Cyber Security, Information Systems Security Officer (ISSO)

Conexon is a rapidly growing company working with Rural Electric Cooperatives to build advanced fiber to the home (FTTH) networks nationwide. We are currently looking for a Cyber Security, Information Systems Security Officer to join the IT team.

As a Senior ISSO, you are primarily responsible for the Assessment and Authorization (A&A) process, establishing and maintaining compliance with relevant regulations, standards, and contract requirements related to the NIST Cybersecurity Framework (CSF). You will support the company’s information security, technology, and information risk management. As the Cyber Security ISSO for Conexon, establish and maintain a corporate wide information security management program to ensure information assets are adequately protected. Identify, evaluate, and report on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports Conexon’s risk posture. Support all technology-related risk and compliance issues across the organization including customer privacy, business continuity, identity and access management, data security, and data integrity.

As part of managing the company’s CSF/A&A process, you are expected to draft and update documents in support of security authorization packages, including System Security Plans (SSPs). This includes Risk Assessment Reports, Security Assessment Plans, and Reports, Contingency Plans, Incident Response Plans, Standard Operating Procedures, Plans of Actions and Milestones, Remediation Plans, and Configuration Management Plans. Implement controls to ensure that the organization's practices remain observant to all pertinent laws, regulations, and industry standards. Coordinate audit, exam, and assessment functions with executive management, IT and business unit leadership, regulatory agencies, and audit firms; and lead the effort within IT to appropriately respond to audit/exam findings and recommendations. Oversee the enterprise business continuity planning functions.

This role involves understanding complex digital systems, performing regular security assessments, and developing strategies to mitigate potential risks. The ideal candidate should have a strong technical background, a deep understanding of cybersecurity threats and vulnerabilities, and experience in creating and deploying cybersecurity solutions. With the ability to perform cybersecurity analysis, design, evaluation, and inspection of IT infrastructure.

Principal Accountabilities:

• Lead security authorization activities in compliance with CSF, e.g., NIST, for multiple US federal government programs.
• Design and develop system security plans to include information security controls at the networking, computing, and enclave levels for multiple programs.
• Develop, implement, and monitor a strategic, comprehensive enterprise information security and security controls at the networking, computing, and enclave levels for multiple programs.
• Oversee information security and customer privacy program that includes management of risk assessments, service provider relationships, and incident response. Define and facilitate the information security and customer privacy risk assessment process, including the reporting and oversight of action plans to address findings.
• Assists systems architects, engineers, and developers in the identification and implementation of appropriate information security functionality to ensure uniform application of security policy and enterprise solutions.
• Assess and mitigate system security threats/risks throughout the program life cycle and work with the Systems Administration or Engineering teams to mitigate the risks.
• Oversee continuous monitoring efforts and other program compliance activities.
• Communicate and collaborate with technical and non-technical stakeholders to gather, clarify, prioritize, and validate requirements.
• Ensure that system change requests are aligned with business needs technical feasibility and have no impact on the security posture.
• Leads the evaluation of Cyber Security risks (external & internal threats, platform & application vulnerabilities, data protection, etc.), testing controls designed to mitigate risk, communicating issues and findings to management, devising solutions for business improvements, and following-up on corrective actions, may participate on and lead professional teams to execute technical audit projects focused on evaluating the effectiveness of Cyber Security governance, tools and operations, may evaluate the design, effectiveness and efficiency of information technology and security processes, procedures, and technical controls including solution implementations, identify and address systemic gaps in Cyber Security risk management.
• Responsible for ensuring the appropriate operational security posture is maintained for the information system (IS) on multiple security domains.
• Develops, reviews, evaluates, and verifies self-testing results to validate security requirements.
• Ensure the appropriate organizational operational security posture.
• Review and evaluate the effects on security of system changes, including interfaces with other IT projects and documents all changes. Develops and reviews necessary change management processes and artifacts to support updates to systems.
• Develop, train, test, and refine an incident response plan for security incidents.
• Develop, maintain, and oversee effective disaster recovery planning, policies, and standards to align with enterprise business continuity management program goals.
• Oversee and coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a disaster or security event. Provide direction, support, and internal consulting in these areas.
• Regular attendance is required, working at the worksite during regular business hours and/or assigned hours.
• Other duties as assigned.

Knowledge, Skills & Abilities

• History of cloud compute environment controls and cloud solution management experience
• Demonstrated expert knowledge of information security practices and architecture across public and private cloud and as-a-service solutions.
• Ability to perform work accurately and completely, and in a timely manner.
• Demonstrated expert knowledge of modern security controls, technologies, concepts, and languages.
• Proven history of mature solution design, implementation, documentation, training, and delivery
• Ability to evaluate and communicate information security risk related to enterprise and client assets – Advanced.
• Ability to identify metrics and measure improvement of capability maturity and strategy execution – Advanced.
• Ability to follow-up on inquiries in a timely manner
• Ability to independently manage and lead technical projects.
• Ability to solve complex problems quickly and effectively.
• Ability to build relationships with team members that transcend a project.
• Ability to deliver quality through attention to detail.
• Ability to build relationships and collaborate within a team, internally and externally.
• Excellent communication skills, verbal and written.

Required Qualifications:

• Bachelor's degree in an engineering, or equivalent technical discipline with 10+ years of relevant experience
• Demonstrated knowledge and experience with security evaluation tools and scans to determine system compliance and report results to Customer management.
• Demonstrated domain knowledge of customer systems, networks, and how they interconnect.

Desired Qualifications:

• Current CISSP, Security+, Network+ Certification
• Experience with cloud environments and designing systems to work the cloud.
• System Administrator Security Course (SASC)
• Experience with the tools used to maintain security compliance records and status.