Director of Information Security (NJ, Newton) - Thorlabs
Newton, NJ
About the Job
Purpose of the Position
The Director of Information Security is a senior leader responsible for establishing and maintaining the enterprise cybersecurity vision, strategy, culture, and program to ensure information assets and technologies are adequately protected. This person directs the planning and implementation of enterprise cybersecurity measures and practices pertaining to IT infrastructure, systems, data, application development, and business operations, while overseeing the development of policies and procedures to safeguard the organization's sensitive information.
Although the position is located in Newton, NJ, the position holder may from time to time be required to undertake duties at other Thorlabs locations.
Essential Job Functions include the following, but are not limited to:
- Develop strategic and tactical roadmaps to strengthen information and cyber security technologies, services, policies, standards, and procedures, implementing effective risk mitigation strategies and controls.
- Conduct regular security assessments and audits to identify potential security risks and vulnerabilities and develop mitigation strategies.
- Lead the effort to design and implement disaster recovery/business continuity plans and procedures, and lead incident response efforts in the event of a security breach, coordinating with internal and external stakeholders to minimize impact and facilitate recovery.
- Collaborate with the VP of IT, executive management, and other stakeholders to ensure alignment of security initiatives with business goals and objectives.
- Collaborate with the IT teams and other stakeholders to develop and maintain a robust enterprise incident response plan.
- Design and implement a robust security architecture for IT systems, networks, and applications, incorporating the latest security technologies and methodologies.
- Lead and actively manage security-related projects such as assessments, audits, penetration tests, and remediation efforts. Contribute to IT infrastructure projects and activities that are tangential to information and cyber security.
- Develop, implement, and update the enterprise security policies, standards, and procedures, as well as other cyber security-related policies, including those pertaining to systems access, authentication, acceptable use, and the use of artificial intelligence.
- Oversee the monitoring, analysis, and mitigation of security incidents/breaches and resulting impact to the business.
- Ensure compliance with relevant industry standards, frameworks, regulations, and laws, such as ISO 27001, the NIST frameworks, GDPR, and CMMC.
- Collaborate with system owners and administrators to ensure that new or updated solutions and services comply with the enterprise cyber security standards.
- Conduct regular security assessments, audits, penetration testing and vulnerability scans to identify vulnerabilities/risks and ensure ongoing security improvement.
- Evaluate third-party vendors and service providers for security compliance and ensure that security requirements are met in vendor contracts.
- Develop and deliver security training and awareness programs for employees, promoting a culture of security awareness and compliance across the enterprise.
- Define Cyber Security KPIs and risk indicators and prepare regular updates and presentations for VP of IT and other members of senior management.
- Stay updated on current and emerging security technologies, trends, and threats. Integrate relevant/appropriate leading security technologies and practices into the enterprise's security architecture.
- Lead and manage the information security team, including hiring, training, and performance management.
- Develop and manage the information security budget to ensure that resources are allocated effectively to address security needs.
The Company retains the right to change or assign other duties to this position.
Qualifications
Experience:
- 10+ years of experience leading information security teams in a mid-size to large, complex enterprise environment, with expert understanding of IT Infrastructure (both on-prem and cloud) technologies, enterprise applications, and application development security best practices.
- 10+ years of experience leading cybersecurity operations and teams, including intrusion detection, incident response, vulnerability management, threat intelligence, and cloud operations.
- 10+ years of senior management experience working with various levels of leadership, including C-level executives. Experience working with Boards of Directors to adopt and implement enterprise-level approaches to
- Strong track record of information security transformation: a proven leader in the delivery of innovative cyber and risk management solutions through security rigor, with a demonstrated ability to build, manage, and foster a highly productive team.
- Strong understanding of and working experience with security best practices and frameworks such as NIST, SOC 2, CIS Controls, and ISO 27001.
- Strong understanding of and working experience with various compliance regimes and regulations, such as CMMC, ITAR, DFARS, PCI DSS, GDPR, CCPA, and HIPAA.
- Strong working knowledge of security information and event management (SIEM) and data loss prevention (DLP) tools and services.
- Deep understanding of cloud, containerized environments and other modern technology stacks in infrastructure, application development and data analytics, with extensive experience implementing security controls to protect these environments.
- Experience with information security governance.
Education:
- Bachelor's degree required. Master's degree in Cybersecurity, Computer Science, Information Systems, or a related technical field is preferred.
- Professional cybersecurity certifications such as CISSP, CCSP, CISM, CRISC, GSEC, CIPP, CEH are preferred.
- Strong IT project management experience required, PMP certification is a plus.
Specialized Knowledge and Skills:
- Ability to modernize information security capabilities in a hybrid technology environment with both legacy and modern technology practices and resources.
- Strong experience with web application security guidance such as OWASP (for example, the OWASP Top 10 and ASVS), and strong working knowledge of building a secure software development lifecycle.
- Must excel at preparing for and leading responses to cybersecurity incidents, including readiness testing, detection, investigation, and remediation, with a strong understanding of the business, legal, and reputational risks and considerations that cybersecurity threats pose.
- Must have demonstrated experience with security vulnerability assessments and a proven track record of managing or co-managing remediation efforts with the operational teams.
- Excellent leadership and interpersonal skills. Strong ability to interact and influence at various levels within the organization and to work collaboratively across functions and departments toward shared objectives.
- Excellent written and verbal communication skills, with an emphasis on public speaking and executive-level presentation skills. Must have the ability to translate complex technical concepts into language suitable for a range of audiences, including the C-suite, other business and technical leaders, and members of other internal and external communities.
- Ability to project professionalism across all levels, and to handle high pressure situations in a fast-paced environment.
- Excellent project management skills with an ability to develop and deliver on relevant KPIs.
Direct Reports:
This position manages all employees of the department and is responsible for the performance management and hiring of the employees within that department.
Thorlabs values its diverse environment and is proud to be an Equal Employment Opportunity/Affirmative Action Employer. All qualified individuals will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age or veteran status. Job descriptions are not intended as and do not create employment contracts. The organization maintains its status as an at-will employer. Employees can be terminated for any reason not prohibited by law.