Expert, Information Security Third Party Risk Management

4 weeks ago


Old Toronto, Canada Canadian National Railway Company Full time

At CN, we work together to move our company—and North America—forward. Be part of our Information & Technology (I&T) team, a critical piece of the engine that keeps us in motion. From enterprise architecture to operational technology, our teams use the agile methodology to automate and digitize our railroad ensuring our operations run optimally and safely and our employees can focus on value-added tasks. You will be able to develop your skills and career in our close-knit, safety-focused culture working together as ONE TEAM. The careers we offer are meaningful because the work we do matters. Join us.

Job Summary

The purpose of this role is to maintain and grow an industry leading Information Security Third Party Risk Management (TPRM) practice to support the mission of empowering the business by building resilience against evolving cyber threats. This will include program governance, policy and guideline development, risk assessments, information protection contract clauses, continuous monitoring, compliance assessments, regulatory compliance assurance, due diligence and selection processes, technology and tool development and maintenance, cloud transformation, and stakeholder awareness and communication.

This role oversees the development and operations of the third-party security function within CN’s Chief Information Security Office (CISO). It interfaces with a variety of senior stakeholders within I&T and the business in order to develop and influence the required changes for the management of third-party security risks originating from suppliers, customers, subsidiaries, and cloud-based technology tools and platforms, to a level that is manageable and aligned to CN’s business risk tolerance. They are a senior resource with an understanding of how to apply deep technical knowledge while coordinating activities between multiple internal groups and third-party organizations to enable business objectives by ultimately managing risk to a level that is acceptable for the organization.

Main Responsibilities

Practice Development and Planning

• Align third party information security with organizational business goals

• Oversee a broad range of Information Security activities related to third party suppliers, solutions, subsidiaries and customers, including large outsourcing initiatives (e.g. I&T infrastructure and help desk managed services)

• Develop and maintain a set of policies & guidelines specific to protecting CN's assets where they are accessed or managed by third parties

• Create and maintain a TPRM practice, including a framework for evaluating and managing third party risk

• Ensure information security requirements are integrated with procurement processes

• Proactively monitor emerging trends and evolving threat landscapes to identify innovative ideas that would position CN to be an industry leader

Operation and Execution

• Identify, assess, and report critical and high risks involving third parties

• Manage and escalate incidents such as material control weaknesses and security breaches, working with the Security Operations Centre (SOC) as required

• Report critical non-compliances and high risks to the appropriate business stakeholders

• Write and negotiate contractual terms internally and with external partners and suppliers to ensure CN’s business goals are met relating to information security

• Ensure CN's Information Security policies & guidelines related to third parties meet regulatory requirements for security and privacy protection (e.g. TSA directives, CCSPA requirements, privacy bills, etc.)

• Enhance existing processes through innovation and continuous improvement

• Drive action across various internal and external stakeholders by communicating technical and process requirements

• Provide leadership and expertise on matters relating to third party information security to various internal stakeholders, including I&T, Procurement, Internal Audit, Legal, Facilities Management, and Insurance teams

• Discover and bring to light innovation opportunities and influence other groups to support and implement changes that will generate business value

• Mentor resources, provide knowledge transfer, and delegate support tasks

Organizational Impact

Decision Making & Impacts

The Expert, Information Security Third Party Risk Management implements the governance, risk, and compliance capabilities required to bring Information Security risks involving third party suppliers, solutions, subsidiaries, and customers to acceptable levels required to enable the organization to achieve its business objectives.

To achieve this they conduct strategic planning, create and maintain processes and tools, and coordinate activities between various internal teams and external organizations.

Level of Interaction/Influence

The Expert, Information Security Third Party Risk Management influences and drives action among various areas within the organization, including Legal, Procurement, Internal Audit, Facilities Management, Insurance, and different areas within I&T. They also drive action within external subsidiaries, suppliers, and customers.

This would include incorporating Information Security requirements into procurement processes, ensuring I&T asset inventory systems include relevant data, influencing behaviours of Solution Architects to identify and mitigate high risks, negotiating contractual terms with Legal and Facilities Management, providing expertise to Internal Audit and Insurance teams, issuing Cybersecurity Policies and conducting compliance monitoring activities on subsidiaries, influencing external agencies and service providers to better align to CN’s needs, working with customers on Information Security requirements and posture, and many other interactions with various internal and external stakeholders.

Requirements

Education/Certification/Designation

• B.S. degree in Computer Science, Information Systems or other related field, or equivalent work experience

Skills/Knowledge

• Broad skillset and depth of expertise in technical areas of information security and how they impact business objectives

• Demonstrated capability to understand the security implications of complex business operations and how they are linked to technological solutions that provide practical risk mitigation and business enablement

• Good knowledge of existing and emerging technologies and architecture principles involved in complex information and technology systems

• Significant and proven experience in applying a structured approach to problem resolution

• Sufficient knowledge on matters relating to third party information security

• Excellent written and verbal communication skills as well as business acumen

• Detail-oriented self-starter with a high level of commitment and personal motivation

• Knack for prioritizing tasks and working in a fast-paced environment

• Able to learn quickly to keep pace with rapidly evolving technology and cybersecurity environments

• Able to lead initiatives to completion with minimal management oversight

• Able to communicate in a clear, concise manner

• Experience with contract and supplier negotiations

• Able to multi-task and work effectively across multiple organizational units

• Security assessment experience

• Strong understanding of security frameworks including NIST CSF, NIST SP 800-53, and ISO 27001

• Strong understanding of regulatory requirements including SOX, PIPEDA, HIPAA and TSA

• Deep understanding of security threat landscape

• Ability to translate complex technical topics into simple business language for business audiences

• Experience developing and delivering executive level presentations

• Relationship management skills

• Experience dealing with third parties

• Strong process orientation

• Recognized security certifications (e.g. CISSP, CISM, CRISC, CISA)

Specific skills per speciality

Experience

• Minimum 5 years experience in Information Security

• 10+ years of I&T experience or 5+ years in a similar role

• 10-15 years overall work experience

• Knowledge of railway systems

• Good understanding of Cloud Computing

• Understanding of both IT and OT systems

Working Conditions

Occasional business travel (Canada and US) in accordance with CN policy

This position is posted as a grade LEVEL 7. For internal candidates, note that the grade level of the position may adjust based on the employee's experience.

About CN

CN is a world-class transportation leader and trade-enabler. Essential to the economy, to the customers, and to the communities it serves, CN safely transports more than 300 million tons of natural resources, manufactured products, and finished goods throughout North America every year. As the only railroad connecting Canada’s Eastern and Western coasts with the Southern tip of the U.S. through a 19,500 mile rail network, CN and its affiliates have been contributing to community prosperity and sustainable trade since 1919. CN is committed to programs supporting social responsibility and environmental stewardship. At CN, we work as ONE TEAM, focused on safety, sustainability and our customers, providing operational and supply chain excellence to deliver results.

For internal candidates, note that the grade level of the position will depend on the employee's experience.

CN requires that all employees be fully vaccinated against COVID-19 and provide proof thereof as a condition of employment. The Company’s vaccination mandate extends to employees of our wholly owned subsidiaries as well as CN’s contractors, consultants, agents and suppliers and anyone who accesses CN properties in Canada.

CN is an employment equity employer and we encourage all qualified candidates to apply. We thank all applicants for their interest, however, only candidates under consideration will be contacted. Please monitor your email on a regular basis, as communication is primarily made through email. 

FAQ
Check here for answers to your CN hiring questions.

Applying for a Job at CN

Does CN offer entry-level positions?

Yes, we have many positions ranging from entry to senior levels, both in the field and in corporate and IT functions. All available positions are posted onto our Careers website.

Does CN hire students, interns, and new graduates?

Yes, Internship opportunities are posted onto our Careers website, when available.

What's the best way to apply for a position at CN?

Search and apply for a job on our Careers website. Once you’ve created a profile you’ll be able to apply for additional openings and view the status of your application(s). We do not accept resumes by email, fax or mail.

Can I apply for more than one job at the same time?

Yes, feel free to apply to any jobs you're qualified for.

What is the rehire process for former CN employees?

The application process for a former CN employee is the same as for all other candidates.

Does CN accept foreign applicants?

CN requires that applicants be legally eligible to work in Canada or the US. This includes Citizens, Permanent Residents, or anyone in possession of a work permit with certain conditions. At this time, CN does not provide immigration assistance to foreign applicants.

My Job Application

What is my application status?

To see your application status, go to our Careers website and login to your candidate profile. It may take some time before your status is updated, as we receive a high volume of applications on a daily basis. If you are being considered for a job, you will be contacted by a member of our Recruitment Team.

Can I withdraw an application?

Yes, if you change your mind about a particular job, you may withdraw your application at any time. If you've already received a job offer, you can simply decline it.

I completed an Online Assessment, what are my next steps?

The Recruitment Team will notify you by email whether or not you will be moving on to the next step of the recruitment process, based on your online assessment results. If successful, you will be invited to the next available recruitment session hosted in the location you have applied to. Keep in mind that it can take several weeks before a session becomes available.

I was unsuccessful with the online assessment - how long must I wait before I can re-apply?

You will have to wait a period of 6 months before you are eligible to re-apply to a position that requires the same testing.

I am having technical difficulties with the online assessment.

For online assessment troubleshooting and support please contact cnrecruitment@cn.ca.

I was not selected for a job and would like feedback on my application.

Due to the high number of applications we receive, we cannot provide feedback as to why each candidate was not progressed.

Using our career site

How do I create a Careers profile?

Click the Create a Profile button in the upper right-hand corner of our Careers website and complete the form and captcha.

Can I edit previously submitted cover letters, resumes, and/or documents?

No, once an application has been submitted, you cannot upload additional documents, revise questions, nor replace the existing resume or letters attached to that application.

I forgot my password.

If you forgot your password or need to create a new one, click on the Forgot Password link. Enter your User Name or User ID, and an email containing your password will be sent to you. Be sure to check your inbox, spam, and junk folders for the password recovery email. If you do not receive the password recovery email within 24hrs, contact your Talent Acquisition Advisor directly or send an email to cnrecruitment@cn.ca.

For all other technical issues

If you are experiencing technical difficulties with our Careers website, send us an email at cnrecruitment@cn.ca describing the technical issue(s) in detail and provide us with screenshots so that we can better assist you.
