Develops strategy and oversight to ensure AARP's applications and infrastructure are designed, built, and implemented to the highest security standards to meet and exceed constituents' expectations of security and privacy. Oversees the Governance, Risk, and Compliance (GRC) and Threat and Vulnerability Management (TVM) programs and will be expected to establish the programs’ long-term strategy and vision, oversee the execution of all initiatives related to the programs, and align with the overall objectives of the organization.
- Identifies security gaps and risks and develops mitigation plans.
- Leads the GRC program and associated reporting, risk discovery, and risk prioritization efforts.
- Leads the Threat and Vulnerability Management program, including oversight of third parties managing daily TVM activities, such as scanning, reporting, and remediation.
- Leads the development and interpretation of security policies and procedures.
- Develops quantitative risk insights to senior management to ensure data-driven decision making for future investments and initiatives
- Evaluates the design and effectiveness of the information security control environment, both operational and technical.
- Assists in security compliance efforts (e.g., CIS-CSC) and anticipates new compliance requirements.
- Works closely with legal, compliance, finance, and internal audit on issues and projects.
- Evaluates and recommends new and emerging security products and technologies.
- Stays current on emerging security threats, vulnerabilities, and controls.
- Evangelizes security within AARP and serves as an advocate for member trust.
- Engages with business unit stakeholders and partners to identify information security solutions required to meet organizational, regulatory, and strategic security requirements and objectives.
This role is highly technical and requires knowledge of a broad spectrum of information security domains, including, but not limited to, threat and vulnerability management, compliance and audit, incident management, policy development, and infrastructure security. Requires a high degree of autonomy and internal judgment for programs under the individual's umbrella. Is expected to lead cross-functional teams to ascertain risks, provide insight into existing and emerging technologies, to recommend solutions to management, and have input into the overall information security strategy of the organization. Will have decision-making authority for any element relating to the programs for which they are accountable and to those of junior staff. Will be required to outline the strategy for the information security program, establish ownership of individual initiatives, and drive initiatives to completion. Is expected to interact with multiple partners in both technology and business units to communicate, drive, and deliver on their respective domains. Will be a key function in the organization and will impact not only the team's long-term success, but will ensure constituents' trust in AARP remains resolute.
- 8+ years of relevant information security experience, with 2-3 years of experience leading a GRC program and 2+ years of experience leading a TVM program. Certification in information security a plus (SANS, GIAC, CISSP, etc.).
- Knowledge of information security frameworks, such as ISO 27001/2, NIST, and CSC.
- Experience in threat modeling and risk assessment approaches.
- Experience managing a TVM program and its associated functions.
- Knowledge of quantitative risk measurement processes.
- Experience in identifying security risks and driving them to remediation.
- Experience with GRC tools, such as RSA Archer.
- Extensive experience overseeing the use of security scanning tools, such as Qualys.
- Knowledge of information security regulations applicable to AARP organizations, i.e. HIPPA, PCI DSS, and various state/national privacy laws.
- Experience developing information security policies, procedures, and standards.
AARP offers competitive benefits with a 401K, 100% company funded pension plan, health, dental, vision and life insurance, STD/LTD, paid vacation and sick, and other benefits.