What You'll Do...
The Chief Information Security Officer (CISO) is responsible for developing and maintaining a world-class, enterprise-wide information security and risk management program to ensure that information assets are adequately protected. This executive is responsible for identifying, evaluating, protecting and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise.
The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. The CISO will proactively work with other business functions to implement practices that meet defined policies and standards for information security. This role also oversees a variety of IT-related risk management activities and guides Business Continuity and Disaster Recovery Plans.
The CISO serves as the process owner of all activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with H&R Block’s information security policies.
At the executive leadership level, the CISO is a key member of the IT Leadership team who contributes to business and technology strategy as they identify opportunities for innovation to grow H&R Block’s market leadership position. The CISO helps define the security policies, processes, and the associated technical capabilities that help the company achieve its goals while protecting its data.
A key element of the CISO's role is working with H&R Block’s executive management to determine acceptable levels of risk for the organization. The CISO must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode. The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes.
Responsibilities include:
Vision/Strategy
- Reporting to the Global CIO, the CISO will collaborate with appropriate parties to develop the vision and strategy for H&R Block’s enterprise information security program. This includes global responsibilities for H&R Block tax and financial business operations in the U.S., Canada, Australia, India, and Ireland in addition to Wave Financial.
- Assess, manage and govern the current Information Security Program including policies, procedures, and organization to drive Block’s Information Security Program to higher levels of maturity.
- Develop and oversee the outcomes of a multi-year roadmap, evolving and reprioritizing as necessary to ensure effectiveness.
- Significantly enhance security automation capabilities to deliver greater speed, efficiency, quality, and secure outcomes.
- Operate as a trusted information security advisor to the Leadership Team, CEO and the Board of Directors.
- Represent management to the Board/committees and present H&R Block’s security profile, industry position, risks, issues, strategies, execution, etc.
- Provide information security leadership to the IT operations and Applications/Data areas and oversee the information security management system and information security technical and operational standards.
- Facilitate healthy dialogue amongst stakeholders across the organization that bridges security and business needs, and results in a holistic viewpoint.
Policy/Governance
- Establish, monitor and reinforce policies related to data and asset usage and security. Do so with an understanding and appreciation of impact to the business.
- Oversee the construction and maintenance of technology standards and processes to ensure they meet policy.
- Ensure that InfoSec processes and operations are designed to comply with the organization’s information security policies and with applicable regulations and laws.
- Coordinate and track all information technology and security related audits including scope of audits, business units involved, timelines, auditing agencies and outcomes, including potential overlaps with external audits conducted in the businesses. Within a framework of auditor independence, work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the organization in its best light. Provide guidance, evaluation and advocacy on audit responses.
- Lead a comprehensive enterprise-wide awareness program that makes security part of everyone’s job, including communications, training and reinforcement around associates’ roles in protecting client and company information.
- Partner with Legal/Compliance to develop a strategy for dealing with audits, compliance checks and external assessment processes for internal/external auditors, PCI, HIPAA, and state laws.
- Partner with Risk, Legal/Compliance and Internal Audit functions relative to approach to difficult privacy and security issues. Act as a source of technical expertise to help automate controls as required.
Risk Management
- Support positioning information security as a business issue through greater level of business integration into security and risk priorities and decisions.
- Strengthen management of information security risks through robust identification and prioritization processes that mitigate business risk and ensure information security governance through the implementation of an enterprise program.
- Assess potential and emerging information security threats, vulnerabilities, and control techniques across relevant business sectors and communicate this information to leaders and associates, as appropriate, throughout the organization on a timely basis.
- Advise leadership concerning risk issues that are related to information security and recommend actions in support of the company’s enterprise risk management program.
InfoSec Operations
- Specify, prioritize, and oversee the development of information security solutions.
- The CISO is an Independent Monitor of InfoSec Operations (monitoring, controlling, reporting, and responding).
- Ensure that a visible and effective incident response policy, plan, and procedures are in effect for timely response, enforcement, tracking and reporting, including an escalation corridor for the CISO.
External Perspective & Relationships
- Stay abreast of security, technology and industry trends. Maintain knowledge of security-related regulatory requirements and laws (e.g., HIPAA, PCI), standards (NIST, COBIT, ISO, HITECH, etc.) affecting privacy and security assurance, and partner with Law/Compliance to communicate throughout the enterprise to increase awareness and ensure that compliance is achieved where required.
- Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong, proactive security posture.
- Utilize external parties to deliver on the security governance framework (i.e., awareness/ communications, training, forensics, etc.). Manage vendor relationships in a manner that controls costs, drives service excellence and mitigates risks.
What You'll Bring To The Team...
- 15+ years of progressively responsible and directly related work experience, including building teams and leading an information security program, ideally within a financial or similarly highly-regulated entity.
- Minimum of 10 years’ experience designing and implementing enterprise information technology security; demonstrates industry-leading security innovation skills and an eye towards understanding the threat environment from a preventative posture.
- Excellent executive presence and communications skills with experience presenting to boards, executives, and leadership teams with the ability to communicate security and risk-related concepts to technical and non-technical audiences.
- Very strong business acumen, analytical skills, problem-solving techniques, and fact-based decision-making. Keen understanding of business needs including operational and financial impacts of InfoSec policies, processes and operations.
- A self-starter with a “can-do” attitude; a driver and implementer who possesses the poise and ability to act calmly and competently in high-pressure, high-stress situations. High emotional intelligence.
- Strong resilience, ability to lead through ambiguity, and persistence to move ahead regardless of barriers.
- Proven ability to build positive, collaborative relationships at all levels of the enterprise and across a diverse set of functions. The ability to develop strong relationships and influence multiple stakeholders to gain alignment on key issues will be critical for success.
- High level of knowledge in the area of risk management, network and system security, and security implementation in harmony with the ability to lead organizational change.
- Experience working with the HIPAA Security Regulations, SOC2, NIST Cybersecurity Framework, and relevant information privacy and security laws.
- Skilled in project management as well as work plan development and implementation; astute in strategic planning, budgeting, and allocation.
- A team builder with a track record of attracting, developing, and retaining high-performing talent.
EDUCATION
An undergraduate degree from an accredited institution is strongly preferred.