Company: C3 AI
Address: Redwood City, CA
Form of work: Full-Time
Category: Information Technology

Job description

C3 AI is seeking an Information Security expert to own and lead the Information Security program at C3 AI. As the Head of Information Security, you will be responsible for protecting the organization's assets, applications, systems, and technology while enabling and advancing business initiatives.

Responsibilities:

Security Architecture & Strategy

  • Develop, implement, and monitor a comprehensive enterprise cybersecurity and IT risk management program, leveraging secure processes, procedures, and systems used to prevent, detect, mitigate, and recover from cyberattacks.
  • Build and drive a cybersecurity strategy and framework, with initiatives to secure the organization's cyber, information and technology assets while providing leadership to the enterprise's Information Security organization.
  • Formulate best practices and set security standards, while preparing and documenting Information Security policies, procedures and protocols.
  • Lead security assessment processes of internal assets, encompassing penetration testing, vulnerability management, and secure software development.
  • Analyze the costs, value, and risks of cybersecurity activities and recommend actions within a budget.

Threat Management & Mitigation

  • Continuously evaluate and manage the cyber and technology risk posture of the organization.
  • Proactively spot security issues and threats, devising robust processes and systems to safeguard against them.
  • Manage a robust incident management process.
  • Convey Information Security and data privacy operational goals, relaying their impact to stakeholders.
  • Keep ahead of security needs by implementing programs or projects that mitigate risks.
  • Ensure that all internally written code is cyber secure by performing regular application security and penetration tests.
  • Conduct real-time analysis of immediate threats, triage and remediate as necessary.
  • Lead cybersecurity operations and implement disaster recovery protocols and business continuity plans with business resiliency in mind.
  • Make sure that data and intellectual property are safe from external and internal threats.
  • Lead security incident investigations and forensic data collection activities during a security breach and conduct post-mortem exercises to prevent reoccurrence.
  • Act as the focal point for security incident response planning and cyber security breach remediation.

Security Operations and Awareness

  • Lead the effort for conducting vulnerability scans, reviews, and remediation activities to ensure a secure environment and to ensure that the products and services that C3.ai develops are secure.
  • Manage the ongoing security awareness training and education program for employees.
  • Provide leadership, foster a culture of cybersecurity awareness, and ensure continued training and development.

Governance

  • Implement and manage the cyber governance, risk, and compliance frameworks and processes.
  • Lead compliance endeavors, including external audits, regulatory compliance initiatives, and overarching security evaluations.
  • Collaborate with the Security Committee to develop and implement Information Security policies, standards, procedures, and guidelines.
  • Interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems, and services.
  • Partner with business stakeholders across the company to raise awareness of risk management concerns and assist with business technology planning.
  • Conduct and lead Information Security risk assessments, support audits (SOC 2, HIPAA, ISO 27001/27017, Cyber Essentials), and select controls to mitigate risks.
  • Work with the legal/privacy teams to ensure compliance with privacy regulations.

Stakeholder & External Communication

  • Report on cybersecurity to business leaders, the board of directors, or senior executives, covering the organization's cybersecurity risk profile and posture, notable cybersecurity incidents, and improvement programs.
  • Engage with outside stakeholders, including customers, vendors, partners, compliance bodies, and other legal/regulatory authorities.
  • Deliver strategic risk guidance, evaluating and suggesting technical standards and controls.
  • Work with executive leadership to determine acceptable levels of risk for the organization.
  • Work with the most senior levels of the organization to liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture.
  • Communicate with executive leadership on IT risk issues and the security program.

Qualifications: 

  • Bachelor's degree in computer science, Information Management Systems, Cybersecurity or related field. Advanced degree preferred.
  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials. CCNA, CEH, ISO27001 auditor or implementer experience is a plus.
  • Minimum 10 years of experience in Information Security management.
  • Significant experience in leading an Information Security program with a deep understanding of Information Security and compliance frameworks such as COBIT, ISO27001/27017, NIST, SOC 2, HIPAA, etc. Knowledge of government-related security frameworks such as FedRAMP and CMMC is a plus.
  • Knowledge of privacy regulations/legislation such as GDPR, CCPA/CPRA.
  • Experience with contract and vendor negotiations and management including managed services.
  • Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate Information Security and risk-related concepts to technical and nontechnical audiences at various levels in the company.
  • Strong leadership abilities, with the capacity to articulate and implement a strategic vision for the organization's security posture.
  • Proficiency in cyber security tools, especially endpoint security solutions, intrusion prevention systems, data loss prevention systems.
  • Experience with and understanding of vulnerability assessment, application security testing and penetration testing tools and services.
  • Proficient in leading security incident investigation and response.
  • Well-versed in cloud technology and security, including GCP, Azure and AWS security, Office 365 security, cloud DLP.
  • Knowledge of industry-standard software development practices.
  • Hands-on experience in security assessment, cloud architecture, threat modeling, and policy writing.
  • In-depth comprehension of secure SDLC, DevSecOps, or security automation.
  • Ability to communicate effectively with customers and other external Information Security and privacy professionals.

Candidates must be authorized to work in the United States without the need for current or future company sponsorship.

Refer code: 7904130. C3 AI - The previous day - 2024-01-25 17:52
