Chief Information Security Officer (CISO) Job at REI (Recreational Equipment Inc.), Seattle, WA

  • REI (Recreational Equipment Inc.)
  • Seattle, WA

Job Description

Overview:

The Chief Information Security Officer (CISO) will lead REI’s information security and privacy team and partner across the co-op to identify and manage risk in our technology, data and business practices. This leader will enable the co-op to excel as a digital forward retailer as REI continues to grow its member community. As the expert advisor for choices the co-op makes to reduce risk, this individual leads security architecture and engineering, vulnerability management, security portfolio and program management, security operations center, compliance, risk assessment and management, and identity and rights management. The CISO is the champion and advocate for IT security, raising awareness and understanding across technology and the organization, working closely with REI’s enterprise risk management and asset protection teams.

The CISO contributes to REI’s success by developing, recommending and leading planning, strategies, and implementation of REI’s IT security program to ensure that the IT environment (applications, infrastructure, SaaS, Cloud Services, on-premise datacenters…) is secure and protected from intentional or inadvertent alteration, disclosure or destruction. The CISO leads, coordinates, and collaborates with other IT leaders and staff to implement tools and processes throughout the security development lifecycle for intrusion detection and protection. This leader actively keeps abreast of new technology and IT service delivery methods to ensure REI is up to date with current IT security practices. Reporting to the Chief Technology Officer, this person will lead a team of ~25 information security professionals.

Responsibilities:

Key Responsibilities

 

  • As a member of the Leadership Team, develop and implement a comprehensive information security strategy aligned with the co-op business goals.
  • Collaborate with IT and business leaders to integrate security measures into all aspects of the organization, from planning to execution, aligned with company strategies and priorities.
  • Direct the development, recommendations and championing of IT policy, strategy, standards and procedures for information and system security, disaster recovery and business continuity. Oversee the IT Disaster Recovery and Business Continuity program, ensuring plans are in place and tested per policy.
  • Lead architecture and engineering, vulnerability management, security operations, compliance, and risk management.
  • Direct the Identity and Access Management organization, including day-to-day operations, governance, and strategies.
  • Accountable for identifying and assessing IT security-related issues currently and potentially impacting IT and business performance.
  • Oversee IT security architecture including but not limited to roadmaps, assessments, principles, standards and security development lifecycle. Align with Enterprise Architecture on architecture principles and standards.
  • Set, monitor, and enforce security elements within application, infrastructure and data architectures. Communicate and collaborate with all other IT disciplines regarding integration and effectiveness of information security measures.
  • Oversee the Security Operations Center and ensure effective intrusion detection, incident response and threat management aligned with best practices.
  • Oversee vulnerability management including scanning, testing, remediation, and reporting.
  • Accountable for consistent compliance with all applicable regulations, standards and controls (e.g., audit, PCI, data, vulnerability, disaster recovery, encryption, testing, privacy, etc.), collaborating with REI’s Enterprise Risk Management.
  • Conduct regular security assessments and audits to identify risks; develop and implement mitigating actions.
  • Lead and champion efforts to educate the organization on security threats and how they can be best prevented. Provide guidance and direction for the physical protection of information systems assets to other functional units.
  • Report to leadership on information security effectiveness and make recommendations to improve or optimize where required.
  • Actively participate in Technology strategic planning, applying current knowledge and future vision of technology and systems that will enable REI’s growth and performance objectives. Stay abreast of latest security trends, technologies and threats, and proactively implement best practices.
  • Report to Executive Leadership and Board of Directors on the effectiveness of the security program and recommend improvements.
  • Leveraging a strong financial acumen, develop budgets and forecasts, including staffing needs, tools and equipment, services, maintenance, and future projects. Effectively manage resources, spend and investments within set guardrails.
  • Lead and mentor a team of security professionals, fostering a culture of security awareness and continuous optimization.
  • Perform supervision, including hiring, firing, conducting performance reviews, setting performance goals, promotions, salary increases, developing team members, and managing performance and discipline.
  • Ensure the team, including both internal and 3rd parties, is properly skilled and staffed to handle the demand. Make recommendations to management regarding team composition and structure.
  • Guide the team in the analysis of business requests and needs to ensure effective utilization of staff, funding and other resources.
  • Perform vendor management and, in partnership with REI’s procurement function, play a lead role in vendor selection, performance management, and contracting for products, services and support.
  • Provide accurate, timely and relevant information about the status of information security projects, personnel and activities.

 

Essential Leadership Behaviors

 

The Essential Leadership Behaviors required by the future Chief Information Security Officer connect directly to the REI values, mission, strategy and the quadruple bottom line that measures REI’s success.

 

  • Team Leadership: inspire and motivate the security team, fostering professional growth and development.
  • Strategic Thinking: develop a vision and comprehensive strategies that create and sustain competitive advantage.
  • Collaboration & Influence: build strong relationships across the organization and at all levels; gain leadership support to drive security initiatives.
  • Results Orientation: mobilizing cross-functional teams as needed, ensure quality deliverables are achieved under tight deadlines.
  • Decision Making & Judgement: make difficult and informed decisions in a timely manner aligned with the company’s values, objectives and priorities.
  • Personal Leadership: lead by example, demonstrate continuous learning, take initiative, and show resilience in challenging times.
  • Co-op Way: lead the Co-op Way and act as role model for REI’s Leadership Behaviors at all times.

 

 

Professional Qualifications and Experience

 

The Professional Qualifications and Experience required by the future Chief Information Security Officer are imperative to the success of the candidate and the long-term success of the co-op. 

 

  • Education: Bachelor's degree in Information Security, Computer Science, or a related field; advanced degree strongly preferred.
  • Information security leadership experience: minimum of 15 years, with at least 5 years in a senior leadership role.
  • Industry experience: proven experience developing and implementing security strategies in a retail environment.
  • Security standards: strong knowledge of security frameworks, standards, and regulations (e.g., PCI, NIST). Relevant certifications (e.g., CISSP, CISM, CISA) are highly desirable.
  • Communication & Influence: excellent communication and interpersonal skills, extensive experience collaborating and influencing at all levels, including C-suite, to get things done.
  • High Performing Security Engineering and Operations Engineering Leadership: experience attracting, developing and challenging world class security engineering and operations talents across geographies with a passion for excellence.
  • Information Security and Privacy: deep information security and privacy experience for digital forward customer centric organizations.
  • Risk Assessment and Management: elevated risk assessment and management experience in large scale digital organizations collaborating with enterprise asset protection.
  • Change Management: experienced change agent to drive innovation and transformational change within organizations. Successfully managed large-scale IT transformations and enterprise-wide programs, winning hearts and minds.
  • Technology Strategy and Execution: experience developing, planning and implementing the company’s technology strategy, with special focus on execution and ensuring timely delivery, with a strong point of view on best practices.
  • Industry Trends & Best Practices: possesses a thoughtful point of view on industry trends impacting commerce, customer and employee experience. Has an informed perspective on best-in-class experiences and technologies.
Base Pay Range: USD $219,600.16 - USD $420,000.00 /Yr.
