What are the responsibilities and job description for the Director - Information Security position at STAAR Surgical?
MAIN JOB RESPONSIBILITIES / COMPETENCIES
As the Director - Information Security within STAAR Surgical’s Information Technology team, this individual plays a critical role working closely with the business and across the Information Technology organization to define, deliver and support information security programs, procedures, technologies and the roadmaps that underpin them. In summary, this position provides leadership within the Information Security team; manages information security related budgets; works across the enterprise to identify, evaluate and resolve diverse and highly complex information security concerns; selects frameworks, methods and techniques for identifying security risks and advocating effective solutions; and develops and administers information security programs, schedules and performance criteria.
This role will be responsible for managing a team of information security professionals, including providing leadership, direction, guidance and mentoring to team members. In addition, this role will also have project management responsibilities.
• Directs the efforts of others in the achievement of the strategic and operational objectives of the group.
• Responsible for managing STAAR Surgical’s Information Security function, including:
o Works across the business and IT, at all levels of management, to define, establish, communicate and achieve strategic, tactical and operational objectives for the information security function.
o Defines, implements and monitors security strategies, policies, standards, guidelines and procedures, including: General IT Use Policies; BYOD policies; and IT general and technical controls and procedures in support of SOX compliance.
o Defines, implements and supports best-fit solutions for STAAR Surgical’s Information Security strategy.
o Effectively manages delivery of new Security technology through proper SDLC policies and procedures.
o Manages hiring and staffing to build and maintain a diverse and effective workforce.
o Responsible for career development, planning and performance discussions of team members.
o Influences individuals within and outside the IT department.
o Prepares and presents reports to all levels of leadership and staff.
o Establishes and maintains budgets, operational plans and performance requirements.
• Manages periodic user access reviews of in-scope SOX systems.
• Works with engineering and development teams to define and refine information security and systems management policies and settings.
• Works with Procurement and Internal Audit to develop a robust third-party security risk management program.
• Monitors and assesses vendor and 3rd party information security reports/lists.
• Evaluates new and emerging products and technologies and makes recommendations to leadership concerning the introduction of new technologies.
• Coordinates, administers, manages and monitors the use of access control systems, security tools and intrusion detection systems to identify anomalous events and security infractions that exploit system vulnerabilities, including dispositioning and reporting of events to relevant regulatory bodies in accordance with established policies and procedures.
• Integrates information security controls into an environment to identify and mitigate risks.
• Provides analysis of potential risk to information security and recommends solutions.
• Creates and maintains information security documentation.
• Communicates information security procedures to users.
• Reviews and recommends changes to information security policies, including STAAR Surgical IT use policies, Data Sensitivity, Privacy and Personally Identifiable Information Security Policies and procedures.
• Stays apprised of current and upcoming cybersecurity and privacy regulations to understand how they impact STAAR, including mapping these requirements to current data security projects and policies.
• Leads cross-functional teams that perform information security reviews and audits and review designs for information security issues.
• Acts as a subject matter expert and local leader for information security direction, training and guidance for less-experienced information security engineers.
• Instructs, directs, mentors, assigns and oversees work of less-experienced team members.
• Other duties as assigned.
REQUIREMENTS
EDUCATION & TRAINING
• Bachelor’s degree or equivalent combination of education/experience. Master’s degree preferred.
• Security professional certification required: CISSP (preferred), NIST, CISA, CISM, CEH.
EXPERIENCE
• 8-10 years relevant work experience.
• Experience in identifying and utilizing a global risk-based management model, and in applying and integrating globally accepted security standards.
• Experience implementing security technologies and capabilities, including: email security/gateways; Endpoint Detection & Response (EDR); Security Incident & Event Mgmt. (SIEM); Extended Detection & Response (XDR); Firewalls; Intrusion Detection & Prevention (IDS/IPS); Network Access Control (NAC); Data Classification and Loss Prevention (DLP); Configuration Mgmt. Controls; Identity Management; Privileged Access Mgmt. (PAM); Encryption at Rest/in Motion; Public Key Infrastructure (PKI); Vulnerability Mgmt.; and Security Operations Centers (SOC).
• Experience in engineering, implementing, configuring, administering and maintaining next-generation firewall solutions (e.g., Fortinet, Palo Alto, etc.).
• Experience in coaching and mentoring both team members and business partners.
SKILLS
• Possesses the expert knowledge, skills and abilities required to resolve the most complex privacy and information security concerns.
• Expert knowledge of cybersecurity practices, system development methodology, project management, analytical/problem solving skills and relevant development and technology skills.
• Clearly understands short and long-term business and IT goals & objectives, and aligns Security direction accordingly.
• Understands the impact of emerging IT and business trends and their implications for the security concerns of the company and its customers.
• Demonstrates strong understanding and knowledge of privacy compliance frameworks such as GDPR, CCPA and other international regulations.
• Expert knowledge implementing generally accepted information security frameworks such as CIS, CSA, COBIT, ENISA, NIST, etc.
• Advanced knowledge of network security and of technologies that pertain to communications, computer systems and related infrastructures.
• Has strong management and communication skills, technical depth, and a passion for cybersecurity and risk management to protect and defend the information assets of STAAR.
• Must possess excellent facilitation and communication skills, and be able to adapt to the level and nature of their audience.
• Ability to communicate in Japanese and/or Mandarin is a plus.
STAAR Surgical is an Equal Opportunity/Affirmative Action employer and all qualified applicants will receive consideration without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran or disability status, or any other characteristic protected by law.