Top law firm is seeking a Director of Information Security to be responsible for proposing, implementing and managing policies, strategy and operational processes for the Firm's Information Security initiatives. The Director will work with the CIO and General Counsel to develop, monitor and implement Information Security policies that manage the Firm's exposure and mitigate risks. The Director will serve as a liaison to Firm clients in all matters of information security, including completion of client audits and review of RFPs and outside counsel guidelines. The Director will coordinate the Firm's response to data breaches, cyber incidents and all other related matters. The Director will work with all IT teams to enact processes and implement tools that monitor and reduce threat vectors. The Director will manage and mitigate security threats by ensuring that the Firm's infrastructure is protected by a layered defense including firewalls, intrusion detection and prevention systems, antivirus, monitoring and other mechanisms. The Director will be responsible for evaluation and recommendation of security products/services and operational procedures. The Director will develop and lead security awareness programs and will serve as the subject matter expert for the Firm's security policies and practices.
Manage, recruit and retain Information Security staff.
Review and identify Firm's exposure to data breaches, non-compliance and other areas of risk. Work with Firm departments, Firm clients and General Counsel to address information security concerns.
Respond to client and Firm security audits and provide input on RFPs as needed.
Work with clients and Firm departments to track and implement outside counsel guidelines, regulatory compliance requirements and other restrictions related to accessibility and protection of information.
Lead firm activities to achieve and maintain compliance with information security standards such as state and federal privacy laws, ISO 27002/1, etc.
Coordinate Firm’s operational response to all information security incidents. Work with vendors and other parties to resolve issues related to such incidents.
Report on information security incidents to Firm Management.
Review and opine on all changes to firm systems, applications and policies that may affect the security of Firm and client information.
Advise the Firm on current information, threats and mitigation practices/tools related to information security and regulatory compliance issues.
Develop an annual security plan. Monitor systems, processes, and practices for deviation from the plan.
Work with IT Team to monitor, across diverse platforms, specific activities as they occur.
Analyze security analysis reports for security vulnerabilities and recommend practical and measurable mitigation options.
Develop, maintain and publish security standards, procedures and guidelines. Monitor alignment to those standards.
Lead deployment and operation of security related infrastructure.
Monitor internal control systems to ensure that appropriate information access levels are maintained.
Assist with resolution of escalated incidents.
Conduct tabletop exercises to train IT staff, identify operational gaps and document remediation processes.
Help the Firm instill an information security risk-aware culture.
Measure and report on effectiveness and efficiency of security activities and capabilities.
Oversee IT security throughout entire lifecycle of production systems.
Develop and lead information security projects, manage vendor and third-party activities, etc.
Skills and Experience
Ability to diagnose issues, break down information and identify pertinent issues and use the distilled information to create actionable mitigation plans quickly.
Experience with leading ad-hoc multidisciplinary teams to resolve urgent issues.
Working knowledge of how a law firm operates, OCGs, etc.
Experience with making sound and quick decisions in crisis situations.
Experience with tracking details and managing complex projects.
Proven ability to meet challenging deadlines.
Demonstrated ability to prioritize tasks and effectively handle multiple responsibilities in a multifaceted environment.
Strong work ethic with excellent use of discretion and judgment.
Excellent written communication skills. Experience with writing Information Security policies and guidelines.
CISSP or other major security certification highly desired.
5 plus years of work experience leading information security in a large multi-location organization.
Prior experience managing an Information Security team in a law firm or a professional services organization is strongly desired.