Chief Information Security Officer

Johns Manville
1 day ago
Full-time
On-site
Denver, Colorado, United States
$200,000 - $250,000 USD yearly

Who We Are

Johns Manville is a leading manufacturer and marketer of premium-quality insulation and commercial roofing, along with glass fibers and nonwovens for commercial, industrial and residential applications. Our products are used in a wide variety of industries including building products, aerospace, automotive and transportation, filtration, commercial interiors, waterproofing and wind energy.

A proud member of the Berkshire Hathaway family of companies, we serve customers in more than 80 countries around the globe. We are committed to delivering positive and powerful experiences, because we are successful only when our employees and customers thrive. We are passionate, we care about people, we perform at a superior level, and we protect others and our environments.

The Chief Information Security Officer (CISO) is responsible for the design, implementation, and management of the global information security program in alignment with JM business objectives. The role is a mix of hands-on engagement and leadership. The CISO establishes the standards, practices, and controls to ensure the information security program protects company data and assets and follows required compliance, regulations, and parent company expectations. Scope of the role includes management of corporate and industrial cyber security, cyber threat intelligence, corporate and industrial voice and data networks, and data protection. The position reports to the Chief Information Officer (CIO) and chairs the JM Information Security Council. The CISO is responsible for informing leadership of risks, mitigations, and readiness as well as building awareness of cyber security within the organization.

Applicants can expect to make between $200,000 and $250,000 upon hire. In addition, this position is eligible for a target incentive bonus under our variable incentive plan, as well as to participate in our long-term incentive program. Pay within this range will vary based upon relevant experience, skills, and education among other factors.
 

Responsibilities:

Security Strategy:

  • Directs the assessment, mitigation, and actions to reduce cyber security risks for corporate and industrial assets and data
  • Establishes and maintains information security policy and standards
  • Directs the review and processing of cyber intelligence.
  • Reviews all information security plans across enterprise to ensure alignment with business requirements, JM policies, and standards.
  • Facilitates continuous risk assessment, analysis, and mitigation activities.
  • Maintains current knowledge of technical security services and mechanisms and monitors advancements in information security and emerging technologies to manage risks and ensure compliance.
  • Actively participates in the external information security communities and parent company Cyber Security Council to foster effective communications, knowledge sharing, and best practices.

Security Governance:

  • Organizes and facilitates the Information Security Council meeting to review, align and approve appropriate information security policies, practices, standards, resources, and controls.
  • Maintain a process to safeguard and verify the safety, confidentiality, integrity, and availability of business and industrial systems and data.
  • Facilitates development and application of data loss prevention standards
  • Support internal and external audits, coordinate IT audit responses, and track observations to closure. Proactively report issues and challenges to timely completion of audit actions.
  • Ensures testing and verification of changes to reduce likelihood of repeat findings from internal or external audits.
  • Manage AI Governance group responsible for the evaluation of operational, cyber and data risks of AI and the required people, process, and technical controls.
  • Conduct related ongoing compliance monitoring activities in coordination with JM's other compliance and operational assessment functions.
  • In coordination with Legal and designated personnel, is responsible for supporting JM's compliance with data privacy laws.

Security Awareness and Advocacy:

  • Initiate, facilitate and promote activities to foster information security awareness at corporate, service and manufacturing locations.
  • Demonstrates visible leadership across the organization to identify, report and resolve cyber risks
  • Communicate and maintain list of approved uses of tools and technology that meet JM standards

Security Operations:

  • Responsible for the design, operations, and improvements to security infrastructure of the organization and key security initiatives, tools, and standards (e.g., virus protection, security monitoring, intrusion detection, local and remote access control policies and other technical security services and mechanisms).
  • Directs an effective Security Operations Center (SOC) for monitoring of corporate and industrial networks and systems
  • Ensures secure design and operations of global voice and data networks
  • Perform security assessments of 3rd party information system suppliers and technologies (e.g., cloud solution providers, LLM, AI solutions).
  • Recommend to the CIO adequate information security staffing needs to support the organization.
  • Maintain incident response playbook and conduct tabletop exercises to test the readiness and response capabilities for corporate and industrial systems.
  • Manage installation and operations of hardware and software for physical security cameras and access systems

Requirements: (education, skills, and abilities)

  • BA/BS degree with a master's degree in a business or security discipline preferred
  • Minimum 15 years of relevant information technology, risk, security, and compliance experience in a global environment; must have a broad range of exposure to all aspects of information security and a significant depth of technical expertise
  • Minimum 10 years of management experience; experience in building and/or running information security teams. Preferred experience at a director level or above.
  • Demonstrated experience securing both corporate (IT) and industrial technology (OT) environments with direct knowledge of process control manufacturing systems
  • Established contacts with the cyber protection bureaus of law enforcement agencies (FBI, CISA, Secret Service)
  • Experience working at executive levels and cross functionally across geographically distributed operations to support business strategic goals and plans.
  • Strong communication skills and demonstrated ability to interact with team members and executive management.
  • Strong technical skills relevant to cyber and internet security such as intrusion detection / intrusion prevention, vulnerability management, firewalls, security event management, threat intelligence and zero trust architecture.
  • Experience with large information security projects, assessments, audits, threat detection, and response.
  • Experience developing and communicating policies and standards
  • Strong leadership, communication, influencing, and negotiation skills.
  • Strategic thinker, keeping big picture in mind while ensuring execution excellence.
  • Ability to manage complexity, prioritize, and make effective decisions in complex, cross-functional, changing environments.
  • Proven leadership of high-performing cross-functional global teams.
  • Information security certification (e.g., CISSP, CISM) preferred.
  • Industrial control experience required.

Skills and Abilities:

  • Expert
    • Security Frameworks (NIST CSF, ISO27001, IEC 62443, HIPAA)
    • Networking design, routing, and segmentation
    • Vulnerability, threat management, and security operations (SIEM, SOAR)
  • Solid
    • Microsoft Office 365, Purview design, and management
    • Security Architecture Design – Zero Trust
    • Desktop Operating Systems (Windows, Apple)
    • Server Operating Systems (Linux, Windows, VMware)
    • eDiscovery and Forensics
    • Vendor and Cloud Security Management
    • Experience reporting and presenting information security concepts, strategy, performance, and incident response to executive leaders.
  • Proficient in Microsoft PowerPoint, Excel, Word, PowerBI and Copilot.
  • Verbal and written communications in English
  • Travel Requirements: Moderate - (11 - 29 days per year)
  • Environment and Physical Activities: Work environment is typical of an office setting.

Please Keep in Mind

If you do not meet 100% of these requirements, we at JM still want to hear from you. So, if you are interested in the role, we encourage you to apply so we can learn how your skills and talents can contribute to our team.

Benefits

Johns Manville (JM) offers a wide range of benefits to employees. Some are subsidized by the company and others are fully employee-paid. Health benefits include a choice of comprehensive medical plans, a dental plan, vision plan, wellness program and critical illness insurance. JM sponsors a 401(k) plan which includes a sizeable company match. JM offers paid vacation and also provides paid sick and parental leave for eligible employees.

Additionally, Johns Manville provides basic life insurance, short-term and long-term disability coverage, an employee assistance program, and business travel accident coverage. Supplemental life insurance and accidental death and dismemberment insurance are available as well. The company also offers a variety of tax saving accounts: a health spending account, a traditional flexible spending account, and a dependent care spending account. JM also offers a tuition reimbursement program for undergraduate and certain graduate programs.

Johns Manville supports employee growth with vast educational opportunities and a company-wide mentoring program. This program pairs employees and leaders to grow skills, build stronger internal networks and strengthen the company’s succession planning process. Johns Manville also offers soft and hard skills training facilitated by internal and external presenters. Our talent management team prioritizes the holistic growth of our workforce.

Diversity & Inclusion

Johns Manville believes diversity and inclusion in our workplace is critical for the long-term success of our company. We are committed to retaining, developing and attracting a diverse workforce that fosters an inclusive work environment in which all employees are treated with dignity and respect. This is the right thing to do for our employees, our company and our communities.

Incumbent must be physically able to perform essential job functions. Reasonable accommodations may be made to enable individuals with disabilities to perform essential job functions.

We are proud to be an Equal Opportunity/Affirmative Action employer. We maintain a drug-free workplace and perform pre-employment substance abuse testing.