Chief Information Security Officer

Job Description

Chief Information Security Officer

The SVP for Information Security:
• Is the senior information security person in Sony Pictures Entertainment, Inc. (SPE), and is responsible for leading, implementing, and managing a comprehensive information security program in all parts of SPE, including subsidiaries.
• Acts as the primary cyber risk management advisor to the business leaders of SPE and SPE subsidiaries.
• Is one of the senior leaders of the larger Sony Group information security community and helps shape policy and approaches Sony-wide.

Key Responsibilities

Lead, implement, and manage a comprehensive information security program in all parts of SPE.
• Develop and execute strategies, plans, and processes for SPE information security that align with SPE business objectives, and with the kinds of cyber risk SPE businesses may encounter.
• Develop, justify, and manage the SPE information security budget.
• Ensure the program stays up to date as the SPE businesses, technology, and cyber threat all evolve.

Collaborate Broadly in Order to Be a Business Enabler
• Collaborate with business executives, information technology, privacy, legal, corporate communications, and any other groups within and external to SPE that may be necessary to the proper shaping, implementation, and operation of the information security program throughout SPE.
• Collaborate and build networks with industry peers, relevant industry consortia, government bodies, and law enforcement in order to stay up to date on the cyber threat and to help shape industry best practices.

Implement and Oversee Infosec Governance Processes

Establish Policy, Standards, and Guidance
• Advise and facilitate the adoption of information security policy and standards issued by the Sony Group CISO. Develop and approve implementation guidelines for SPE and subsidiary organizations. Ensure the implementation guidance is in line with the organization's requirements and business needs, as well as in compliance with applicable laws, regulations, and standards.
• Partner with information technology groups to evolve the SPE technical information security architecture and adjust the information security program as appropriate.

Define and Explain the Information Security Program to Participants and Stakeholders. Measure Compliance, Progress, and Effectiveness
• Use automated and manual reporting, assessments from various organizations in SPE, SGC, and external organizations to monitor cyber risk, measure process effectiveness, and assess compliance. Share with all SPE and SGC stakeholders and use the data to adjust the program.

Communicate Program Status, Cyber Risks, and Recommendations to Management
• With SPE Privacy and Legal, sponsor and organize the SPE information security and privacy committee. In this committee, regularly present to SPE leadership the key cyber-business risks, risk treatment recommendations, and information security program status.

Promote Standardization of information security across SPE companies
• Balance this standardization with the need to adapt the information security efforts to the needs and peculiarities of each business organization, industry regulations and local laws and regulations.

Define, Build, and Evolve the Information Security Organization and Workforce
Operate the SPE Cyber Risk Management Process

In Partnership with Development Organizations, Improve, or if Necessary, Implement a Secure Development Lifecycle.
• Collaborate with development groups to develop and implement processes to embed information security throughout the system development and operation lifecycle, as appropriate.
• Ensure information security teams have the technical skills necessary to support and participate in secure development processes.
• For development done by vendors, ensure that appropriate information security contract requirements and progress reviews are incorporated into the contract, as appropriate.
Operate and Improve Processes to Discover, Treat, and Manage Risks in Operational Systems
• Ensure that risk assessments are performed regularly on operational and developmental Sony systems. Ensure that the quality of the risk analysis and assessment method(s) is maintained and kept current with evolving standards.
• Apply risk judgement to develop, coordinate, and track risk treatment recommendations and plans.

Perform Third-party Cyber Risk Management
• Operate and improve a process to evaluate the information security risk to SPE or SPE subsidiaries of important SPE business partners and communicate these risks to management.
• With business and legal groups, ensure that contracts with third parties include information security requirements/contract clauses that align the contract with Sony and SPE security and risk objectives.

Lead and Improve Cyber Incident Response and Recovery
• Ensure that incident response plans are documented, and roles and responsibilities for both minor and major cyber incidents are clear and are practiced and improved regularly. This includes ensuring that cyber incident management is properly integrated in overall SPE crisis response processes.
• Serve as a bridge /escalation point between information security and the business in all phases of incident response and recovery.
• Provide regular updates to SPE management, and as appropriate, the SGC CISO, during an incident.
• Ensure that root cause analysis is carried out after significant incidents, and that lessons are incorporated into the program, and shared with all Sony information security teams.

Improve And Operate Information Security Training Programs
• Ensure that all users with access to Sony systems have up-to-date awareness training that helps them recognize, avoid, and report cyber threats and suspicions.
• Devise and operate a similar program for senior management.
• Do the same for more specialized roles, for instance systems developers, as appropriate.
• Regularly update the various curricula to keep pace with business, technology, and threat changes.

Qualifications & Experience:
Overall Acumen
• Position requires at least 15 + years of information security leadership experience at comparable sized organizations

Leadership Experience
• Experience and demonstrated success in the executive levels of a large company.
• Demonstrated ability to make complex decisions, particularly when confronted with difficult trade-offs.
• Ability to build strong relationships at all levels of the SPE businesses.
• Ability to understand business priorities and imperatives, and then devise ways to implement or support.
• Demonstrated strong leadership abilities, and ability to lead in situations in which many team members and stakeholders do not work directly for you.
• Excellent communication (verbal and written) and interpersonal communication skill in order to communicate and collaborate effectively with leadership, business personnel, project teams and management and others.

Information Security Expertise
• Demonstrated strong information security leadership ability. At least 10 years of experience in a regional or global information security role, including at least 5 years' experience leading an information security program, or leading a team in some area of information security.
• Demonstrated ability to keep abreast of changes in the SPE businesses, the threat, information technologies, and information security te

[more...]

Jobcode: Reference SBJ-d8z40k-3-137-161-222-42 in your application.