With the high visibility we have online, Information Security is a critical top priority here at QuinStreet. We are looking for an accomplished Senior Information Security Consultant to report to the VP of Information Security & Compliance and help build out, implement and manage an extensive Information Security program with a wide variety of coverage and influence.
This is a highly dynamic role that will involve support for both broad security risk assessments of company-wide policies and procedures and application security as it relates to our development life cycle. This individual will work very closely with our Vice President of Information Security.
Risk Management
Establish and maintain our global security approach that fosters appropriate, demonstrable, and coordinated security policies and procedures.
Lead information security risk assessments for the business.
Establish and maintain a company-wide program that utilizes third-party testing, risk assessments and vulnerability management relating to the information security of systems, networks, and related administrative activities, for both internal and client-facing product applications.
Governance
Establish and/or enhance and maintain an information security program that fosters appropriate, demonstrable, and coordinated information security policies and procedures, and controls to monitor and test compliance with those policies.
Lead the effort to obtain certifications such as SOC 2, ISO 27001, ISO 27017, and ISO 27018.
Work with senior management and coordinate responses to any Information Security incidents.
Ensure that all identified remediation activities resulting from Risk Assessments and Security Incidents are tracked to completion.
Manage third-party reviews, testing and certification processes.
Work closely with vendors to ensure that their internal information security environment and processes meet or exceed our information security policies and standards.
Training & Awareness
Assist in the enhancement of the company’s existing information security training curriculum.
Identify, communicate and facilitate information security best practices throughout the company.
Create and deliver effective, timely, and actionable information security communications for internal use and for dissemination to clients.
Resiliency
Collaboratively lead disaster recovery and business continuity planning practices and exercises.
Lead security incident response events, including assembling the necessary team to investigate, developing an action plan for forensics, synthesizing findings, and developing communication plans for internal and external stakeholders.
Qualifications
BA/BS in business, computer science, or a related field, and/or relevant work experience
Must have thorough knowledge of information security principles, practices, and processes
Must be able to develop and draft policies, processes and third-party communications regarding information security
Must hold at least one industry-recognized certification (e.g. CISSP, CISM, CISA, or equivalent)
Minimum 5 years of experience in technology organizations
Strong knowledge of US and International regulatory requirements
Strong knowledge of Information Security and Risk Management
Minimum of 2 years’ experience performing Information Security Compliance Assessments and working with remediation plans.
Experience with IT security concepts, assessment processes, and high-level controls used for validating compliance. Understanding of major GRC security regulations and assessment processes (NIST 800-53, NIST 800-37, ISO 27001, SOC 1/2 and related primary security regulations) would be extremely useful.
Not required, but nice to have
Conduct in-house penetration testing and code reviews
Conduct regular security assessments of internally developed applications
Provide security guidance to our developers to ensure that our continuous stream of new applications and services is as robust as possible