Expert, Information Security Third Party Risk Management

4 weeks ago


Montreal, Canada CN Full time
Job Summary

The purpose of this role is to maintain and grow an industry leading Information Security Third Party Risk Management (TPRM) practice to support the mission of empowering the business by building resilience against evolving cyber threats. This will include program governance, policy and guideline development, risk assessments, information protection contract clauses, continuous monitoring, compliance assessments, regulatory compliance assurance, due diligence and selection processes, technology and tool development and maintenance, cloud transformation, and stakeholder awareness and communication.

This role oversees the development and operations of the third-party security function within CN’s Chief Information Security Office (CISO). It interfaces with a variety of senior stakeholders within I&T and the business in order to develop and influence the required changes for the management of third-party security risks originating from suppliers, customers, subsidiaries, and cloud-based technology tools and platforms, to a level that is manageable and aligned to CN’s business risk tolerance. They are a senior resource with an understanding of how to apply deep technical knowledge while coordinating activities between multiple internal groups and third-party organizations to enable business objectives by ultimately managing risk to a level that is acceptable for the organization.

Main Responsibilities

Practice Development and Planning

•Align third party information security with organizational business goals

•Oversee a broad range of Information Security activities related to third party suppliers, solutions, subsidiaries and customers, including large outsourcing initiatives (I&T infrastructure and help desk managed services)

•Develop and maintain a set of policies & guidelines specific to protecting CN's assets where they are accessed or managed by third parties

•Create and maintain a TPRM practice, including a framework for evaluating and managing third party risk

•Ensure information security requirements are integrated with procurement processes

•Proactively monitor emerging trends and evolving threat landscapes to identify innovative ideas that would position CN to be an industry leader

Operation and Execution

•Identify, assess, and report critical and high risks involving third parties

•Manage and escalate incidents such as material control weaknesses and security breaches, working with the Security Operations Centre (SOC) as required

•Report critical non-compliances and high risks to the appropriate business stakeholders

•Write and negotiate contractual terms internally and with external partners and suppliers to ensure CN’s business goals are met relating to information security

•Ensure CN's Information Security policies & guidelines related to third parties meet regulatory requirements for security and privacy protection (TSA directives, CCSPA requirements, privacy bills, etc.)

•Enhance existing processes through innovation and continuous improvement

Subject Matter Expertise

•Drive action across various internal and external stakeholders by communicating technical and process requirements

•Provide leadership and expertise on matters relating to third party information security to various internal stakeholders, including I&T, Procurement, Internal Audit, Legal, Facilities Management, and Insurance teams

•Discover and bring to light innovation opportunities and influence other groups to support and implement changes that will generate business value

•Mentor resources, provide knowledge transfer, and delegate support tasks

Organizational Impact

Decision Making & Impacts

The Expert, Information Security Third Party Risk Management implements the governance, risk, and compliance capabilities required to bring Information Security risks involving third party suppliers, solutions, subsidiaries, and customers to the acceptable levels required to enable the organization to achieve its business objectives.

To achieve this they conduct strategic planning, create and maintain processes and tools, and coordinate activities between various internal teams and external organizations.

Level of Interaction/Influence

The Expert, Information Security Third Party Risk Management influences and drives action among various areas within the organization, including Legal, Procurement, Internal Audit, Facilities Management, Insurance, and different areas within I&T. They also drive action within external subsidiaries, suppliers, and customers.

This would include incorporating Information Security requirements into procurement processes, ensuring I&T asset inventory systems include relevant data, influencing behaviours of Solution Architects to identify and mitigate high risks, negotiating contractual terms with Legal and Facilities Management, providing expertise to Internal Audit and Insurance teams, issuing Cybersecurity Policies and conducting compliance monitoring activities on subsidiaries, influencing external agencies and service providers to better align to CN’s needs, working with customers on Information Security requirements and posture, and many other interactions with various internal and external stakeholders.

Requirements

Education/Certification/Designation

•Degree in Computer Science, Information Systems or other related field, or equivalent work experience

Skills/Knowledge

•Broad skillset and depth of expertise in technical areas of information security and how they impact business objectives

•Demonstrated capability to understand the security implications of complex business operations and how they are linked to technological solutions that provide practical risk mitigation and business enablement

•Good knowledge of existing and emerging technologies and architecture principles involved in complex information and technology systems

•Significant and proven experience in applying a structured approach to problem resolution

•Sufficient knowledge on matters relating to third party information security

•Excellent written and verbal communication skills as well as business acumen

•Detail-oriented self-starter with a high level of commitment and personal motivation

•Knack for prioritizing tasks and working in a fast-paced environment

•Able to learn quickly to keep pace with rapidly evolving technology and cybersecurity environments

•Able to lead initiatives to completion with minimal management oversight

•Able to communicate in a clear, concise manner

•Experience with contract and supplier negotiations

•Able to multi-task and work effectively across multiple organizational units

•Security assessment experience

•Strong understanding of security frameworks including NIST CSF, NIST SP 800-53, and ISO/IEC 27001

•Strong understanding of regulatory requirements including SOX, PIPEDA, HIPAA and TSA

•Deep understanding of security threat landscape

•Ability to translate complex technical topics into simple business language for business audiences

•Experience developing and delivering executive level presentations

•Relationship management skills

•Experience dealing with third parties

•Strong process orientation

•Recognized security certifications (CISSP, CISM, CRISC, CISA)

Experience

•Minimum 5 years' experience in Information Security

•10+ years of I&T experience or 5+ years in a similar role

•10-15 years overall work experience

Assets

•Knowledge of railway systems

•Good understanding of Cloud Computing

•Understanding of both IT and OT systems

Working Conditions

Occasional business travel (Canada and US) in accordance with CN policy

This position is posted as a grade LEVEL 7. For internal candidates, note that the grade level of the position may adjust based on the employee's experience.
