Senior Manager, Information Security - Hybrid
The Senior Manager, Information Security reports to the Chief Information Officer and leads a highly collaborative and results-oriented team tasked with developing and implementing a comprehensive information security strategy to safeguard the firm's sensitive data, intellectual property, and client information. This strategic leader will collaborate with internal stakeholders, legal professionals, and IT teams to ensure the confidentiality, integrity, and availability of our information assets. The Senior Manager, Information Security, will also play a critical role in overseeing and managing relationships with third-party vendors to ensure that the firm's cybersecurity standards are upheld throughout the supply chain.

RESPONSIBILITIES

1. Security Strategy and Planning:
   • Develop and implement a robust information security strategy aligned with the firm's business goals and regulatory requirements.
   • Evaluate and assess the firm's current security posture, identifying vulnerabilities and recommending appropriate measures for improvement.
   • Conduct security best practice analysis of: servers; group policy; desktops/laptops; applications; mobile devices, routers/switches; firewalls; and printers.
   • Develop least privilege access policy relative to requirements for Windows environment and audit file share access permissions.
   • Assist with completion of “Project Security & Privacy” template.
2. Risk Management:
   • Conduct risk assessments and regularly update risk profiles to proactively address potential threats and vulnerabilities.
   • Collaborate with legal teams to ensure compliance with industry regulations and client-specific security requirements.
3. Incident Response and Management:
   • Establish and maintain an incident response plan to effectively respond to and mitigate security incidents.
   • Lead investigations into security breaches and incidents, providing timely and accurate reports to executive leadership.
   • Collaborate with vendors to develop and test incident response plans, ensuring a coordinated and efficient response in the event of a security incident.
   • Clearly define the roles and responsibilities of both the vendor and the law firm in the event of a data breach or other security events.
4. Security Awareness and Training:
   • Develop and deliver ongoing cybersecurity training programs for employees to enhance awareness and promote a culture of security.
   • Foster a proactive security mindset across the organization.
5. Technology Evaluation and Integration:
   • Stay abreast of emerging security technologies and trends, evaluating their relevance and potential impact on the firm.
   • Collaborate with IT teams to integrate security measures into technology infrastructure and applications.
6. Vendor Management: By actively managing vendor relationships in this comprehensive manner, the Senior Manager, Information Security ensures that the entire ecosystem surrounding the law firm operates with a unified commitment to information security, safeguarding not only the firm's data but also the data entrusted to it by clients and other stakeholders.
   1. Risk Assessment and Due Diligence:
      • Conduct thorough risk assessments of potential vendors before engagement, evaluating their cybersecurity practices and assessing their ability to safeguard sensitive information.
      • Implement a due diligence process that includes evaluating the vendor's security policies, incident response capabilities, and overall cybersecurity posture.
   2. Contractual Agreements:
      • Work closely with the legal team to incorporate robust cybersecurity clauses into contracts with vendors. These clauses should outline specific security requirements, standards, and expectations.
      • Ensure that vendor contracts include provisions for regular security audits and assessments to monitor compliance.
   3. Security Audits and Assessments:
      • Periodically audit and assess vendor security controls and practices to ensure ongoing adherence to contractual agreements and industry standards.
      • Collaborate with internal audit teams or external experts to conduct comprehensive assessments of critical vendors.
   4. Continuous Monitoring:
      • Establish mechanisms for continuous monitoring of vendor activities related to information security.
      • Implement tools and processes to track and evaluate changes in the vendor's security posture over time, promptly addressing any identified risks or vulnerabilities.
   5. Regular Reporting and Communication:
      • Provide regular updates to executive leadership on the status of vendor security, highlighting any emerging risks or areas of improvement.
      • Establish open lines of communication with vendors to address concerns, share best practices, and foster a collaborative approach to cybersecurity.
   6. Contract Renewals and Review:
      • During contract renewals, revisit and update cybersecurity clauses based on changes in the regulatory environment, industry standards, or the firm's own security policies.
      • Evaluate the vendor's performance against cybersecurity metrics and consider this information when deciding on contract renewals.
   7. Training and Awareness:

• Provide guidance and training to vendors on the firm's security policies and expectations.
• Foster a shared responsibility for security, encouraging vendors to adopt a proactive approach to cybersecurity.

QUALIFICATIONS

• Proven experience as an Information Security Manager or in a senior leadership role within information security.
• Strong understanding of cybersecurity frameworks, principles, technologies, and best practices.
• Strong understanding of ISO security and privacy standards. (ISO 27001/27701)
• Familiarity with relevant legal and regulatory requirements.
• Excellent communication and interpersonal skills.
• Strong team-orientation and ability to collaborate across business segments and with personnel at all levels of the organization.
• High-level presentation skills.
• Very strong leadership, analytical, project management, negotiation and problem solving skills.
• Proven management skills and demonstrated ability to foster an inclusive team where everyone has opportunities to develop and succeed.
• Experience with successfully leading, developing, and managing change management initiatives that served to advance organizational information security performance.
• Maintain expert understanding of key market trends in functional area.
• Demonstrated critical thinking skills.
• Preferred certifications include:
  • Certified Information Systems Security Professional (CISSP)
  • Certified Authorization Professional (CAP)
  • Certified Information Security Manager (CISM)
  • GIAC Security Leadership (GSLC)
• Bachelor’s and/or Master’s degree in Information Security, Computer Science, or a related field.

To Apply: Please email resume to: cfleck@chelsearecruiters.com