Who We Are
Join a team that puts its People First! Since 1889, First American (NYSE: FAF) has held an unwavering belief in its people. They are passionate about what they do, and we are equally passionate about fostering an environment where all feel welcome, supported, and empowered to be innovative and reach their full potential. Our inclusive, people-first culture has earned our company numerous accolades, including being named to the Fortune 100 Best Companies to Work For® list for ten consecutive years. We have also earned awards as a best place to work for women, diversity and LGBTQ+ employees, and have been included on more than 50 regional best places to work lists. First American will always strive to be a great place to work, for all. For more information, please visit www.careers.firstam.com.
What We Do
The Chief Information Security Officer (CISO) is responsible for establishing and maintaining an enterprise-wide information security program to assure information assets are adequately protected. The CISO must be knowledgeable of Information Security best practices and regulatory and compliance requirements that impact security for the enterprise. This includes, but is not limited to, HIPAA, PCI, and FISMA. The CISO sets policies and standards that direct security functions relative to information technology systems, networks, applications, voice and data communications and computing services within the enterprise. The CISO assures security programs and technical controls are in compliance with policies, applicable laws and regulations, and effectively protect information and information systems. The CISO also works in partnership with business management to assure business practices meet defined policies and standards for information security. The CISO will lead a 5-person team and direct the activities of a 10-person Security Operations Group, Application/PMO security best practices
What You'll Do
- Understand corporate strategic plans and fundamental business activities at First American.
- Maintain current knowledge of applicable regulatory and compliance issues related to Information Security. Based on this knowledge, develop, maintain and oversee an enterprise-wide Information Security Program consistent with applicable regulatory and compliance requirements.
- Develop and oversee a network of business unit based security directors and vendors who safeguard the company’s assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
- Define, identify and classify critical information assets, assess threats and vulnerabilities regarding those assets and implement safeguard recommendations.
- Manage the development and implementation of global security policy, including policies, standards and guidelines related to personnel, facilities, data security, disaster recovery and business continuity.
- Oversee the investigation of security breaches and assist with disciplinary and legal matters associated with such breaches as necessary. Serve as enterprise focal point for computer security incident response planning, execution and awareness.
- Develop a process to review new facilities, applications and/or technology environments during the development or acquisitions process to ensure compliance with corporate security policies and directions. Facilitate process via business unit based personnel.
- Periodically test and evaluate Information Security controls and techniques to assure compliance with policies. Coordinate the use of external resources involved in the performance of security testing (e.g., penetration tests and vulnerability scans).
- Develop business-relevant metrics to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation and increase the maturity of the security program.
- Report to executive management on the effectiveness of the Information Security Program, including policy violations, security risks, progress of all security-related remedial actions and metrics.
- Provide subject matter expertise to executive management on a broad range of information security standards and best practices, such as NIST and PCI.
- Provide strategic and tactical security guidance for all IT projects, including the evaluation of the enterprise architecture, hardware, software and technical controls.
- Oversee the development and implementation of a company-wide Information Security training program to assure the organization’s workforce is knowledgeable of Information Security policies, practices and relevant guidance appropriate to their role in the organization.
- Provide the foundation for the security culture and awareness of the enterprise. Oversee the development and implementation of activities to foster Information Security awareness within the Company and related entities.
- Work with the Chief Compliance Officer relative to difficult privacy and security issues.
- Work with the Chief Compliance Officer and Chief Information Officer relative to presentations and briefing of the Board of Directors.
- Serve as Manager of the Information Security Governance Department. As such, perform ongoing analysis of the Information Security Governance Program and provide recommendations for change or improvement.
- Serve as chairperson of the organization’s Security Steering Committee.
- Serve in leadership role for security initiatives and activities and as a leader for teams investigating and addressing various security and privacy issues.
- Maintain relationships with local, state and federal law enforcement and other related government agencies.
- Required to perform duties outside of normal work hours based on business needs.
What You'll Bring
- Must possess a solid understanding of Information Technology, Information Security, and Risk Management.
- Ability to interface with senior management, as well as a diverse culture of corporate, operations and IT personnel.
- Knowledge of security and control frameworks, such as ISO 17799, COBIT, ITIL.
- Demonstrated competency in creating and executing on strategic plans.
- Proven track record of leading large, complex projects with multiple stakeholders and driving organizational change.
- Demonstrated success with meeting the needs of a wide range of employees while driving team performance, monitoring results and appropriately allocating resources.
- Possesses and applies comprehensive knowledge of principles, practices, and procedures of a particular field of specialization to the successful execution of multiple complex projects.
- Strong experience and knowledge of functional tools and infrastructure.
- Progressive experience in leading employees in multiple locations, and significant experience developing and implementing solutions.
- Possesses strong problem solving, collaboration, critical thinking, team building, and presentation skills.
- Results oriented with strong time management and project management skills; must be highly organized and driven to succeed.
- Strong leadership skills, leading by example, driving employee commitment through actions, and empowering employees to reach their full potential.
Typical Education
- Computer Science BS or Management Information Systems BS.
- Computer Science MS or Management Information Systems MS preferred.
Typical Range of Experience
- 12+ years progressive information security management and/or risk management experience in the Financial Services or Healthcare sector is required (Financial Services experience highly preferred).
License or Certification
- Information Security certifications such as the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) are required (CISSP is highly preferred).
Pay Range: $284,000.00 - $378,600.00 Annually
This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on a number of factors which may include job-related knowledge, skills, experience, business requirements and geographic location.
** Note that the following statements only apply to candidates who will be working from an unincorporated area within Los Angeles County. **
First American will consider for employment all qualified applicants, including those with arrest or conviction records, in a manner consistent with the requirements of applicable state and local laws (e.g., the Los Angeles County Fair Chance Ordinance for Employers and the California Fair Chance Act).
First American intends to conduct a review of an applicant’s criminal history in connection with a conditional offer. First American reasonably believes that a criminal history may have a direct, adverse and negative relationship with the following material job duties for this position potentially resulting in the withdrawal of the conditional offer of employment: handling of confidential, proprietary or trade secret information belonging to First American or its customers, administrating or facilitating financial transactions, and the ability to meet customer-imposed criminal history requirements.
What We Offer
By choice, we don’t simply accept individuality – we embrace it, we support it, and we thrive on it! Our People First Culture celebrates diversity, equity and inclusion not simply because it’s the right thing to do, but also because it’s the key to our success. We are proud to foster an authentic and inclusive workplace For All. You are free and encouraged to bring your entire, unique self to work. First American is an equal opportunity employer in every sense of the term.
Based on eligibility, First American offers a comprehensive benefits package including medical, dental, vision, 401k, PTO/paid sick leave and other great benefits like an employee stock purchase plan.