Westat is an employee-owned corporation providing research services to agencies of the U.S. Government, as well as businesses, foundations, and state and local governments. Westat's research, technical, and administrative staff of more than 2,000 is located at our headquarters in Rockville, Maryland, near Washington, DC.
Westat is committed to building a diverse workforce and a culture of inclusivity, belonging and equity for all. We believe that our greatest strength draws on the different backgrounds, cultures, perspectives and experiences of our employees.
Westat is seeking a Director, Information Systems Security Officer (ISSO) to lead our Client Security Services (CSS) team. This leadership role is a critical member of the Chief Information Security Officer's (CISO's) team and acts as an interface between the CISO's strategic and process-based activities and the CSS team they will lead. The Director must be able to provide direction and mentoring for staff, interact directly with internal and external clients, manage resources, meet deadlines, and provide regular status and service-level reports to management.
The candidate should have experience managing direct reports and working with Federal Government clients and have extensive experience, securing information systems in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF, i.e. NIST 800-37 and 800-53). Expertise in leading project teams and developing and managing projects is essential for success in this role. In addition to supporting the CISO's policies and strategies, the Director must be able to prioritize work efforts — balancing operational tasks with longer-term strategic security efforts.
This role offers a hybrid work arrangement, requiring the Director to be on-site 2 day/week.
Job Responsibilities:
• Manage a staff of information security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching particularly in the areas of FISMA/NIST security compliance, and including technical and personal development programs for team members.
• Work with the CISO to develop budget projections based on short- and long-term goals and objectives.
• Monitor and report on client facing security activities that include security authorization documentation creation, security control evidence gathering, risk remediation, and security assessment coordination.
• Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.
• Maintain FISMA authorization to operate (ATO) for information systems.
• Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
• Provide security communication, awareness, and training for audiences, which may range from senior leaders to field staff.
• Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
• Manage production issues and incidents and participate in problem and change management forums.
• Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
• Serve as an active and consistent participant in the information security governance process.
• Work with the CISO and IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
• Provide support and guidance for legal and regulatory compliance efforts, including audit support.
• Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
• Formulate recommendations to resolve problems impacting the quality and effectiveness of security controls in software development projects.
• Participate in information security working groups.
Basic Qualifications:
• Typically requires a bachelor’s degree and a minimum of 10 years of IT leadership experience, or an equivalent combination of education and experience.
• Advance knowledge of FISMA, FedRAMP, HIPAA, PII, and the entire NIST Risk Management Framework Remote v5.
• Proven project management skills and experience in creating and managing project plans, including budgeting and resource allocation.
• Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM), required.
• Experience with on premise and cloud environments.
• Experience with developing and managing plans of action and milestones (POA&M).
Preferred Qualifications:
• Experience with GDPR and CMMC.
• Experience with Nessus Tenable.
• Ability to develop and guide information security team members and IT operations personnel, and work with minimal supervision.
Westat offers a well-rounded and comprehensive benefits program focused on wellness and work/life balance. Subject to plan requirements, employees may participate in:
- Employee Stock Ownership Plan
- 401(k) Retirement Plan
- Paid Parental Leave
- Vacation Leave (20 days per year)
- Sick Leave (10 days per year)
- Holiday Leave (7 government holidays and 2 floating holidays)
- Professional Development
- Health Advocate
- Employee Assistance Program
- Travel Accident Insurance
- Medical Insurance
- Dental Insurance
- Vision Insurance
- Short Term Disability Insurance
- Long Term Disability Insurance
- Life and AD&D Insurance
- Critical Illness Insurance
- Supplemental Life Insurance
- Flexible Spending Account
- Health Savings Account
This opportunity will be posted for a minimum of 5 days and applications will be accepted on an ongoing basis.
Westat is an Equal Opportunity Employer and does not discriminate on the basis of race, creed, color, religion, sex, national origin, age, veteran status, disability, marital status, sexual orientation, citizenship status, genetic information, gender identity or expression, or any other protected status under applicable law.
#LI-WST1