The Director, Information Security is responsible for directing IS strategy and activities related to information security. The Director provides leadership and direction to a team responsible for designing and implementing an overall enterprise security strategy, program, and architecture that minimizes information related to loss and meets client and regulatory requirements. Develops, monitors and implements firm-wide information security policies to ensure that appropriate access to, and the confidentiality of firm, client and private information is maintained. Conducts information risk assessments as an integral part of business planning involving General Counsel, internal specialists and business owners as the need arises. Serves as a liaison to firm clients in all matters of information security including completion of client audits and review of RFPs and outside counsel guidelines. Leads and coordinates the firm’s tactical and operational response to information security incidents. Identifies and reports on information security incidents to firm management. Manages organizational risk by ensuring the protection of the enterprise infrastructure with a layered system of technical defenses including firewalls, intrusion detection and prevention, antivirus, and content monitoring. Provides risk review and approval of changes to systems, applications and facilities. Leads the evaluation and recommendation of security products, services and/or procedures to enhance productivity and effectiveness. Leads risk assessments of firm vendors and solution providers. Lead all aspects of and conducts security awareness programs and provides education on security policies and practices.
Ensures that staff members are providing quality service to internal members/departments of the Firm as well as external clients and vendors by displaying professionalism via electronic and print correspondence, over the telephone and in-person and by encouraging an atmosphere that rewards a "can do" attitude.
PRINCIPAL DUTIES AND RESPONSIBILITIES*
Manages Information Security staff, including scheduling, performance evaluation, salary recommendation and related personnel actions.
Identifies areas of risk to firm, client and private information and leads risk assessments to determine appropriate remediation, serving as a liaison to General Counsel in this regard.
Works directly with firm clients to address information security concerns and complete written and in-house security audits, negotiating and implementing requested security training and technical measures.
Works with the business to review Outside Counsel Guidelines and Requests for Proposal, confirming the firm’s ability to meet requirements and requesting changes as warranted.
Directs firm activities and resources to achieve and maintain compliance with information security standards such as state and federal privacy laws, ISO 27002/1, and GDPR.
Leads and coordinates the firm’s operational response to information security incidents that threaten firm, client and private information, directing forensics and organizing communications. Identifies and reports on information security incidents to firm management.
Approves changes to firm systems, applications and policies that may affect the security of firm, client and private information. Serves as the internal auditor for information security processes.
Works closely with senior leaders, line-of-business managers, the IT organization, and others to establish an effective security governance framework, support the delegation of authority, handle budgets, ensure effective enterprise risk management and support the establishment of measurable controls.
Serves as an internal information security consultant to the Department and Firm. Advises the department with current information about information security technologies and related regulatory issues.
Develops a strategic vision for the security program; prioritizes resources for effective security policies, practices and processes; and develops an annual security plan. Identifies enterprise systems, processes, and information resources that require security protections.
Identifies areas where existing security architecture requires change or development. Ensures local security standards align with international and national standards. Stays up to date with Security (legal requirements, policy and technology) developments in the commercial world and especially in the area of the law so that the firm remains at the forefront of any security related developments affecting the firm and the firm’s clients.
Monitors multiple logs across diverse platforms to uncover specific activities as they occur from platform to platform. Analyzes security analysis reports for security vulnerabilities and recommends feasible and appropriate options. Reports on significant trends and vulnerabilities.
Develops, maintains, publishes, and communicates enterprise-wide security standards, procedures and guidelines. Ensures that alignment to those standards is monitored and carried out.
Lead all aspects of the security infrastructure; for example identity and access management, firewalls, antivirus and intrusion detection system/intrusion prevention system. Monitors internal control systems to ensure that appropriate information access levels and security clearances are maintained. Monitors the security infrastructure for policy violations or security events, conducts security engineering, assists with resolution of escalated incidents and participates in problem management activities.
Improves security awareness and instills a risk-aware culture in the organization, ensuring that personnel fully understand the risk implications of their IT assets.
Measures and reports on the effectiveness and efficiency of security activities and capabilities. Manages, monitors, and matures security processes (for example, identity and access management; and threat and vulnerability management).
Oversees IT security within the system development lifecycle, change management, production systems support and technology-enabled projects (user administration, security logging, secure process flow, security standard methodologies).
Develops and leads information security projects, adhering to budgets, project plans, and business objectives.
Negotiates security-related software licensing and support agreements.
Assumes additional responsibilities as assigned.
Critical thinking and planning abilities required.
Able to breakdown raw information and undefined problems into specific, workable components that in-turn clearly identify the issues at hand.
Makes logical conclusions, anticipates obstacles and considers different approaches that are relevant to the decision making process.
Team player with ability to effectively meet challenges, influence and drive consensus within the team.
Enterprise business knowledge
Solicits information on enterprise direction, goals and industry competitive environment to determine how own function can add value to the organization and to customers.
Makes decisions and recommendations clearly linked to the organization's strategy and financial goals, reflecting an awareness of external dynamics.
Identifies risks and obstacles to plans. Defines scarcity and conflicts of resource needs, and potential constraints.
Investigates risks within various project elements, assesses impact, and develops contingency plans to address major risks.
Knowledge of security issues, techniques, and implications across all existing computer platforms required.
Knowledge in networking, databases and systems operations is required.
Leadership skills are required.
Collaboration and influence skills are required.
Proven interpersonal and communication skills.
Demonstrated ability to prioritize tasks and effectively handle multiple responsibilities in a multifaceted environment.
Demonstrated problem solving abilities, analytical skills, and proven ability to meet challenging deadlines required.
Strong work ethic; excellent use of discretion and judgment. Excellent written communication skills.
Ability to work under stress and multi-task on various assignments; Detail orientation is a must.
Bachelor's Degree in Computer Science, Management or related work experience.
CISSP or other major security certification preferred.
5-7 years’ work experience leading information security in a large and sophisticated environment; or other equivalent combination of education and experience that provides the required knowledge and skills.
Prior experience managing an Information Security, compliance or internal controls team preferred.
WilmerHale is an Equal Opportunity Employer. All qualified applicants will receive consideration without regard to race, color, religion, gender, sexual orientation, gender identity, national origin or ancestry, age, disability or veteran status, or other protected status.
Wilmer Cutler Pickering Hale and Dorr LLP (WilmerHale) provides legal representation across a comprehensive range of practice areas that are critical to the success of its clients. The law firm’s leading intellectual property, litigation/controversy, regulatory and government affairs, securities, and transactional groups participate in some of the highest-profile legal and policy matters. With a staunch commitment to public service, the firm is renowned as a leader in pro bono representation. WilmerHale has more than 1,000 lawyers in 12 cities worldwide.