The CISO position requires a visionary leader with sound knowledge of business management and of the cybersecurity technologies covering the corporate network and the broader digital ecosystem. As the organization's senior IT security officer, the CISO has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and organizational awareness. The CISO is responsible for establishing and managing the company's information security program, and must proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. The CISO must understand information technology and oversee the variety of cybersecurity and IT-related risk management activities necessary to ensure the achievement of business outcomes.
The CISO should understand and articulate the impact of cybersecurity on (digital) business and be able to communicate this at all levels of the organization, up to the board of directors. The CISO serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. The CISO understands that securing information assets and associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization.
• Develop, implement, maintain, and monitor a comprehensive strategic information security program to ensure that appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets are met
• Provide leadership through strong working relationships and collaboration to develop strategic goals for information security compliance and risk mitigation
• Liaise with external partners as necessary to ensure the organization maintains a strong security posture against relevant threats and an evolving threat landscape
• Develop a KPI, metrics and reporting framework to measure the efficiency, effectiveness, and continuing maturation of the information security program
• Lead and coordinate the development and maintenance of information systems security policies, procedures, standards, and guidelines in compliance with corporate, federal and state laws and regulations
• Develop and maintain the Computer Security Incident Response Plan. Provide hands-on leadership of the CSIRT to contain, investigate, and prevent future breaches of personal or confidential information
• Identify and assess the risks of implementing business innovations, and communicate the assessment of those risks to business stakeholders
• Design and execute penetration tests and security audits
• Monitor compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties
• Oversee the development and implementation of training programs and communications to make systems, network, and data users aware of and understand security policies and procedures
• Work with legal, risk and compliance staff to ensure all information owned, collected, and controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other regulatory requirements. Collaborate and liaise with privacy officer to ensure that data privacy requirements are included in the security program
• Stay well-informed of best practices in the IT security field, coordinate and/or evaluate new and emerging security practices and technologies, and recommend and promote adoption as appropriate
• Work closely with Information Technology, and the Security Operations Center (SOC) to identify cybersecurity risks and develop remediation strategies
• Inform the IT security architecture so that it incorporates engineering best practices for security controls
• Manage an information security risk mitigation plan based on sound risk analysis
• Develop and mature the organization’s security assessment program. Perform regular security assessments of effectiveness of policies/procedures and systems security safeguards
• Ensure the timely remediation of security vulnerabilities within the environment and produce compliance KPIs
• Consult IT and technical teams on addressing security risk, providing security information and input to strategic and tactical planning and to the appropriate and effective use of IT resources
• Implement, manage and enforce information security directives within regulatory mandates to protect PHI, including Federal HIPAA and HITECH and any applicable state laws
• Cooperate with the regulatory bodies in any lawful compliance reviews or investigations related to patient health information security
• Support compliance through participation in regulatory compliance and information security committees
• Serve as the information security lead on the Privacy Council
• Build external relationships to identify external cybersecurity threats impacting the industry and influence threat intelligence sharing
• Monitor changes in legislation and accreditation standards that affect information security
• Bachelor’s degree in Computer Science or a related field; advanced degree preferred
• 10-15 years of progressive IT Security experience, including cybersecurity and risk management, within a large corporate environment with at least 5 years in a management role
• Must possess professional security management certification such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or other similar credentials
• Demonstrated knowledge of common information security management frameworks such as ISO/IEC 27001 and/or HITRUST, ITIL, COBIT and NIST, and an understanding of relevant legal and regulatory requirements such as Payment Card Industry/Data Security
• Demonstrated experience of leading an advanced security program including sophisticated technologies in a defense-in-depth architected environment
• Knowledge of network-related protocols and security event log management and reporting tools
• Experience with maintaining operational computer and network security, firewall administration, virus protection, intrusion detection and prevention, automated security patching, and vulnerability scanning systems
• Experience with data breach management, including managing an actual data breach
• Demonstrated experience with leading a SOC utilizing advanced threat and intelligence technology
• Leadership qualities and proven experience as an effective manager and influencer of people
• Outstanding interpersonal and communication skills
• High degree of integrity and trust, and ability to work independently
• Ability to weigh business risk and enforce appropriate information security measures
Otsuka Pharmaceutical Company is a global healthcare company with the corporate philosophy: “Otsuka-people creating new products for better health worldwide.” Otsuka researches, develops, manufactures and markets innovative products, with a focus on pharmaceutical products to meet unmet medical needs and nutraceutical products for the maintenance of everyday health.
In pharmaceuticals, Otsuka is a leader in the challenging area of mental health and also has research programs on several under-addressed diseases including tuberculosis, a significant global public health issue. These commitments illustrate how Otsuka is a “big venture” company at heart, applying a youthful spirit of creativity in everything it does.
Otsuka Pharmaceutical Company is a subsidiary of Otsuka Holdings Co., Ltd. headquartered in Tokyo, Japan. The Otsuka group of companies employed 45,000 people worldwide and had consolidated sales of approximately USD 11 billion (€ 9.9 billion) in 2016.
All Otsuka stories start by taking the road less travelled. Learn more about Otsuka Pharmaceutical Company on its global website at www.otsuka.co.jp/en. Learn more about Otsuka in the U.S. at www.otsuka-us.com.
Disclaimer: This job description is intended to describe the general nature and level of the work being performed by the people assigned to this position. It is not intended to include every job duty and responsibility specific to the position. Otsuka reserves the right to amend and change responsibilities to meet business and organizational needs as necessary. Otsuka is an equal opportunity employer. All qualified applicants are encouraged to apply and will receive consideration for employment without regard to their protected veteran or disabled status, or any other protected status.