presentation and negotiation skills.
  5. Must be detail-oriented while still being able to see the big picture.
  6. Proven ability to influence cross-functional teams, foster relationships and build trust.
  7. High proficiency in developing and reporting on relevant performance measures.
  8. Able to explain complex concepts to a broad range of stakeholders, including management.
  9. Familiar with leading Architecture, SDLC (SecDevOps), PDLC, IT/Security Risk and Service Management practices.
  10. Positive attitude, strong work ethic and ability to work with a team to cultivate customer relationships.
  11. Strong experience in security assessment methodologies such as Threat Risk Assessment or Threat Modelling.
  12. Strong technical background with exposure to multiple aspects of information technology: networks, servers, application development, architecture, storage, cloud, etc.
  13. Strong knowledge of the following frameworks or regulations related to information security and IT governance: CIS Controls; CMMC; COBIT; CSA CCM; FISMA; GDPR; ISO/IEC 27001; ITIL; MITRE ATT&CK; NERC CIP; NIST Cybersecurity Framework; NIST SP 800-53; OWASP Top Ten; PCI DSS; SANS Critical Security Controls; SOX; and other similar resources.
  14. Experience interpreting and consulting around meeting the requirements of the Information Security Policies and Standards for a large organization.
  15. Working knowledge of IT Audit processes, including design of control test procedures.
  16. Ability to deliver on commitments.
  17. Familiarity with Data Protection Impact Assessments (DPIAs) and privacy principles is a plus.
  18. Demonstrated project management skills or extensive experience working with projects is a plus.
  19. Reliability Status security clearance - this is a personnel security status that is required before an employee can gain access to Protected B information, assets or work sites as outlined by the Government of Canada.


The base salary for this position is between $76,400.00 and $145,000.00 annually. This represents base salary only and does not include other variable compensation components of our total compensation (e.g. annual bonus, commission). If you are selected to move forward in our recruitment process, your recruiter will be able to discuss additional details of our total rewards program with you.

Be your best at Canada Life. Apply today!
