Head Information Security (CISO)/Chef, Sécurité de l'information (RSSI)
Job Requisition ID: 10721
Position Status: Permanent Full Time
Position Type: Hybrid
Office Location: Ottawa (ON) preferred, Montreal (QC) and Toronto (ON) will be considered
Travel Requirement: Travel not required
Language Designation: Bilingual
Language Skill Levels (Read/Write/Speak): CBC
Security Requirement: Secret
Salary: Our salaries generally range from $ 196 189.50 to $ 235 427.40 and are based on qualifications and experience.
We have retained the services of an Executive Search firm for this recruitment. Your application will be assessed by the firm, applicants who have successfully passed the firm assessment will be invited for an interview with CMHC.
About CMHC
The work you do and the work we do together matters. We come to work every day with a common purpose: to contribute to a well-functioning housing system.
At CMHC, we hold ourselves accountable for our results and support our colleagues in their achievements. We thrive on collaboration, connecting across CMHC and involving the right people to get our work done. We have flexibility, in how, when, and where we work, within the boundaries of the business needs and the nature of your role. Our leadership style is guided by trust, where our leaders favour an adaptive approach based on the needs of their teams.
Join us and be part of a team that's committed to making a real difference and be part of something meaningful.
What’s in it for you
We’ve got the purpose, the people and the perks you need for a fulfilling career. Here’s the comprehensive and generous benefits you get when you’re a permanent employee:
- Annual paid vacation.
- Annual individual performance incentive.
- Defined benefit pension plan.
- Comprehensive group insurance plan to support your well-being from day one.
- Support towards your personal and professional growth with training, mentorship and more.
- An inclusive workplace culture and environment.
- While positions at CMHC require some in-office presence, alternative work arrangements may be considered for Indigenous candidates.
About the role
Reporting to the SVP Technology and Business Transformation, the Head Information Security (CISO) is a critical role in providing strategic leadership and oversight for CMHC's global security posture. This position oversees the protection of the organization’s information assets, physical and virtual infrastructure, and operations against an evolving threat landscape. The incumbent is responsible to develop and implement a security strategy, governance framework, and operational plan that align with CMHC's vision, mission, and values and risk appetite. The Head, Information Security (CISO) also manages security risks, ensure compliance with security standards and regulations, communicate, and promote a security culture, and foster strategic partnerships with internal and external stakeholders.
What you’ll do:
Strategy and governance:
- Create, manage and maintain CMHC’s information security strategy and governance framework (including cybersecurity) to be a unified, flexible and risk-based approach aligned with CMHC’s overall business objectives, ensure it continues to evolve and remain compliant with global laws, standards and regulations compliance requirements and in adoption of the cybersecurity framework (ISO) 2700X, ITIL, National Institute of Standards and Technology (NIST) Cybersecurity Framework).
- Lead and develop objectives, priorities, operational business plans, policies and standards to reflect industry security leading best practices and oversees the audits and assessments to maintain the standards of CMHC’s security governance.
- Facilitate a cybersecurity governance structure governed by a cybersecurity steering committee/advisory board to manage and contain cybersecurity incidents/ events to protect corporate IT assets, intellectual property, regulated data, and the company's reputation.
- Develop and provide regular reporting on the current status of the cybersecurity program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
Security, emergency, risk management and incident response:
- Leads the strategic security and emergency planning prioritizing defence initiatives and providing oversight to the security and emergency management functions while monitoring the external threat environment for emerging threats.
- Identify, assess and mitigate information security risks across the organization and lead the response to security incidents by ensuring minimal business impact and that lessons learned are shared and implemented across teams.
- Oversees the analysis, design and deployment of the infrastructure security procedures and practices that enhance the integrity and privacy of the organization’s IT.
Security Partnerships and Visibility:
- Build and maintain strategic relationships with external partners, industry groups, and regulatory bodies, law enforcement and other advisory bodies to enhance CMHC’s visibility, security posture and is kept abreast of the relevant threats.
Security First Culture:
- Champion a security-first culture across the organization. Promote a comprehensive security training programs for employees, partners, and stakeholders. Ensure comprehensive security management trainings and communications to elevate security awareness.
What you should have:
- An undergraduate degree in management information systems, information security, information technology, information systems management. An equivalent combination of education and/or experience can be considered.
- Thirteen (13) years of a combination of experience in information technology or information security roles, with at least 5 years in a senior leadership role.
- Experience with the framework of the financial regulations and guidelines of the Office of the Superintendent of Financial Institutions (OSFI), the compliance and integration of these standards into the organization’s security and risk management frameworks.
- Demonstrated experience identifying cyber vulnerabilities and devising solutions for risk improvement.
- The knowledge of current trends and best practices in threat risk assessment, vulnerability assessment, redundancy and disaster recovery practices.
- The knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework.
- Sound knowledge of business management and a working knowledge of cybersecurity risk management and cybersecurity technologies.
- Superior written and oral communication skills (French and English). Ability to deliver a persuasive, clear presentation of ideas that will convince others and gain acceptance of proposals in a variety of settings and styles to a variety of stakeholders (senior management in particular).
It would be great if you also had:
- One of the following certifications: Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Privacy Professional (CIPP), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA) or System Administration, Networking and Security (SANS).
- Experience with contract and vendor negotiations and working with outsourcing partners.
Posting closing date : Note, the competition will remain active until filled.
Our commitment to diversity, equity, and inclusion
We’re committed to employment equity and encourage women, Indigenous Peoples, persons with disabilities, veterans and persons of all races, ethnicities, religions, abilities, sexual orientations, and gender identities and expressions to apply. We also welcome applications from non-Canadians who are eligible to work in Canada.
CMHC is an inclusive workplace where diversity of thought – and of people – are recognized, valued, and considered essential to achieving our mission.
Learn more about our commitment to diversity and inclusion
What happens after you apply
We know that applying for a new job can be both exciting and daunting, and we appreciate your effort. Learn more about our hiring process. If you are selected for an interview or testing, please advise us if you require an accommodation.
If you applied before and you were not successful don’t worry – we're always posting new positions, so don’t hesitate to give it another shot. We’re excited to see what you bring to the table this time around!