Workday · 4 months ago
Chief Information Security Officer (CISO), Workday Government
Workday is a leading AI platform for managing people, money, and agents, and they are seeking a Chief Information Security Officer (CISO) for Workday Government. This role is pivotal in shaping and executing a comprehensive cybersecurity strategy tailored for federal government clients, ensuring compliance with stringent security requirements while building and leading a dedicated cybersecurity team.
Artificial Intelligence (AI), Cloud Computing, Enterprise Software, Human Resources, SaaS, Software
Responsibilities
Define and articulate the long-term federal cybersecurity vision and strategy, aligning with Workday's business objectives and federal agency requirements
Serve as the executive security liaison for federal agencies, building and nurturing high-trust relationships with key government security officials, auditors, and regulatory bodies
Advise the executive leadership team on critical federal cybersecurity risks, investments, and strategic initiatives
Champion a robust security culture across the organization, with a strong focus on federal compliance and best practices
Establish and chair a Security Governance Council across stakeholders to ensure alignment and effective decision-making
Act as the primary security point-of-contact for government customers, prime contractors, integrators, FedRAMP PMO, DISA, and agency sponsors, and actively participate in industry groups (e.g., ISACs, INSA, NIAC) and working groups for federal cybersecurity
Recruit, build, and lead a high-performing, dedicated federal cybersecurity team from its foundational stages. This includes defining roles, hiring top talent, and establishing effective team structures and processes
Architect, establish, and continuously mature a federal-compliant Security Operations Center (SOC). This involves selecting and implementing security tools, defining operational playbooks, establishing monitoring processes, and ensuring adherence to federal reporting requirements
Provide hands-on technical guidance and expertise to the team as needed, particularly during incident response, architectural reviews, and complex problem-solving
Mentor and develop cybersecurity professionals, fostering an environment of continuous learning and technical excellence tailored for federal security challenges
Direct and oversee comprehensive compliance with all relevant federal cybersecurity frameworks and regulations, including FISMA, FedRAMP (all levels, including High and IL4/Secret/Top Secret), NIST 800-53/800-171, CMMC (all levels), ICD 503, ITAR, CJIS, DFARS, OMB A-130, and other intelligence community directives
Lead and manage the end-to-end FedRAMP authorization process for all relevant Workday offerings, from initial strategy and documentation to security control implementation, continuous monitoring, and re-authorization efforts
Establish and enforce enterprise-wide federal risk management frameworks, conducting regular, advanced risk assessments and implementing mitigation strategies to protect highly sensitive government data and systems, and drive continuous risk assessment and mitigation
Assist in obtaining and maintaining Authority to Operate (ATO) for Workday Government offerings
Lead and manage audits and assessments by third-party or government agencies (e.g., GAO, DoD IG, DHS)
Ensure robust data loss prevention (DLP), access control mechanisms, secure disposal procedures, and advanced audit logging capabilities are implemented and continuously optimized for federal environments
Architect, implement, and continuously refine a sophisticated cyber defense strategy for all federal environments, including air-gapped and cross-domain solution (CDS) architectures
Oversee the development, implementation, and rigorous testing of federal-specific incident response and threat management plans, ensuring rapid, effective, and compliant resolution of security incidents within government sector operations, in line with FISMA/NIST SP 800-61
Coordinate with US-CERT, CISA, and government customers during major incidents
Maintain playbooks and conduct red team/blue team exercises
Direct comprehensive threat intelligence gathering and analysis pertinent to the federal landscape, proactively identifying and mitigating emerging threats, vulnerabilities, and nation-state actor activities
Ensure the SOC capabilities are optimized for federal compliance, including offline log analysis and secure data handling procedures
Participate in classified threat briefings, if cleared
Provide executive leadership and strategic guidance for the secure design, development, and deployment of Workday's SaaS solutions in federal environments, ensuring security-by-design principles are deeply embedded from conception
Design and maintain secure architectures (on-prem, cloud, hybrid)
Approve and oversee System Security Plans (SSPs) and RMF lifecycle activities
Enforce Zero Trust Architecture (ZTA) principles
Oversee vulnerability scanning and security operations (SIEM, SOAR)
Collaborate extensively with engineering, product development, and infrastructure teams to integrate cutting-edge security architectures that meet future-state federal requirements
Ensure secure coding practices and oversee STIG compliance and code scanning (SAST/DAST/IAST)
Support CI/CD pipelines with built-in security gates and interface with government DevSecOps teams
Collaborate closely with the Facility Security Officer (FSO) or Human Resources on personnel vetting and insider threat programs
Ensure proper handling of classified information, if applicable
Oversee background check compliance and clearance levels (public trust, secret, TS/SCI etc.)
Direct and manage all security audits, assessments, and continuous monitoring activities for federal systems, including rigorous penetration testing, vulnerability management, and third-party security reviews
Develop, author, and enforce robust security policies and procedures specifically tailored to federal regulations, federal environments, and industry best practices
Drive comprehensive security awareness programs for cleared and uncleared personnel
Conduct security training aligned with DoD/DHS requirements
Ensure secure development lifecycle (SDLC) for software built under federal contracts
Conduct supply chain risk assessments (per EO 14028, OMB, and NIST 800-161)
Ensure subcontractors and partners meet required controls (e.g., NIST 800-171 for CUI)
Report regularly on the federal cybersecurity posture to executive leadership and the Board (if applicable)
Provide all required reports to federal agencies, including FISMA scorecards, Plan of Action and Milestones (POA&M) updates, and incident reports
Qualifications
Required
Bachelor's degree in Computer Science, Cybersecurity, or a related technical field is required
Minimum of 15 years of progressive leadership experience in cybersecurity, with at least 7 years in a senior leadership or executive role specifically focused on federal government cybersecurity programs
Demonstrated executive-level experience in building and scaling cybersecurity teams, including establishing a Security Operations Center (SOC) from the ground up, with a clear focus on federal compliance
Proven executive-level experience leading and successfully managing multiple FedRAMP authorization processes (Moderate, High, and/or DoD IL4/IL5/IL6/Secret/Top Secret) for SaaS or cloud service offerings
Extensive hands-on and strategic knowledge of federal cybersecurity frameworks and regulations, including NIST SP 800-53, FISMA, CMMC (all levels), ICD 503, and classified environment security principles
Proven track record of designing, implementing, and operating security programs within secure network environments, including air-gapped and cross-domain solution (CDS) architectures
Deep technical and operational understanding of cloud security principles and best practices for highly sensitive federal data
Experience obtaining and maintaining government security clearances at the TS/SCI level with Counterintelligence Scope Polygraph
Executive-level communication and interpersonal skills, with a proven ability to engage effectively with senior government officials, C-suite executives, and technical teams
Preferred
A Master's degree or higher in a relevant discipline is strongly preferred
CISSP, CISM, or similar executive-level security certifications are highly desirable
Relevant federal-specific certifications (e.g., FedRAMP 3PAO experience, DoD 8570/8140 compliance, CMMC Assessor) are highly desirable
DoD 8570/8140 certifications (e.g., CISSP, GSLC) may be required if classified work is involved
Benefits
Workday Bonus Plan
Annual refresh stock grants
Company
Workday
Workday provides SaaS-based enterprise solutions for a company's human resources and financial management activities.
Funding
Current Stage: Public Company
Total Funding: $2.23B
Key Investors: Elliott Management Corp., New Enterprise Associates, Greylock
2025-09-16: Post-IPO Equity · $2B
2012-10-12: IPO
2011-10-24: Series F · $85M
Company data provided by crunchbase