JOB DESCRIPTION

TRS is seeking a seasoned and strategic Chief Information Security Officer (CISO) to lead and elevate it’s Information Security and Business Continuity programs. This is a critical leadership role within a well-established discipline; continuity and forward-thinking guidance are essential to ensuring ongoing protection of TRS’ mission-critical functions.
The ideal candidate is a versatile, decisive leader with deep expertise across all areas of information security, including policy development, risk assessments, regulatory audits, incident response, training, and third-party/vendor risk management. The CISO will collaborate closely with IT and business leaders and must be comfortable navigating both technical and strategic responsibilities.
Reporting to the Chief Risk Officer, this position leads a small, high-performing team within the Risk Management Department and requires a hands-on leader who can make risk-informed decisions under pressure while continuously maturing the agency’s security posture.

Responsibilities:

• Lead and continuously enhance the agency’s Information Security and Business Continuity programs, ensuring strategic alignment with IT architecture, security engineering, and operational frameworks in accordance with NIST, ISO, and applicable state regulatory standards.
• Serve as a technical and trusted advisor on Information Security and Business Continuity to IT, Legal, and business units, embedding security and resilience into systems, contracts, and daily operations.
• Participate in technical planning and understand impact to organization.
• Conduct and oversee cybersecurity risk assessments, vendor risk reviews, and responses to internal and external audits.
• Lead and coordinate the end-to-end lifecycle of security incidents, from initial detection and investigation, to containment, forensics, and lessons-learned reporting. Serve as the technical escalation point for complex incidents.
• Maintain, test, and continuously improve business continuity and disaster recovery plans across critical operations, including data backup, replication strategies, and system failover procedures.
• Supervise and mentor a small, high impact team; ensuring coverage for both strategic planning and monitoring.
• Design and enforce technical policies, security configuration baselines, and automated compliance monitoring across hybrid infrastructure (on-premises and cloud environments).
• Design and lead a targeted security awareness program, promoting ownership and accountability across the organization.
• Monitor, track, and report on key risk indicators (KRIs), threat trends, control effectiveness, and program maturity metrics.
• Partner with auditors, regulators and external partners, to ensure compliance and manage remediation efforts.
• Engage with third-party vendors and service providers to assess security status and identify vulnerabilities.
• Stay current with emerging cybersecurity, privacy, and resilience trends, proactively integrating best practices and evolving threats into the agency’s strategic roadmap.
• Perform additional related duties as assigned by the Chief Risk Officer.

MINIMUM QUALIFICATIONS

1. A baccalaureate degree from an accredited college or university including or supplemented by 12 credits in mathematics, statistics, accounting, and/or actuarial science and four years of satisfactory full-time experience implementing the provisions of a retirement plan involving the use of mathematical, statistical, actuarial or accounting computations, 18 months of which must have been in an administrative, managerial or executive capacity or supervising professionals implementing the provisions of a retirement plan involving the use of mathematical, statistical, actuarial or accounting computations; or
2. An associate degree or 60 credits from an accredited college or university, including or supplemented by 12 credits in mathematics, statistics, accounting and/or actuarial science and six years of satisfactory full-time experience as indicated in “1”; or
3. Education and/or experience equivalent to “1” or “2” above. However, all candidates must have 60 credits from an accredited college or university, including or supplemented by 12 credits in mathematics, statistics, accounting and/or actuarial science and the 18 months of experience in a supervisory, administrative, managerial or executive capacity as described in “1” above.

PREFERRED SKILLS

• A baccalaureate degree from an accredited college including or supplemented by 12 semester credits in mathematics, statistics, accounting, economics, finance, data analytics, project management, business administration, public administration and/or actuarial science. - Minimum 6 years of relevant IT/InfoSec experience as above, including at least 18 months in a managerial role. - Minimum 5 years of hands-on experience managing or supporting Information Security and/or Business Continuity programs. - Proven ability to lead through complex security incidents, audits, and regulatory events. - Experience in public sector environments preferred. - Required certification: CISM or CISSP - Preferred certifications: CRISC, CDPSE, CBCP, or equivalent industry-recognized credentials. - Working knowledge of key security and compliance frameworks such as NIST, ISO 27001, and state/local regulatory standards. - Demonstrated success managing multiple concurrent initiatives and working autonomously in high-responsibility roles. - In-depth knowledge of Information Security, Cyber Risk Management, and Business Continuity planning. - Strong interpersonal skills, with the ability to influence cross-functional stakeholders and drive consensus without direct authority. - Exceptional communication skills, with the ability to effectively communicate technical and risk related concepts to executive leadership, non-technical stakeholders, and board-level audiences. - Demonstrated experience in designing and implementing security awareness and training programs, incorporating principles of adult learning and behavior-change. - Familiarity with GRC platforms and risk dashboards is a plus.

• Lead and continuously enhance the agency’s Information Security and Business Continuity programs, ensuring strategic alignment with IT architecture, security engineering, and operational frameworks in accordance with NIST, ISO, and applicable state regulatory standards.
• Serve as a technical and trusted advisor on Information Security and Business Continuity to IT, Legal, and business units, embedding security and resilience into systems, contracts, and daily operations.
• Participate in technical planning and understand impact to organization.
• Conduct and oversee cybersecurity risk assessments, vendor risk reviews, and responses to internal and external audits.
• Lead and coordinate the end-to-end lifecycle of security incidents, from initial detection and investigation, to containment, forensics, and lessons-learned reporting. Serve as the technical escalation point for complex incidents.
• Maintain, test, and continuously improve business continuity and disaster recovery plans across critical operations, including data backup, replication strategies, and system failover procedures.
• Supervise and mentor a small, high impact team; ensuring coverage for both strategic planning and monitoring.
• Design and enforce technical policies, security configuration baselines, and automated compliance monitoring across hybrid infrastructure (on-premises and cloud environments).
• Design and lead a targeted security awareness program, promoting ownership and accountability across the organization.
• Monitor, track, and report on key risk indicators (KRIs), threat trends, control effectiveness, and program maturity metrics.
• Partner with auditors, regulators and external partners, to ensure compliance and manage remediation efforts.
• Engage with third-party vendors and service providers to assess security status and identify vulnerabilities.
• Stay current with emerging cybersecurity, privacy, and resilience trends, proactively integrating best practices and evolving threats into the agency’s strategic roadmap.
• Perform additional related duties as assigned by the Chief Risk Officer