Chief Information Security Officer


Title: Chief Information Security Officer

Location: Denver

Job Summary

Gibson Dunn is a leading global law firm, advising clients on significant transactions and disputes. Our exceptional teams craft and deploy creative legal strategies that are meticulously tailored to every matter, however complex or high-stakes. The firm’s work is distinguished by a unique combination of precision and vision.

Gibson Dunn is looking for a Chief Information Security Officer. The CISO will lead Gibson Dunn’s cybersecurity team tasked with protecting the digital assets and data of a global law firm with twenty offices in eight countries serving the world’s most sophisticated organizations.  The CISO will be responsible for three key areas to ensure a secure yet operationally efficient environment for our world-class team: (i) cybersecurity governance and risk management; (ii) cybersecurity program management; and (iii) incident response and coordination.  The CISO is responsible for oversight of people, processes, technology, and governance of the cybersecurity program.

The Chief Information Security Officer (CISO) is a senior member of the Firm’s leadership team with a critical role in ensuring the security and operational excellence of Gibson Dunn, a leading global law firm with twenty offices across the United States, Europe, the Middle East, and Asia.  The CISO manages and directs all aspects of Gibson Dunn’s cybersecurity strategy and program, ensuring the security and secure integration of technical applications as well as the confidentiality, availability, and integrity of Firm data and client data entrusted to the Firm.  The CISO is responsible for developing, implementing, and maintaining reasonable risk-based administrative, technical, and physical safeguards across a global infrastructure, inclusive of vendor management.  The CISO is a core member of the Firm’s incident response team, and plays a leading role in ensuring preparedness and world-class response to security events.

A collaborative team player and thought partner, the CISO works closely and constructively with other senior leaders, colleagues, clients, and vendors.  The CISO oversees and coordinates security efforts across the Firm, including close coordination with information technology, legal, human resources, communications and marketing, facilities management, and other internal teams to identify, prioritize, and implement security initiatives and standards.

A senior executive, the CISO demonstrates exceptional technical expertise and knowledge of relevant industry standards and certifications, as well as strong understanding of relevant legal requirements and their application, exceptional judgment, and the executive leadership skills to develop, implement, maintain, and adapt a comprehensive cybersecurity program to ensure the security of the Firm in a complex and evolving threat landscape.

This position is open to all U.S. office locations of Gibson Dunn.

Responsibilities include:

Cybersecurity Governance and Risk Management

  • Develop and implement the Firm’s comprehensive cybersecurity strategy, reflecting the Firm’s operational drivers and desired business outcomes, risk tolerance, and evolving risks, threats, and vulnerabilities.
  • Develop senior leader awareness and buy-in of cybersecurity program and initiatives, including reporting to leadership on cyber initiatives and strategy, program assessments, changes to risk profiles, and specific events.
  • Build cybersecurity team and define program governance, including defining roles and responsibilities.
  • Establish, with senior leaders, cyber risk thresholds and risk management approach.
  • Build and implement cyber risk quantification and risk prioritization of initiatives.
  • Develop protocols to periodically review the appropriateness of the cybersecurity program, inclusive of administrative and technical controls and processes, with such review to include risk assessments, industry standard compliance reviews, and periodic, risk-based penetration testing.
  • Develop vendor cybersecurity risk management program.
  • Coordinate with senior leadership to ensure adequate resourcing of cybersecurity program.

Cybersecurity Program Management

  • Oversee people, processes, and technology at all levels of the cybersecurity program to enable global operations.
  • Develop and maintain all relevant information security policies and procedures, including for network infrastructure, specific applications, and services.
  • Develop and maintain designated risk-based cyber safeguards, including access controls, MFA, encryption, asset classification, change management, patch management, network segmentation, firewalls, detection technologies including network and endpoint security, insider threat protection, logging and network monitoring, and vulnerability management.
  • Develop secure lifecycle processes and operations, reflecting risk, threat, and vulnerability identification.
  • Ensure continuous monitoring of the threat landscape and modify security technologies and procedures as appropriate.
  • Manage cybersecurity audits, inclusive of client security audits and RFPs.
  • Oversee development and implementation of role-based cybersecurity awareness programs and trainings.
  • Collaborate closely with the Office of General Counsel (OGC) to ensure the cybersecurity program meets all legal and contractual requirements.
  • Manage, in close collaboration with IT team, all aspects of security for technology initiatives.
  • Conduct regular internal security assessments, and coordinate external security assessments, penetration tests, and red/purple team exercises, to proactively test the effectiveness of security controls.
  • Coordinate with compliance on remediation and program management.
  • Assist in the design and implementation of disaster recovery procedures and their integration points with business continuity, and manage the rollout of IT-enabled recovery and continuity procedures.

Incident Response and Coordination

  • Maintain Firm Incident Response Plan, including incident escalation framework and key incident-specific playbooks (e.g., ransomware), and serve as lead cybersecurity representative in incident response.
  • Ensure appropriate tactical incident response protocols and processes to detect, respond, and remediate cybersecurity events.
  • Oversee the Firm’s investigation capability, including the use of internal and external forensics and the collection and preservation of evidence, under the supervision of the OGC as appropriate.
  • Maintain Firm Business Continuity and Disaster Recovery (BC/DR) Response Plan, and serve as lead member of disaster recovery team.
  • Conduct tabletop exercises to build response capability at all levels (e.g., tactical security response through strategic leadership response).
  • Lead after-action reviews and identify and implement lessons learned to drive security improvements.

Qualifications

  • Ability to manage and lead multiple complex projects in a fast-paced, dynamic operational environment, including ability to support flexible schedule for 24×7 crisis operations.
  • Demonstrated ability to diagnose complex system problems and develop innovative solutions.
  • Demonstrated ability to participate in cross-functional planning, coordination, and task execution situations involving the full spectrum of system integration.
  • Excellent oral and written communication skills, including ability to express complex technical concepts effectively, both verbally and in writing, and the ability to effectively communicate to a variety of stakeholders with varying levels of technical expertise and seniority.
  • Ability to effectively and collaboratively negotiate among stakeholders, including third parties, with conflicting needs to drive alignment on key security matters.
  • Strong leadership and mentorship skills and a genuine passion for growing a team.
  • Innovative problem-solver with strong critical thinking skills and action-oriented decision-making.
  • Excellent judgment and ability to successfully lead in crisis situations.
  • Growth mindset and commitment to learning.
  • Demonstrates mature understanding of the sensitive nature of our business and the importance of ensuring the protection of Firm data and the data entrusted to us.
  • Collaborative and enthusiastic team player.

Experience

  • Bachelor’s degree in a technical field; the ideal candidate will have a graduate degree in a technical field with at least 10 years of prior relevant experience.
  • Relevant certifications such as CISSP, CISM, GIAC GSE and other SANS/GIAC certifications, CCNP, CCNA, Security+, SCNP, etc. highly preferred.
  • Detailed technical expertise of cloud architectures, especially Microsoft Azure and Google Cloud, networks, routers and switches, wireless technologies, active directory, and leading software applications.
  • Expert level knowledge of developing and implementing defense-in-depth security program, including installing, deploying, documenting, and troubleshooting network perimeter security technologies such as firewalls, proxy servers, intrusion prevention/detection (IDS/IPS), anti-virus, anti-malware, and unified threat management (UTM).
  • Experience supervising managed security service providers (MSSPs).
  • Experience implementing a risk management framework and leveraging governance, risk, and compliance (GRC) concepts and tools.
  • Experience maintaining ISO 27001 certification and aligning the program with other industry frameworks, such as NIST CSF, NIST SP 800-53, NIST SP 800-171, and HITRUST, as appropriate, and working knowledge of Zero Trust architecture.
  • Experience overseeing vendor security audits and developing, implementing and maintaining a vendor risk management program.
  • Working knowledge of relevant legal requirements, including GLBA, SOX, HIPAA, DFARS, GDPR, and CCPA/CPRA.

Gibson Dunn will consider for employment qualified Applicants with Criminal Histories in a manner consistent with the requirements of local law.

Compensation & Benefits:
The annual compensation range for this position is $350-500k. The salary offered within this range will depend upon qualifications and other operational considerations.
Benefits offered for this position include health care; retirement benefits; paid days off, including sick time, and vacation time; parental leave; basic life insurance; Flexible Spending Accounts; as well as discretionary, performance-based bonuses.

GIBSON DUNN & CRUTCHER LLP IS COMMITTED TO THE PRINCIPLES OF EQUAL EMPLOYMENT OPPORTUNITY FOR ALL PARTNERS, EMPLOYEES AND APPLICANTS AND, IN ACCORDANCE WITH THE APPLICABLE FEDERAL AND STATE LAWS, DOES NOT DISCRIMINATE ON THE BASIS OF SEX, RACE, CREED, COLOR, RELIGION, MATRICULATION OR POLITICAL AFFILIATION, NATIONAL ORIGIN, ALIENAGE OR CITIZENSHIP STATUS, ANCESTRY, AGE, MARITAL STATUS OR PARTNERSHIP STATUS, FAMILY RESPONSIBILITIES, DISABILITY, MEDICAL CONDITION, PERSONAL APPEARANCE, GENETIC INFORMATION, PREDISPOSING GENETIC CHARACTERISTICS, SEXUAL ORIENTATION, MILITARY STATUS, STATUS AS A VICTIM OF DOMESTIC VIOLENCE, STALKING AND SEX OFFENSES, ARREST OR CONVICTION RECORD, OR ON ANY OTHER BASIS PROHIBITED BY LAW.