Director IT Security & Risk Management

at Workplace Safety and Insurance Board

Toronto, ON, Canada

Start Date: Immediate
Expiry Date: 18 Jul, 2024
Salary: Not Specified
Posted On: 18 Apr, 2024
Experience: 5 year(s) or above
Skills: Disaster Recovery, Executive Team, Internal Controls, Collaboration, IT Security Operations, Information Security, Project Delivery, Security Audits, Intellectual Property, Business Continuity, IT, Regulatory Compliance, Internal Audit, Oversight, Recovery Plans, ITC
Telecommute: No
Sponsor Visa: No

Description:

Reporting to the Chief Innovation & Technology Officer, this role plans, directs, leads, and manages the activities of IT Security & Risk Management to develop, implement, and maintain a comprehensive cyber security and IT risk program that closely aligns with WSIB’s business objectives and Enterprise Risk Management’s strategy and program, reflects the security posture and risk appetite and tolerance of the WSIB, and provides assurance to the Board of Directors that appropriate IT risk mitigation strategies are in place to preserve business value and meet compliance requirements. This role works with other jurisdictions (federal, provincial and municipal) to share cyber security intelligence and best practices and represents the WSIB at provincial and national cyber security gatherings. It is also responsible for overseeing the development and management of disaster recovery plans for critical applications, and ensuring continuity of IT operations by managing and overseeing IT business continuity plans.
This role is accountable for institutionalizing critical IT cyber security and risk management activities; directly assessing and holistically managing all aspects of cyber security and IT risk brought to bear on the enterprise; directing the planning and implementation of enterprise IT system and business operation defenses against security breaches and vulnerabilities; and providing reports to ITC senior management, Cluster Chiefs, the EC and occasionally the Board of Directors on the current state of risk and remediation activities. This role is responsible for auditing existing systems, while directing the administration of security policies, activities, and standards. This role is also responsible for developing and implementing an enterprise-wide security information, education and awareness program, including development of mandatory onboarding and annual training for all staff as well as periodic testing of awareness status.
As a member of the IT senior leadership team, the Director contributes to the development and execution of ITC’s business strategy, and ensures its alignment with the enterprise’s business strategy and the delivery of capabilities required to achieve business success. The Director develops the strategic IT Security & Risk Management goals and translates them into tactical plans, and provides leadership to ensure goals are attained.
This role is responsible for the development and effective management of the budget for IT Security & Risk Management.
This role is also responsible for identifying emerging issues and trends, and driving innovation and prioritization of initiatives to ensure IT Security & Risk Management is prepared to meet the current and future needs of the organization.
The role reports on emerging issues, trends and status to the Chiefs and EC, and periodically to the Board of Directors.

JOB REQUIREMENTS:

  1. Education requirements:

Responsibilities:

  1. Collaborate with peers to develop ITC’s strategic business plan, as led by IT Strategy & Enterprise Architecture, and identify and recommend programs, projects and initiatives that align with and support corporate strategies; lead the development and articulation of operational plans, goals and objectives for IT Shared Services in support of the ITC strategic business plan, and corporate and cluster initiatives.
  • Lead the development of the IT Security & Risk Management operational plan and roadmap, and ensure its integration with the overall ITC and enterprise strategic plans.
  • Work with the IT senior leadership team on the service portfolio and governance required to prioritize resources.
  • Act as a trusted advisor, and build and maintain relationships with other IT leaders and enterprise executives to develop a clear understanding of needs. Ensure cost-effective delivery of IT security and risk management services to meet those needs, and respond with agility to changing priorities.
  • Leverage influencing and negotiation skills across IT and the enterprise to enable cost-effective and innovative shared solutions in achievement of business goals.
  • Direct the development of IT Security & Risk Management sourcing strategy and provide executive oversight for strategic vendor and partner relationship management within IT Security & Risk Management.
  • Participate in the assessment of external and internal technology capabilities required to achieve desired business strategies.
  • Oversee and manage the development, testing and maintenance of disaster recovery and business continuity plans.
  • Maintain currency on new technologies and platforms, and provide direction on what emerging technologies should be assimilated, integrated and introduced within IT Security & Risk Management to ensure IT capabilities respond to the needs of the enterprise’s business strategy.
  1. Provide strategic direction and oversight for the design, development, and implementation of IT Security & Risk Management programs and plans that fulfill the needs of the enterprise, including policies, procedures, standards, practices, and tools to identify and mitigate all business risks inherent in the use, ownership, operation, and adoption of IT within WSIB.

Maintain oversight and overall accountability for operational performance and compliance with legislative requirements, corporate policy and financial controls.

  • Lead and manage the IT Security & Risk Management functions in: developing and implementing a comprehensive IT Risk Management strategy, program and plan; developing key information security program policies, priorities, initiatives, plans, practices and tools; developing and directing the implementation of disaster recovery plans; and, working in collaboration with Internal Audit and the ITC Leadership Team to support internal and external audits of risk and security functions and internal controls.
  • Manage, monitor and report on the status of risk-management strategies and plans.
  • Direct the development and implementation of an enterprise-wide security information, education and awareness program, including development of mandatory onboarding and annual training for all staff as well as periodic testing of awareness status.
  • Provide closer linkage and communication between the WSIB’s Enterprise Risk Management strategy, programs, plans, processes and activities and those in ITC, and communicate these to ITC staff.
  • Participate as a member of the senior management team in governance processes of the IT risk and security strategies; ensure ITC staff understand that IT risk management is broader than information security: it encompasses security threats, late project delivery, not achieving enough value from IT, increasing regulatory compliance, obsolete or inflexible IT architecture, technology obsolescence, business continuity and disaster recovery, and IT service delivery problems.
  • Provide vision, and lead and be accountable for developing and supporting strategic security planning by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies using a risk-based assessment methodology, within the context of the WSIB’s business objectives, the sensitivity and criticality of business activities, and the security needs and controls as determined by the threats most relevant to those activities.
  • Develop and communicate security strategies and plans to executive team, staff, partners, customers, and stakeholders.
  • Direct the design and implementation of disaster recovery and business continuity plans, procedures, audits, and enhancements.
  • Develop, implement, maintain, and oversee enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry-standard best practices.
  • Develop strategies in response to potential threats in the external environment, and work with the ITC leadership team to manage security incidents/events to protect IT assets, including intellectual property, regulated data, and the company’s reputation.
  • Oversee the execution of approved information security projects and internal/external security audits and provide regular status reporting on progress of such projects.
  • Provide oversight of related legal and regulatory compliance.
  • Ensure that the following IT governance and management processes are optimized across the WSIB, as appropriate: Managed Risk; Managed Security; and Managed Continuity.
  1. Foster a business-oriented culture and mindset driven by continual service improvement techniques, and support continuous improvement programs and processes to achieve and improve upon desired outcomes.
  • Lead the identification and implementation of continuous improvement opportunities and solutions to enhance IT security operations, including the analysis of data to drive issue avoidance, identify and resolve problems, improve security services, and continuously improve the end-user experience.
  • Champion IT Security & Risk Management’s involvement in the IT organization’s innovation efforts.
  1. Manage financial, physical and human assets in a fiscally responsible manner including developing and forecasting annual operating and capital budgets; monitoring and reporting on variances based on projections; and evaluating overall expenditures.
  • Ensure efficiency and effectiveness of day-to-day security operations in cooperation with our vendor partners.
  • Develop and control the annual operating and capital expenditure budget for IT Security & Risk Management to ensure it is consistent with overall strategic objectives of IT and the enterprise and is within plan. Ensure budgets are complete, accurate and in line with ITC and corporate goals.
  • Forecast future skill needs to acquire and develop an IT workforce with the appropriate mix of enterprise knowledge, technical skills and competencies that balance between growing the agility required to achieve digital business objectives and ensuring the core IT functions are reliable, stable and efficient.
  • Build and maintain a staffing model that can support the requirements of a best-in-class organization of IT security and risk operations. Select, train, develop, organize and motivate a highly qualified and effective team, capable of providing optimum staff support for the enterprise. The development includes technical abilities as well as leadership and interpersonal skills.
  1. Build and maintain active interaction and dialogue and constructive working relationships with other WSIB leaders and employees to assess and discuss business and organizational issues, their implications and potential solutions, and to promote an effective team approach to the attainment of corporate goals and objectives.

Establish and maintain effective relationships with appropriate external contacts or business partners, including other workers’ compensation boards, government agencies, stakeholders, and industry groups and organizations. This includes external information sharing with organizations like the Canadian Centre for Cyber Security, other compensation boards and the provincial government Cyber Security Division. This also includes attending CISO-level events and sharing information nationally with the Community of Practice on behalf of the WSIB.

  • Work in partnership with Enterprise Architecture to ensure that processes are built using relevant technology and data sources.
  • Collaborate with the CTIO, Corporate Risk, and Enterprise Architecture to align IT, cyber security and enterprise risk management.
  • Collaborate with Enterprise Risk Management and the ITC leadership team in the development of a comprehensive IT Risk Management program and plan.
  • Work closely with Internal Compliance to ensure effective monitoring is in place, and with the ITC leadership team in the undertaking of security audits and in addressing deficiencies.
  • Present and discuss with ITC senior management, Cluster Chiefs, the EC and occasionally the Board of Directors the current state of risk and remediation activities.
  • Work closely with the ITC leadership team to identify IT risks (including security threats, late project delivery, not achieving enough value from IT, increasing regulatory compliance, obsolete or inflexible technology, outdated business continuity and disaster recovery plans, and IT service delivery problems), define mitigation plans, and put in place the appropriate governance structure and activities within ITC to ensure compliance with IT risk management.
  • Support Client Engagement & Service Delivery teams in the delivery of solutions for the WSIB.
  • Work closely with IT Business Planning & Performance to ensure achievement of metrics, and compliance with relevant internal and external regulatory requirements.
  • Manage complex negotiations and contracts with service providers.
  • Resolve complex incidents and problems in collaboration with other IT functions.
  • Work closely with IT Infrastructure Services in the implementation of disaster recovery plans.
  • Serve on IT planning and policy-making committees; engage in the development of enterprise technology standards, governance processes and performance metrics to ensure IT Security & Risk Management delivers value to the enterprise.


REQUIREMENT SUMMARY

Experience: 5.0 to 15.0 year(s)

Financial Services

IT Software - Network Administration / Security

Finance

Graduate

Computer Science

Proficient

1

Toronto, ON, Canada