Thanks for your interest in the Chief Information Security Officer position.
Unfortunately this position has been closed.
Qualifications
Stanford’s CISO will be an adaptable, innovative leader with the capacity to establish and deliver a measurable value proposition to campus partners and customers within the overall vision for Stanford’s role in advancing the university’s teaching, research, and healthcare mission. The CISO leads through trust, influence, subject-matter expertise, collaboration, and governance more than positional authority.
Success in the role requires a range of qualities and experiences and a core set of interpersonal skills that enable success in the university’s decentralized organizational environment:
- Undergraduate degree or equivalent combination of training, education, and experience
- 10 years of experience in information-security policy or operations
- Experience developing and managing information security programs and a proven track record of implementing organization-wide solutions that protect information assets
- A solid understanding of information security and data privacy concepts, threats, and technologies, including industry standards and best practices
- Knowledge of relevant legal and regulatory requirements related to data and information security
- A track record of advancing equity, inclusion, and diversity
- A track record of recruiting, directing, motivating, and guiding the development of a team of information security professionals
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security- and risk-related concepts to technical and non-technical audiences, including executive leadership and governing board members
- Comfort with ambiguity
- Experience in developing and implementing information security practices in a diverse, highly decentralized ecosystem
- Preference for experience leading in an academic environment
University IT
University Information Technology (UIT), a unit of Business Affairs, is responsible for the strategy, planning, and delivery of information technology, and for convening the IT leaders of Stanford University, Stanford Medicine, and SLAC organizations through the CIO Council to create an overarching IT-wide vision for the role of IT as well as for shared goals, standards, and ambitions established in the Campus IT Plan relative to the promise, potential, cost, and risks of information technology. Led by Steve Gallagher, University Chief Information Officer, UIT strives to maintain agility, anticipating and adapting to the needs of the university, evolving at the leading edge of the global technology landscape, and delivering on its commitment to being user-focused, collaborative, innovative, and transparent.
The divisions comprising UIT include:
- Client Experience and Solutions. User-facing services and associated enabling technologies. The front face of UIT service, helping clients acquire and use technology successfully.
- Enterprise Technology. Implements and maintains information systems that support university operations. In addition, this unit partners with schools, business units, and cross-functional groups to identify and implement efficient, cost-effective IT solutions.
- IT Infrastructure. All on-premise enterprise data center and communications facilities engineering, as well as all enterprise data networking, communications, and related supporting technologies.
- Research Computing. A joint effort with the Dean of Research and UIT to build and support a comprehensive program to advance computational research at Stanford. This includes offering and supporting traditional high-performance computing systems as well as systems for high-throughput and data-intensive computing.
- Service Strategy. Coordinates multiple integrated processes to support the proactive management of the UIT service portfolio, project management processes, vendor management services, and financial management.
- Information Security Office. Provides services to protect the information assets of importance to Stanford.
- Office of the CIO. Integrates and coordinates internal governing processes and a university IT governance framework, defines the organizational vision, develops and delivers strategic messaging and communication, and sustains alignment and consistency.
Office of the Chief Risk Officer
The Office of the Chief Risk Officer, a unit of Business Affairs, strives to be a valued partner and advisor to management, faculty, and the Audit, Compliance, and Risk Committee of the Board of Trustees.
The departments comprising OCRO include:
- Internal Audit. Provides independent, objective assurance and consulting services designed to add value and improve the operations of Stanford University and the Stanford University Hospitals. Brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- Ethics and Compliance. Coordinates the University’s ethics and compliance activities, including chairing the Compliance, Ethics and ERM Steering Committee and coordinating the activities of the Compliance Officers’ Network (now known as the Compliance and Risk Administrators Network). Assesses the adequacy of compliance activities, evaluates overall program effectiveness, and recommends and implements modifications to the program as necessary. Administers an Ethics and Compliance Helpline and oversees and coordinates investigations of potential misconduct. Reports results of ethics and compliance program activities to senior management and the Audit, Compliance and Risk Committee of the Board.
- Privacy Office. Promotes Stanford’s commitment to protecting the privacy of the University’s community including its students, alumni, faculty, staff, research participants, and affiliated parties.
- Office of Risk Management. Evaluates risk from the standpoint of the entire University, rather than a single department or area; eliminates or modifies conditions or practices, wherever practical, which may cause loss; assumes risks whenever the amount of potential loss would not significantly affect the University's financial position; and purchases insurance from whatever source (agent, broker, or insurance company) is deemed to be in the best interests of the University.
- Enterprise Risk Management. Coordinates the University’s enterprise risk management efforts to provide a framework and processes for the identification, assessment, mitigation and monitoring of risks to the achievement of the University’s mission and goals.
- Information Security Office (dotted line). Provides services to protect the information assets of importance to Stanford.
The job duties listed are typical examples of work performed by positions in this job classification and are not designed to contain or be interpreted as a comprehensive inventory of all duties, tasks, and responsibilities. Specific duties and responsibilities may vary depending on department or program needs without changing the general nature and scope of the job or level of responsibility. Employees may also perform other duties as assigned.
Consistent with its obligations under the law, the University will provide reasonable accommodation to any employee with a disability who requires accommodation to perform the essential functions of his or her job.
Stanford is an equal employment opportunity and affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law.