Head of Cyber Risk and Compliance (Enterprise Technology Manager) jobs in United States

City of San José · 2 days ago

Head of Cyber Risk and Compliance (Enterprise Technology Manager)

The City of San José is seeking an experienced leader to serve as the Head of Cyber Risk and Compliance. This role focuses on Governance, Risk, and Compliance (GRC), Identity and Access Management (IAM), and Risk Management, providing senior-level leadership for cybersecurity governance and regulatory compliance.

Tags: Environmental Consulting · Innovation Management · Office Administration · Recycling
No H1B · Security Clearance Required · U.S. Citizen Only

Responsibilities

Represent the cybersecurity program in executive meetings, steering committees, and inter-agency collaborations
Collaborate with external partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice’s Federal Bureau of Investigation (FBI), and State agencies, on compliance, risk, and threat intelligence initiatives
Promote Citywide cybersecurity awareness programs, with emphasis on governance, risk, and compliance accountability
Lead the planning, execution, and delivery of complex cross-functional projects, ensuring alignment with organizational priorities and stakeholder expectations
Lead enterprise risk assessments, threat modeling, and business impact analyses by establishing standardized frameworks to evaluate organizational risk posture and align findings with enterprise objectives
Oversee cross-departmental collaboration to identify vulnerabilities, analyze threats, assess potential impacts, and translate results into actionable mitigation strategies that inform executive decision-making
Oversee regulatory compliance initiatives, ensuring continuous audit readiness and timely fulfillment of reporting requirements to meet federal, state, and industry standards
Provide governance and oversight to maintain adherence to applicable framework, regulatory, and certification requirements
Coordinate with internal and external auditors and deliver clear risk mitigation and compliance reporting to executive leadership and regulatory bodies
Integrate risk management processes into City projects, procurement, and vendor engagements
Collaborate with IT operations and emergency management teams on disaster recovery and business continuity planning
Lead the City’s cybersecurity GRC program, ensuring alignment with frameworks such as NIST CSF, ISO 27001, CJIS, PCI DSS, and other applicable standards
Develop, implement, and enforce Citywide cybersecurity policies, standards, and procedures
Provide metrics and dashboards on risk posture, policy adoption, and compliance to executive leadership
Direct the City’s IAM strategy, including identity lifecycle management, single sign-on (SSO), multi-factor authentication (MFA), and privileged access management (PAM)
Ensure secure onboarding, offboarding, and role-based access controls (RBAC) across City departments
Implement and govern Zero Trust principles to reduce insider and external access risks
Partner with IT and business units to advance identity governance and automation
Develop and maintain the enterprise Disaster Recovery Plan as well as information systems contingency plans for each system. Perform table-top exercises in accordance with City policy (e.g., every other year)

Qualifications

Governance, Risk, and Compliance (GRC) · Identity and Access Management (IAM) · Cybersecurity frameworks · Risk Management · Cloud Security · Regulatory Compliance · Cybersecurity Policies · Project Management · Multi-Tasking · Communication Skills · Leadership · Problem Solving

Required

Bachelor's degree from an accredited college or university with coursework in computer science, information systems, business administration, or closely related field
Seven (7) years of experience managing, maintaining, and implementing significant technology programs, computer system infrastructure and design, network operations, security design, application development and configuration, and system/service administration
Five (5) years of supervisory and project personnel management experience, of which at least two (2) years should be supervisory experience over a technical team
Possession of a valid State of California driver's license
Passing the San Jose Police Department (SJPD) background check is also a condition of employment
Seven or more (7+) years of experience in information security and/or compliance (FISMA, SOX, PCI, HIPAA, etc.), risk management, including threat modeling, vulnerability assessment, and/or incident response
Five or more (5+) years directly managing and leading cross-functional technical cybersecurity teams
Experience managing complex, multiple and/or cross-departmental/divisional projects at once
Skilled in program management, executive communication, and collaboration with internal stakeholders, external auditors, and partner agencies
Strong knowledge of regulatory frameworks and standards applicable to government, including NIST Cybersecurity Framework, NIST 800-53, CJIS, PCI DSS, and HIPAA
Proven ability to ensure audit readiness, manage internal controls, develop and enforce policies, and oversee third-party risk management programs
Ability to communicate security-related concepts to a broad range of technical and non-technical audiences, acting as a bridge between IT and business process owners
Experience working with third-party service providers in the delivery of outsourced cybersecurity contract services to augment and/or run cybersecurity programs and/or in assessing and selecting security tools
Strong understanding of cloud security, including familiarity with security challenges and solutions in cloud environments (Azure, Hyperconverged Infrastructure, private cloud, etc.)
Strong understanding of secure network architecture, VPNs, secure web gateways, firewalls, and network segmentation as it relates to risk mitigation
Familiarity with Identity and Access Management (IAM) operations, including access reviews, password management, multi-factor authentication (MFA), privileged account management, and other access controls
Familiarity with Identity and Access Management (IAM) authentication protocols and concepts, including SAML, SSO, LDAP, OAuth, OpenID, etc.
Possess and maintain a current, terminal-level cybersecurity credential such as: Certified Information Systems Security Professional (CISSP); Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); Certified in the Governance of Enterprise IT (CGEIT); Certified in Risk and Information Systems Control (CRISC); and/or an equivalent professional, industry-recognized certification acceptable to the City
Ability to obtain and maintain SECRET Security Clearance within a reasonable period of time acceptable to the City

Benefits

5% ongoing non-pensionable compensation pay

Company

City of San José

From its founding in 1777 as California's first city, San José has been a leader driven by its spirit of innovation.

Funding

Current Stage
Late Stage
Total Funding
$0.68M
Key Investors
Toyota Mobility Foundation · California State Coastal Conservancy
2024-08-01 · Grant · $0.26M
2023-06-28 · Grant · $0.42M

Leadership Team

Dr. Marcelo Peredo
Chief Information Security Officer
Ed Kim
Deputy Chief Information Officer
Company data provided by crunchbase