Westat is an employee-owned corporation providing research services to agencies of the U.S. Government, as well as businesses, foundations, and state and local governments. Westat's research, technical, and administrative staff of more than 2,000 is located at our headquarters in Rockville, Maryland, near Washington, DC.
Westat is committed to building a diverse workforce and a culture of inclusivity, belonging and equity for all. We believe that our greatest strength draws on the different backgrounds, cultures, perspectives and experiences of our employees.
Westat is seeking a senior information security manager to lead our Client Security Services (CSS) team. This leadership role is a critical member of the chief information security officer's (CISO's) team and acts as an interface between the CISO's strategic and process-based activities and the CSS team they will lead. The CSS Manager must be able to provide direction and mentoring for staff, interact directly with internal and external clients, manage resources, meet deadlines, and provide regular status and service-level reports to management.
You will have experience managing direct reports and working with Federal Government clients and have extensive experience, securing information systems in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF, i.e. NIST 800-37 and 800-53). Expertise in leading project teams and developing and managing projects is essential for success in this role. In addition to supporting the CISO's policies and strategies, you must be able to prioritize work efforts - balancing operational tasks with longer-term strategic security efforts.
This role offers a hybrid work arrangement, requiring the Client Services Security Manager to be on-site 1 day/week.
- Manage a staff of information security professionals, hire and train new staff, conduct performance reviews, and provide leadership and coaching particularly in the areas of FISMA/NIST security compliance, and also including technical and personal development programs for team members.
- Work with the CISO to develop budget projections based on short- and long-term goals and objectives.
- Monitor and report on client facing security activities that include security authorization documentation creation, security control evidence gathering, risk remediation, and security assessment coordination.
- Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.
- Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
- Provide security communication, awareness and training for audiences, which may range from senior leaders to field staff.
- Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
- Manage production issues and incidents and participate in problem and change management forums.
- Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
- Serve as an active and consistent participant in the information security governance process.
- Work with the CISO and IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
- Provide support and guidance for legal and regulatory compliance efforts, including audit support.
- Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
- Formulate recommendations to resolve problems impacting the quality and effectiveness of security controls in software development projects.
- Participate in information security working groups.
- Typically requires a bachelor's degree and a minimum of 7 years of IT experience, or an equivalent combination of education and experience.
- Experience with FISMA and the entire NIST Risk Management Framework lifecycle are essential.
- Experience with GDPR and CMMC.
- Demonstrated leadership abilities, with the capability to develop and guide information security team members and IT operations personnel, and work with minimal supervision.
- Proven project management skills and experience in creating and managing project plans, including budgeting and resource allocation.
- At least one IT security certification is required (Security+, Certified Information Systems Security Professional (CISSP), GIAC Security Essentials (GSEC), Systems Security Certified Practitioner (SSCP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA)).
- Knowledge of information security principles, including risk assessment and management, threat and vulnerability management, incident response, and identity and access management.
Westat offers a well-rounded and comprehensive benefits program focused on wellness and work/life balance. Subject to plan requirements, employees may participate in:
- Employee Stock Ownership Plan
- 401(k) Retirement Plan
- Paid Parental Leave
- Vacation Leave (20 days per year)
- Sick Leave (10 days per year)
- Holiday Leave (7 government holidays and 2 floating holidays per year)
- Professional Development
- Health Advocate
- Employee Assistance Program
- Travel Accident Insurance
- Medical Insurance
- Dental Insurance
- Vision Insurance
- Short Term Disability Insurance
- Long Term Disability Insurance
- Life and AD&D Insurance
- Critical Illness Insurance
- Supplemental Life Insurance
- Flexible Spending Account
- Health Savings Account
Westat is an Equal Opportunity Employer and does not discriminate on the basis of race, creed, color, religion, sex, national origin, age, veteran status, disability, marital status, sexual orientation, citizenship status, genetic information, gender identity or expression, or any other protected status under applicable law.