Company: York Iso

Address: New York, NY
Form of work: Other
Category: Information Technology

Job description

The New York Independent System Operator (NYISO) manages the efficient flow of electricity on more than 11,000 circuit-miles of high-voltage transmission lines, dispatching power from hundreds of generating units across the state.
The Manager, Security Governance provides leadership and direction to the Security Governance, Risk, & Compliance team, with responsibility to ensure the NYISO's security program, including all policies, processes, and controls, is operating as expected to provide security and compliance with mandatory regulatory requirements and security frameworks, including NERC Critical Infrastructure Protection (CIP) Reliability Standards, CIS Critical Security Controls, NIST, and SSAE-18 (SOC1).
The Manager, Security Governance implements and oversees programs that drive strong organizational regulatory compliance and serves as the organizational subject matter expert on interpretation and application of NERC CIP Standards regulatory requirements. The Manager, Security Governance develops and leads Security Governance programs that are designed to ensure security controls, processes, and technologies are effective, well-controlled, and continuously performing as expected to protect the organization. The Manager, Security Governance serves as the expert and point of contact for internal stakeholders and external constituencies and may prepare, in collaboration with internal and external subject matter experts, comments, position statements and responses to third-party filings, orders and other issuances from regulatory agencies such as the Federal Energy Regulatory Commission (FERC), Northeast Power Coordinating Council (NPCC), Department of Energy (DOE) and Department of Homeland Security (DHS).
The Manager, Security Governance develops and executes the NYISO cyber security risk management program, including security risk assessment and mitigation activities, and maintenance of the security risk register.
The Manager, Security Governance owns and is responsible for NYISO's supply chain cyber security risk management program; responsibilities include program development and execution of the processes and controls that minimize cyber risk introduced through vendor products and services; activities including vendor security risk assessments, negotiating security contract terms, and other interactions with vendors, suppliers, and external partners.
The Manager, Security Governance is responsible for NYISO's information protection program, including program development, oversight of processes and controls that minimize the risk of disclosure of NYISO's sensitive information and data; and activities including process and control development, training, and other activities as required.
The Manager, Security Governance provides oversight and administration of applicable corporate policies, processes, and procedures.
ESSENTIAL DUTIES and RESPONSIBILITIES

  • Leads the NYISO's centralized NERC Critical Infrastructure Protection (CIP) Reliability Standards compliance program, including administration, program planning, audit support, oversight of ongoing activity, process improvements, coordination with NERC/NPCC, and metrics & reporting of organizational performance. Works closely with others at the enterprise level to ensure the NERC CIP Standards program seamlessly integrates with other NYISO functions, including IT infrastructure, operations, and software development.
  • Ensures a high level of organizational NERC CIP Standards compliance through effective design and management of controls, as well as compliance assurance programs that ensure a focus on NERC CIP Standards across the organization. Develops and leads cross-functional teams to achieve ongoing, compliance-oriented improvements to processes and controls, as well as to investigate and report on any instances of potential non-compliance. Communicates instances of potential non-compliance to senior leadership and Board members through both verbal and written methods as required.
  • Ensures security programs, processes, controls, and technologies are effectively designed, implemented and maintained as expected to ensure they are performing to fulfill their intended function.
  • Administers NYISO security policies including development of new policies, maintenance of current policies, and retirement of deprecated and/or obsolete policies. Applies a combination of security insight and strong writing skills to create policies and other security guidance that is clear and relevant for the entire NYISO organization.
  • Acts as a liaison to regulating bodies to ensure timely and accurate reporting of compliance activities, including coordination of audits, spot checks, data requests, and communication of any compliance exceptions or violations. Establishes and maintains strong relationships with NERC, NPCC, and other industry entities on behalf of the NYISO. Maintains a formal record of all NERC CIP Standards compliance activities and communications.
  • Leads the NYISO IT & Security response to regulatory inquiries including Notices of Proposed Rulemaking, Requests for Comments, and other similar activities. Facilitates discussions to develop a common position with other departments and documents the NYISO response.
  • Represents the NYISO on NERC CIP Standards and other critical infrastructure subject matter throughout the electric industry, including engagement with regulators, utilities, transmission owners, LSEs, government and other stakeholders.
  • Oversees information protection and governance activities, including controls over creation, storage, transmission and destruction of sensitive, confidential, or proprietary information with the objective of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
  • Develops and oversees programs that minimize cyber security risks introduced through the NYISO supply chain. Works with Procurement to facilitate security risk assessments, and works closely with business partners, Procurement and solution delivery teams to ensure partner agreements protect the NYISO's interests. Works closely with Legal to develop and implement security contract language to enforce strong cyber and physical security practices with external partners.
  • Oversees security risk management processes, including maintenance of the security risk register.
  • Manages the Security Governance staff including performance management, performance reviews, recruiting, employee training and development.
  • Provides NYISO Executives, Management, Stakeholder Groups, and Board Members with timely and appropriate risk mitigation information and advice on NERC CIP Standards compliance or security-related matters, including periodic reports on the state of NERC CIP Standards compliance.
  • Advises IT staff on regulatory compliance and drives improvements to processes and technology to better support organizational compliance goals.
  • Champions a culture of security, compliance and resiliency by advocating the development of effective and appropriate industry standards, regulations, and policies consistent with secure and reliable operation of the New York BES.
  • Demonstrates executive-level communication skills by providing professional, well-written reports, papers, and other memoranda. Interacts with others at all levels of the organization, including the Board of Directors and Executive Leadership Team, through a clear and effective oral communication style. Provides engaging and polished presentations to both internal and external stakeholders, and actively seeks to engage and establish relationships with key business partners.
SUPERVISORY RESPONSIBILITIES
This position does possess supervisory responsibility and there are non-supervisory employees who report to this position.
EDUCATION
Bachelor's degree (BS) in Management, Computer Science, Information Technology, or related field is required. Master of Science, MBA, or other advanced degree is preferred. Significant relevant experience may be considered in lieu of degree requirements.
EXPERIENCE
Seven years of progressively more responsible experience in a combination of information security, information technology, or internal/regulatory audit positions, preferably in the energy industry. Demonstrable knowledge of auditing concepts and governance frameworks is required. Prior management experience with information technology, security, or compliance teams is preferred. Demonstrable knowledge of NERC CIP Standards is strongly preferred. Experience with contracts, budgets, and other business functions is preferred.
CERTIFICATES, LICENSES, REGISTRATIONS
  • Professional certification, such as a CISM, CISA or other information security credentials, is preferred but not required.
ADDITIONAL REQUIREMENTS
  • Ability to effectively communicate security and risk-related concepts to technical and nontechnical audiences.
  • Exceptional writing and presentation skills.
  • Knowledge of technological trends and developments in the area of information security and risk management is required. Knowledge of security and control frameworks, such as ES-C2M2, NIST, and ISO27001 is strongly preferred.
  • Project management skills; financial/budget management, scheduling and resource management. Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals. Experience with contract and vendor negotiations.

PHYSICAL DEMANDS
While performing the duties of this job, the employee is regularly required to talk or hear. The employee frequently is required to stand, walk, sit and use hands to perform routine office tasks. The employee is occasionally required to reach with hands and arms. The employee must occasionally lift and/or move up to 15 pounds. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
WORK ENVIRONMENT
The noise level in the work environment is usually moderate. Contact with staff and public will occur. Travel may be required to attend and/or conduct meetings, conferences and training. This position may require work on nights, weekends or holidays.
The NYISO takes pride in recruiting, developing and retaining highly talented individuals. In addition to competitive salaries, we offer a comprehensive benefits package and innovative reward programs.
The NYISO offers the flexibility to work both in the office and remotely, providing our employees with an enhanced work life balance. While the majority of the responsibilities of this role can be performed remotely, in most cases, employees will have periodic on-site requirements based on business needs.
All offers of employment will be made contingent upon the successful completion of a drug screening and background check.
The NYISO is an Equal Opportunity Employer and as such, does not discriminate in its hiring or employment practices.
Salary Range
$124,200 - $215,400 USD
Refer code: 9070131. York Iso - The previous day - 2024-04-17 21:17
