Client Services Security Director - Remote (local to DC metro)

Rockville, MD, United States

Job Description

Westat is an employee-owned corporation providing research services to agencies of the U.S. Government, as well as businesses, foundations, and state and local governments. Westat's research, technical, and administrative staff of more than 2,000 is located at our headquarters in Rockville, Maryland, near Washington, DC.

Westat is committed to building a diverse workforce and a culture of inclusivity, belonging and equity for all. We believe that our greatest strength draws on the different backgrounds, cultures, perspectives and experiences of our employees.

Westat is seeking a Director, Information Systems Security Officer (ISSO) to lead our Client Security Services (CSS) team. This leadership role is a critical member of the Chief Information Security Officer's (CISO's) team and acts as an interface between the CISO's strategic and process-based activities and the CSS team they will lead. The Director must be able to provide direction and mentoring for staff, interact directly with internal and external clients, manage resources, meet deadlines, and provide regular status and service-level reports to management.

The candidate should have experience managing direct reports and working with Federal Government clients and have extensive experience, securing information systems in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF, i.e. NIST 800-37 and 800-53). Expertise in leading project teams and developing and managing projects is essential for success in this role. In addition to supporting the CISO's policies and strategies, the Director must be able to prioritize work efforts - balancing operational tasks with longer-term strategic security efforts.

This role offers a remote work arrangement, applicants should be in a commutable distance to Rockville, Maryland for in-person meetings as needed.

Job Responsibilities:

•Manage a staff of information security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching particularly in the areas of FISMA/NIST security compliance, and including technical and personal development programs for team members.

•Work with the CISO to develop budget projections based on short- and long-term goals and objectives.

•Monitor and report on client facing security activities that include security authorization documentation creation, security control evidence gathering, risk remediation, and security assessment coordination.

•Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.

•Maintain FISMA authorization to operate (ATO) for information systems.

•Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.

•Provide security communication, awareness, and training for audiences, which may range from senior leaders to field staff.

•Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.

•Manage production issues and incidents and participate in problem and change management forums.

•Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.

•Serve as an active and consistent participant in the information security governance process.

•Work with the CISO and IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.

•Provide support and guidance for legal and regulatory compliance efforts, including audit support.

•Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.

•Formulate recommendations to resolve problems impacting the quality and effectiveness of security controls in software development projects.

•Participate in information security working groups.

Basic Qualifications:

•Typically requires a bachelor's degree and a minimum of 10 years of IT leadership experience, or an equivalent combination of education and experience.

•Advance knowledge of FISMA, FedRAMP, HIPAA, PII, and the entire NIST Risk Management Framework Remote v5.

•Proven project management skills and experience in creating and managing project plans, including budgeting and resource allocation.

•Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM), required.

•Experience with on premise and cloud environments.

•Experience with developing and managing plans of action and milestones (POA&M).

Preferred Qualifications:

•Experience with GDPR and CMMC.

•Experience with Nessus Tenable.

•Ability to develop and guide information security team members and IT operations personnel, and work with minimal supervision.

Westat offers a well-rounded and comprehensive benefits program focused on wellness and work/life balance. Subject to plan requirements, employees may participate in:

Employee Stock Ownership Plan

401(k) Retirement Plan

Paid Parental Leave

Vacation Leave (20 days per year)

Sick Leave (10 days per year)

Holiday Leave (7 government holidays and 2 floating holidays)

Professional Development

Health Advocate

Employee Assistance Program

Travel Accident Insurance

Medical Insurance

Dental Insurance

Vision Insurance

Short Term Disability Insurance

Long Term Disability Insurance

Life and AD&D Insurance

Critical Illness Insurance

Supplemental Life Insurance

Flexible Spending Account

Health Savings Account

This opportunity will be posted for a minimum of 5 days and applications will be accepted on an ongoing basis.

Westat is an Equal Opportunity Employer and does not discriminate on the basis of race, creed, color, religion, sex, national origin, age, veteran status, disability, marital status, sexual orientation, citizenship status, genetic information, gender identity or expression, or any other protected status under applicable law.

#LI-WST1

#remote