Head of Information Security

Req ID: 421154 

BASIC PURPOSE: The Head of Information Security is responsible for establishing and maintaining a comprehensive information security program that protects the organization from cyber threats, ensures regulatory compliance, and fosters a culture of security awareness. The incumbent of this role will play a pivotal role in safeguarding Love’s data, systems, and reputation from cybersecurity threats as well as shaping the company’s cybersecurity strategy and working collaboratively across departments to mitigate risks and drive business growth as well as safeguarding.

MAJOR RESPONSIBILITIES:

      Leadership

• Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals.
• Partner with leaders both inside and outside the organization to develop deep, strategic relationships while driving results aligned to Love’s strategic priorities
• Innovate using knowledge and awareness of industry trends to identify new opportunities
• Champion a culture of shared ownership and constant organizational evolution
• Enable a high performing team culture that is characterized by exceptional customer service, innovation, financial discipline, operational excellence, and continuous improvement
• Manages and mentors a top-performing security team, fostering professional growth
• Partner with individuals, teams, and organizations to drive value and meaningful result

      Cybersecurity Strategy

• Shape the information security strategy, aligning it with organizational priorities, securing stakeholder support, and defining the operating model in line with risk management
• Develop, implement and monitor a comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization
• Oversee the Identity Management function withing IT and works with various stakeholders across the company to align technical capabilities with business needs

      Risk Management

• Develop a consultative relationship with line-of-business leaders, Enterprise Risk Management, Audit, Legal and HR management teams to ensure alignment as required
• Manage information security risk of business growth initiatives by partnering with business leaders and IT business relationship managers throughout the company
• Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls
• Works effectively with business units to facilitate information security risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite
• Create and manage a unified and flexible, risk-based control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations
• Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals.

Budget

• Manage the cost-efficient information security organization, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring (and conducting background checks), training, staff development, performance management and annual performance reviews
• Facilitate and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.

      Reporting and Communication

• Establish and maintain a metrics and reporting framework, measuring program efficiency, effectiveness, and resource allocation while enhancing information security maturity. Regularly reports program status to stakeholders at executive and board levels to increase cybersecurity awareness, maintain support, and assess outcomes

      Security Architecture

• Liaise with a variety of IT teams to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design

      Security Posture

• Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies
• Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks
• Monitor the external threat environment for emerging threats, and advises relevant stakeholders on the appropriate courses of action
• Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals.
• Coordinate and participate in security audits, assessments, and penetration testing to validate the effectiveness of security controls

      Security Awareness

• Direct the creation of an information security awareness training program for all employees, contractors and approved system users, and establishes metrics to measure the effectiveness of this security training program for the different audiences
• Integrate security into the project delivery process by providing and promoting the adoption of information security policies, practices, and guidelines. This includes the development, socialization, approval, and implementation of security policies.

      Vendor Risk Management

• Create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
• Ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations
• Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk

      Incident Response

• Coordinate the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support and in-house consulting in these areas
• Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation

      EDUCATION & EXPERIENCE:

•        Demonstrated experience and success in senior leadership roles in risk management, information security, and IT or OT security
• Knowledge and understanding of relevant legal and regulatory requirements, such as:  Payment Card Industry/Data Security Standard, HIPPA, State & Federal data privacy laws, and International data privacy laws
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as those from NIST, including 800-53 and Cybersecurity Framework
• Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
• Up-to-date knowledge of methodologies and trends in both business and IT

• Degree in business administration or a technology-related field, or equivalent work- or education-related experience
• Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials is preferred
• Experience successfully executing programs that meet the objectives of excellence in a dynamic business environment is preferred
• Experience with contract and vendor negotiations is preferred

      SKILLS:

• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
• Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
• Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist
• Excellent stakeholder management skills
• Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
• Poise and ability to act calmly and competently in high-pressure, high-stress situations
• High degree of initiative, dependability and ability to work with little supervision while being resilient to change
• High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
• Has good judgment, a sense of urgency and has demonstrated commitment to high standards of ethics, regulatory compliance, customer service and business integrity.
• Ability to listen, build rapport, and develop credibility as a strategic partner
• Know when to push an agenda and when to let a situation quietly develop, rest, or advance
• Strong soft skills such as humility, active listening, creativity, and diplomacy

PHYSICAL DEMANDS:

• Requires prolonged sitting, some bending and stooping.
• Occasional lifting up to 25 pounds.
• Manual dexterity sufficient to operate a computer keyboard and calculator.
• Requires normal range of hearing and vision.
• Possible on-call availability.

#LI-Onsite

Job Function(s): Corporate 

Love’s Travel Stops & Country Stores is the industry-leading travel stop network in the United States. For more than 55 years, we’ve provided customers with highway hospitality and “Clean Places, Friendly Faces.” We’re passionate about serving drivers with clean, modern facilities stocked with fuel, food and supplies. We offer meals from popular restaurant chains, trucking supplies, showers and everything needed to get back on the road quickly. The Love’s Family of Companies includes:

• Gemini Motor Transport, one of the industry’s safest trucking fleets
• Speedco, the light mechanical and trucking service specialists
• Musket, a rapidly growing, Houston-based commodities supplier and trader
• Trillium, a Houston-based alternative fuels expert