Stanford University seeks an accomplished and strategic leader to serve as its University Chief Information Security Officer (CISO) and provide Stanford-wide leadership in information security strategy and operations. Through central and distributed staff, the CISO provides the overall direction and priorities for information security programs, including policy development, awareness, annual security assessments, vendor risk evaluation, risk mitigation, network traffic analysis, and regulatory compliance. The CISO convenes the Stanford CISO Council, which includes the CISOs from Stanford Medicine and the SLAC National Accelerator Laboratory and information security leaders from academic units. Additionally, the CISO serves on the University IT Leadership Team, the senior staff of the Office of the Chief Risk Officer, the university's CIO Council, and the Stanford Privacy Governance Council.
The CISO brings Stanford stakeholders together in a commitment to best practices in information security that appropriately balances mission, risk, and compliance expectations. Inspiring active collaboration among an array of partners, the CISO also provides university-wide leadership related to information security policy, roadmaps, investments, and programs. The CISO advocates for the University's comprehensive information security needs and works with academic, business, and technology leaders across the university, including information security leaders in schools and distributed units, the Office of the General Counsel, the Office of the Chief Risk Officer, and the University Privacy Office, to assess and manage risks while balancing security strategies with other institutional priorities.
Reporting to the Chief Information Officer with a dotted-line reporting relationship to the Chief Risk Officer, the CISO leads the Information Security Office (ISO), which manages core information-security activities across the university.
Responsibilities
Provide vision and leadership to ensure the University's information security programs adequately protect information assets, appropriately balance security strategies and university priorities in ways consistent with the risk posture of the university, and incorporate evolving directions and best practices in information security consistent with industry standards.
Play a leading role in the development of university-wide strategies, policies, and practices regarding information security, educating constituents as to their value while promoting their broad adoption and verifying adherence to agreed-upon standards. Effectively collaborate with faculty in various strategic and consultative capacities to vet and enhance policy.
Work with university leadership, the Privacy Office, and various Stanford governance groups to implement and manage policies, practices, and programs in support of information security strategy, while working collaboratively with security staff Stanford-wide.
Advise the University CIO, Chief Risk Officer, and other senior university leaders on information security directions, policy, and resource requirements. Regularly report to university senior leaders on the status of the information security programs, education awareness, events and incidents, and information security trends.
Actively engage with the CIO Council to collaborate on the direction of IT process and data security to reinforce responsibilities and accountability in the decentralized university environment. Maintain a close working relationship with key university offices (e.g., the Office of the General Counsel, Office of the Chief Risk Officer, Office of the Dean of Research, etc.) to review security and privacy programs in light of legal, regulatory, and other business considerations.
Collaborate with colleagues in the schools, hospitals, SLAC, and business units on information security issues related to the development, implementation, and maintenance of university information technology services, both hosted locally and in the cloud.
Lead and develop team members to be domain experts and trusted partners to colleagues in UIT and across Stanford.
Provide guidance and direction to the information security staff of Stanford's schools, departments, and functional areas such as finance, student affairs, and auxiliary services.
Perform various management functions related to the Information Security Office, including budgeting, vendor evaluations, and personnel management.
Promote continual investment in ISO as a center of excellence in information security. Develop and maintain a rolling multi-year business plan to resource the University's information security needs; communicate with budget leaders the value and impact of requested security investments. Set priorities and direct the implementation of new information security solutions that have university-wide impact.
Evolve Stanford's model for identifying and mitigating security vulnerabilities, responding to incidents, and recovering from security incidents. Lead Stanford's response during significant security incidents and effectively engage with and provide updates to highest level stakeholders.
Work with partner groups to align attack and penetration testing and security assurance programs with overall approaches to enterprise risk management. Stay abreast of information security issues and trends, emerging solutions, and regulatory changes, especially those affecting higher education, and incorporate them into strategic direction-setting.
Serve as a subject matter expert for regulatory requirements and compliance issues as applied to technology (e.g. DMCA, CMMC, FISMA, GDPR, HEOA P2P, HIPAA, PCI, other).
Provide thought leadership and outreach and education programs to inform investments made and practices managed across Stanford. Report regularly to the university community on developments in information security in order to increase understanding of, engagement in, and compliance with established standards and emerging best practices.
Represent Stanford in national and inter-institutional conversations relevant to information security to support knowledge-sharing, resource development, and vendor engagement.
Qualifications
Stanford's CISO will be an adaptable, innovative leader with the capacity to establish and deliver a measurable value proposition to campus partners and customers within the overall vision for Stanford's role in advancing the university's teaching, research, and healthcare mission. The CISO leads through trust, influence, subject-matter expertise, collaboration, and governance more than positional authority.
Success in the role requires a range of qualities and experiences and a core set of interpersonal skills that enable success in the university's decentralized organizational environment:
Undergraduate degree or equivalent combination of training, education, and experience
10 years of experience in information-security policy or operations
Experience developing and managing information security programs and a proven track record of implementing organization-wide solutions that protect information assets
A solid understanding of information security and data privacy concepts, threats, and technologies, including industry standards and best practices
Knowledge of relevant legal and regulatory requirements related to data and information security
A track record of advancing equity, inclusion, and diversity
A track record of recruiting, directing, motivating, and guiding the development of a team of information security professionals
Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security- and risk-related concepts to technical and non-technical audiences, including executive leadership and governing board members
Comfort with ambiguity
Experience in developing and implementing information security practices in a diverse, highly decentralized ecosystem
Preference for experience leading in an academic environment
University IT
University Information Technology (UIT), a unit of Business Affairs, is responsible for the strategy, planning, and delivery of information technology, and for convening the IT leaders of Stanford University, Stanford Medicine, and SLAC organizations through the CIO Council to create an overarching IT-wide vision for the role of IT as well as for shared goals, standards, and ambitions established in the Campus IT Plan relative to the promise, potential, cost, and risks of information technology. Led by Steve Gallagher, University Chief Information Officer, UIT strives to maintain agility, anticipating and adapting to the needs of the university, evolving at the leading edge of the global technology landscape, and delivering on its commitment to being user-focused, collaborative, innovative, and transparent.
The divisions comprising UIT include:
Client Experience and Solutions. User-facing services and associated enabling technologies. The front face of UIT service, helping clients acquire and use technology successfully.
Enterprise Technology. Implements and maintains information systems that support university operations. In addition, this unit partners with schools, business units, and cross-functional groups to identify and implement efficient, cost-effective IT solutions.
IT Infrastructure. All on-premise enterprise data center and communications facilities engineering, as well as all enterprise data networking, communications, and related supporting technologies.
Research Computing. A joint effort with the Dean of Research and UIT to build and support a comprehensive program to advance computational research at Stanford. This includes offering and supporting traditional high-performance computing systems as well as systems for high throughput and data intensive computing.
Service Strategy. Coordinates multiple integrated processes to support the proactive management of the UIT service portfolio, project management processes, vendor management services, and financial management.
Information Security Office. Provides services to protect the information assets of importance to Stanford.
Office of the CIO. Integrates and coordinates internal governing processes and a university IT governance framework, defines the organizational vision, develops and delivers strategic messaging and communication, and sustains alignment and consistency.
Office of the Chief Risk Officer
The Office of the Chief Risk Officer, a unit of Business Affairs, strives to be a valued partner and advisor to management, faculty, and the Audit, Compliance, and Risk Committee of the Board of Trustees.
The departments comprising OCRO include:
Internal Audit. Provides independent, objective assurance and consulting services designed to add value and improve the operations of Stanford University and the Stanford University Hospitals. Brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Ethics and Compliance. Coordinates the University's ethics and compliance activities, including chairing the Compliance, Ethics and ERM Steering Committee and coordinating the activities of the Compliance Officers' Network (now known as the Compliance and Risk Administrators Network). Assesses the adequacy of compliance activities, evaluates overall program effectiveness, and recommends and implements modifications to the program as necessary. Administers an Ethics and Compliance Helpline and oversees and coordinates investigations of potential misconduct. Reports results of ethics and compliance program activities to senior management and the Audit, Compliance and Risk Committee of the Board.
Privacy Office. Promotes Stanford's commitment to protecting the privacy of the University's community including its students, alumni, faculty, staff, research participants, and affiliated parties.
Office of Risk Management. Evaluates risk from the standpoint of the entire University, rather than a single department or area; eliminates or modifies conditions or practices, wherever practical, which may cause loss; assumes risks whenever the amount of potential loss would not significantly affect the University's financial position; and purchases insurance from whatever source (agent, broker, or insurance company) is deemed to be in the best interests of the University.
Enterprise Risk Management. Coordinates the University's enterprise risk management efforts to provide a framework and processes for the identification, assessment, mitigation and monitoring of risks to the achievement of the University's mission and goals.
Information Security Office (dotted line). Provides services to protect the information assets of importance to Stanford.
The job duties listed are typical examples of work performed by positions in this job classification and are not designed to contain or be interpreted as a comprehensive inventory of all duties, tasks, and responsibilities. Specific duties and responsibilities may vary depending on department or program needs without changing the general nature and scope of the job or level of responsibility. Employees may also perform other duties as assigned.
Consistent with its obligations under the law, the University will provide reasonable accommodation to any employee with a disability who requires accommodation to perform the essential functions of his or her job.
Stanford is an equal employment opportunity and affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law.
Why work at Stanford? Stanford University has changed the world, over and over again. We are one of Silicon Valley's largest employers, and also one of the most unique. Our mission is to educate future leaders and promote interdisciplinary, world-class research and teaching. This passion makes Stanford an intensely creative, rewarding, and challenging place to work. At the same time, our traditions of respect and collaboration sustain a humane, supportive environment in which to pursue your life and your career. At Stanford you'll work with bright, diverse, dedicated people. You'll find encouragement to learn and grow. You'll enjoy excellent benefits and an outstanding environment. How will it change you?