Business Information Security Manager

Are you interested in managing a team that partners with technology leaders and supported business areas to provide thought leadership and information security guidance on a wide array of business strategy objectives for a fortune 200 company? If so, then we are looking for you!


We are currently seeking a highly motivated and qualified individual to join our IT Risk Management team in Richmond, VA as a Business Information Security Manager - BISM. The successful candidate will function in this role to support various business services and operating companies. We are open to remote working arrangements.


Responsibilities Include:
• Representing the Chief Information Security Officer (CISO) to Altria's business lines and/or operating companies, delivering comprehensive risk assessment and mitigation strategies crafted to improve the overall cybersecurity posture of the company.
• Managing the Business Information Security Officer (BISO) team in the delivery of comprehensive cyber services to improve risk understanding and cyber-strategies across the enterprise (e.g. corporate risk metrics)
• Crafting and managing a strategy, along with quality control, of routine BISO briefings to business executives on cybersecurity threats, initiatives and open risks. Managing BISO expectations to serve as liaisons to gather information on technology strategies within support business lines
• Interpreting information security policies, standards (i.e. NIST, CIS, OWASP, etc.), and other requirements with respect to specific internal information systems and assisting with the implementation of these and other information security requirements.
• Supporting the BISOs in providing business and technical advice on a variety of IT risk issues, concerns, problems, and projects ensuring all business processes incorporate adequate information security
• Developing and presenting security and compliance requirements to technology and system owners and key business partners in support of business-area initiatives
• Providing users and management with security guidance for selecting technology products, as well as ongoing integrations and improvements of such products
• Assessing and qualifying risk related to third party service providers and supporting the Supplier Risk Management program, including driving remediation of findings and supporting contract negotiations.
• Providing support for the Threat and Vulnerability Management program, including web application security, in-house IT environments and cloud-based infrastructure, driving risk insights via reporting in support of effective vulnerability management.
• Serving as a technical leader for periodic information system and application risk assessments, including those associated with the development of new or significantly improved business applications.
• Monitoring current and proposed laws, regulations, industry standards and ethical requirements related to IT risk, information security and privacy
• Providing support for internal security assessments and corporate audit assessments, including active engagement in high-risk auditable areas, risk management and remediation of audit findings, and ongoing information security governance.
• Ensuring BISOs serve as the SME for technology operating in their supported business lines, establishing strong working relationships with IT professionals supporting those systems, and supporting effective incident response.


Key Qualifications:
• Bachelor's degree in Computer Science, Information Systems, Engineering or related subject area
• 10+ years of IT experience with 6+ years in an IT risk or information security role.
• Broad knowledge of IT technologies, operating systems, application platforms and emerging technology.
• Detailed understanding of IT information security fundamentals, risk assessment and risk management fundamentals, defense-in-depth practices, modern networking technologies and IT security controls.
• Agile development practices (e.g. SecDevOps)
• Payment Card Industry Data Security Standard (PCI DSS) compliance
• NIST security controls frameworks, including the NIST Cyber Security Framework
• Excellent verbal and written communication and interpersonal skills.
• Certified Information System Security Professional (CISSP), Certified Information System Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or similar certification desired.