The California Public Employees’ Retirement System (CalPERS) is seeking an executive (Career Executive Assignment) to provide direction and policy guidance to CalPERS’ Information Security Office, the Information Technology Services Branch (ITSB) and the enterprise.
The CISO, who will report to CalPERS’ general counsel, will have “broad authority and management responsibility for protecting the privacy, confidentiality, integrity and availability of CalPERS information and services,” says the duty statement for the position. “The CISO aligns services responsible for information security, privacy and security operations to enable CalPERS business objectives within acceptable levels of security and privacy risk.”
The position has been open since February, when the former CISO, Liana Bailey-Crimmins, was appointed state chief technology officer and moved to the California Department of Technology.
Responsibilities of the CISO role include:
- Administration of a strategic, comprehensive information security and privacy program to ensure appropriate levels of confidentiality, integrity, availability and privacy of information assets owned, controlled and/or processed by CalPERS. Creation of “a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.” (40 percent);
- Oversees the information security and privacy governance structure through the hierarchical governance program, including the Information Security Steering Committee. Provides regular reporting on the status of the information security program and emerging risks to enterprise risk teams, senior business leaders and the Board of Administration as part of a strategic enterprise risk management program. (25 percent)
- Manages and provides policy direction for the CalPERS privacy program, balancing privacy and business usage for information relating to CalPERS members, business partners and stakeholders. Improves the use of the data to drive security and protection to CalPERS, its members, employees and third-party associates. (20 percent)
- Create internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment. Maintain external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks. Serve as a liaison with external agencies, such as law enforcement and other advisory bodies, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies. (15 percent)
Because the position comes with access to sensitive information, applicants are subject to background checks and financial-disclosure rules.
The requirements for the position include:
- Minimum of seven to 10 years of experience in a combination of risk management, information security and IT jobs (at least five in a senior leadership role).
- The ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists.
- Knowledge and understanding of relevant legal and regulatory requirements such as Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard.
- Project management skills: financial/budget management, scheduling and resource management.
- Knowledge of common information security management frameworks, such as International Standard Organization/International Electrotechnical Commission (ISO/IEC) 27001, Control Objectives for Information and Related Technology (COBIT), as well as those from the National Institute of Standards and Technology (NIST), including 800-53 and Cybersecurity Framework.
- Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials.
The CISO position has a monthly salary range of $10,831 to $12,903, and the recruitment will remain active until the position is filled. For more information, see the job posting or contact Veronica Ortiz-Torres.
