Manager, Information Security

**Position**:Manager, Information Security & Compliance (CISO)

**Location**: Markham

**Details**: Full-time, hybrid

**The Company**:
Founded over 100 years ago in 1921, Black & McDonald is an integrated, multi-trade service provider that safely delivers high-quality construction, facilities management, and technical solutions to government, institutional and industry clients. We are a forward-thinking organization with a strong track record of delivering customer-focused solutions and operational excellence.

**Position Overview**:
Reporting to the Vice President, IT and collaborating closely with the senior leadership, the Manager Information Security & Compliance (Black & McDonald's **CISO**) is **accountable for the enterprise information security program and related compliance and governance structures**

The CISO ensures security programs are in place to mitigate cyber risks, comply with regulatory requirements and to respond to incidents if/when they occur. In this position you will manage an IT team responsible for implementing programs as well as day-to-day security operations.

**Key Accountabilities**:

- Leads information security and compliance function.
- **Develops and implements information security management program** in accordance with recognized security and technology governance frameworks such as CIS, ISO and COBIT and in alignment with business priorities.
- Collaborates with the VP, IT and other senior executives and officers to provide leadership, operational expertise and strategic direction to the organization and all operational teams.
- Reviews IT and security governance structures, processes, & procedures to prevent security breaches, major incidents, and non-compliance with regulatory requirements.
- **Monitors and conducts ongoing assessments** of security standards necessary for breach prevention, detection, and remediation.
- Assesses security infrastructure, cloud environments, including access management, firewall protection, and vulnerability assessment and testing and makes recommendations for improvement.
- Provides reports to executive management and other stakeholders on IT and security matters,
- Delivers user education programs on security to support compliance objectives and improve security awareness.
- Implements security incident response plans and serves as the response lead during incidents.
- Facilitates development of IT and security policies, standards and procedures and performs ongoing assessments to ensure continuous improvement and reports on compliance.
- Contributes to the **business strategies and plans**, bringing security and governance expertise; ensures the security strategies align with the company's strategic goals.
- Provides mentorship, staff development and participates in succession planning.
- Coaches and develops team members on risk management.
- Manages other initiatives as required.

**Education and Qualification Requirements**:

- Post-secondary education in IT or a suitable combination of education and experience.
- Industry certifications such as **CISSP, CCSP, CISA, CISM or similar are expected**.
- Knowledgeable in frameworks such **as COBIT 5, ISO 27002, and ITIL** and using these to assess and address IT governance and control gaps in organizations.
- Ability to develop policies and procedures relating to IT/security governance and educate IT colleagues on governance and controls issues, particularly segregation of duties, documentation standards required, audit logs and audit trails, etc.
- Proven experience in overseeing/developing IT security architecture and security improvement roadmaps.
- Experience with cloud computing environments
- Exposure with various security tools and methodologies, including network security, vulnerability management, vulnerability & penetration assessments, anti-malware, and endpoint security management.
- Ability to keep current with IT security developments and vulnerabilities.
- Proven experience in relationship and stakeholder management.
- Ability to obtain background checks and disclosure of personal and financial information if needed for access to restricted parts of our IT infrastructure.