New York, NY 10012 US
The Information Security Architect is responsible for establishing and maintaining portions of the Scholastic Technology Service (STS) Security Program, which is designed to ensure that the company’s technology systems and information assets are adequately protected.
The Security Architect:
- Plays a critical role in ensuring that the various technical, process and people elements of Scholastic's security program result in a security posture consistent with policy, regulatory, and customer expectations and requirements.
- Is not only an expert in the diverse current risks and threats and the means of addressing them, but also brings a broad technology background, including development and technology operations. This broad background enables the security architect to liaise with a wide variety of technology leaders to build trust, provide guidance and work in a consultative fashion to design and implement effective security constructs, controls, and mitigations.
- Is a process owner for Scholastic’s Information Security (IS)-related risk assessment and identification activities, for the company's systems and information assets and for its technology-dependent strategic business objectives.
- A crucial element of this role is working with senior executives, line-of-business managers and other key decision makers to determine acceptable levels of residual risk for the company as a whole and for various internal departments and organizations.
- Is a proven thought leader, problem solver and integrator of people and processes, as well as an effective internal consultant.
o In-depth knowledge of Scholastic’s business environment, to ensure that the company’s systems and services are appropriately protected and fully functional.
o Solid domain competencies in a number of risk-related disciplines, including security, business continuity management, privacy and compliance.
Primary Responsibilities and Activities:
• Ensure that the customer and market facing security demands and expectations are well known (as they evolve and change over time), and that the related security designs either meet or are evolving to meet those demands.
• Meet customer and business expectations for avoiding business risk arising from information security and privacy issues.
• Work directly with business units and other internal departments and organizations to facilitate IS risk analysis and risk management processes, identify acceptable levels of residual risk, establish roles and responsibilities related to information classification and protection, and to ensure that other managers are taking effective remediation steps.
• Create, disseminate and (as required) update documentation of Scholastic’s matrix of identified IS risks and controls.
• Play a critical role in managing executive level relationships across the technology and business organizations.
• Coordinate information security and risk management projects with Scholastic personnel from the STS organization, lines of business, and other internal departments and organizations.
• Review risk assessments, analyze the effectiveness of Scholastic’s IS control activities and report on them, with actionable recommendations to STS Management.
• Be the central point of design and review and establish standards for the technical aspects of security to ensure that security components integrate into a comprehensive and effective security posture. These aspects or components include: infrastructure and network; data protection mechanisms; policy; hardening and deployment standards and practices; application security.
• Work closely with the enterprise architecture function to ensure that security needs and constructs are included in all aspects of enterprise technology.
• Serve as a technical expert resource to infrastructure and operations staff on choosing, implementing, and configuring tools, products, and solutions to meet security objectives.
• Serve as reviewer and approver of all requested exceptions to technical standards as related to security.
• Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation and mitigation measures have been taken.
Education and Training:
- Minimum Bachelor of Science required, with a focus on Information Technology or Information Security and architecture-related disciplines (e.g. computer science; security; enterprise architecture; software engineering). A business degree is beneficial.
- Candidates holding certifications from ISC2, SANS, ISACA, or another recognized security professional credentialing organization are preferred.
- 8-10 years of experience in an enterprise technology environment, ideally with customer-facing systems and services. Numerous roles are applicable – operations, application development, networking, systems and infrastructure architecture, or other as applicable.
- 5-7 years of experience in security roles with increasing responsibility and business-leadership exposure. Previous roles may include information security analyst, application security or penetration testing, network-related security roles (firewall, intrusion detection, data loss prevention), or audit/compliance such as working to maintain SOX, PCI, and/or HIPAA compliance.
Evaluation of Success:
• The scope of the Security Architect’s role will be determined by the Corporate Information Security Office (CISO) and/or the Director, Information Compliance & Risk Management who will be responsible for evaluating the Security Architect’s performance.
• The Security Architect’s performance will largely be evaluated on the basis of success in identifying IS-related risks, and developing and implementing effective policies, with regularly tested controls, to manage those risks.
Required Knowledge and Skill:
• Solid understanding of application security, including secure coding practices and standards, penetration testing and overall secure SDLC practices. Working knowledge of the use of common application frameworks in Java, .NET and others to avoid common classes of application vulnerabilities (e.g. OWASP Top Ten) is required.
• Strong infrastructure security skills including IDS/IPS, firewall, SIEM, server and OS hardening, malware detection, physical security, transport and at-rest encryption on file systems, DB, and other data persistence mechanisms.
• Previous experience in strategic planning and the associated processes for budgeting and portfolio decision-making for business or technology goals is required. The ability to distill requirements from non-technical staff and working relationships, build road-maps, and prioritize over time is also required.
• A track record of contributing to and leading cross-functional teams delivering technology services and solutions for internal business stakeholders or customers.
• Prior exposure to security and/or risk-related compliance audit is strongly preferred.
• Formal project management experience and/or skills are a plus.
Key Behaviors and Competencies:
• In-depth understanding of strategic business risks.
• Ability to develop a comprehensive understanding of Scholastic’s business, market and industry and relate that knowledge to identified operations- and IS-related risks.
• Knowledge necessary to propose relevant responses to changing business risks and regulatory changes.
• Proven ability to communicate with people at all levels — from developers to the board of directors.
• Excellent written and verbal communication skills — including the ability to effectively communicate security- and risk-related concepts to technical and nontechnical audiences — and strong interpersonal and collaborative skills.
• Strong skills as a negotiator, to facilitate commitment to, and sign-off on, appropriate levels of residual risk from line-of-business managers.
• High level of personal integrity, with the ability to handle confidential and otherwise sensitive matters professionally and with the appropriate level of judgment and maturity.
• High degree of initiative, dependability and ability to work with little supervision.
• Capable of successfully handling multiple high priority tasks in a team setting.