Director, Cybersecurity Risk Management

October 3 2024
Industries Tourism, Passengers transportation
Categories Security, Continuity, Risk
Remote
Toronto, ON • Full time

JOB INFORMATION
Requisition ID: 9151
Number of Vacancies: 1
Department: Information Technology Services (20000014) - Information Security Office (30000033)
Salary Information: $128,000.60 - $160,069.00
Pay Scale Group: 12SA
Employment Type: Regular
Weekly Hours: 35, Off Days: Shift:

Posted On: October 4, 2024
Last Day to Apply: October 18, 2024
Reports to: CISO

The Toronto Transit Commission (TTC), North America's third largest transit system and recognized as one of the top places to work in the GTA, has introduced its new 2024-2028 TTC Corporate Plan - Moving Toronto, Connecting Communities, which continues the TTC's legacy of delivering service to hundreds of millions of customers a year. The TTC's new vision and mission statements also help promote the many environmental, social equity and economic benefits that the TTC provides:

Vision: Moving Toronto towards a more equitable, sustainable, and prosperous future.

Mission: To serve the needs of transit riders by providing a safe, reliable, efficient, and accessible mass public transit service through a seamless integrated network to create access to opportunity for everyone.

The full Plan can be viewed on ttc.ca.

Career Opportunity


A great leadership opportunity within the Information Technology Services Department.

What you will do


You will lead the development and continuous enhancement of the TTC Cybersecurity Risk Management Program and are accountable for day-to-day cybersecurity governance, risk management, and compliance across the Organization as it relates to Information Technology (IT) and Operational Technology (OT) / Internet of Things (IoT) industrial and critical infrastructure at TTC. You will ensure that cybersecurity risks and mitigation practices in IT and OT are aligned. The role will be a focal point for Cybersecurity Risk Management and reports to the Chief Information Security Officer (CISO). You will work closely with the IT, engineering, and OT teams in risk decision-making roles to build a unified cybersecurity risk framework and mitigation strategies to address cybersecurity risks.


You will be responsible for leading the assessment, evaluation, and mitigation strategies as they relate to cybersecurity risks across the organization (Information Technology and Operational Technology) and will oversee all cybersecurity initiatives related to risk management. You will lead and set required risk mitigation goals, drive the implementation of mitigation strategies, and be responsible for monitoring, reporting on and improving the effectiveness of the mitigating controls put into place. You will lead the creation and implementation of business continuity plans, contingency plans and recovery processes and procedures for when information systems are severely compromised.


You will lead the enhancement of the company-wide TTC training platforms to engage all employees in protecting their personal information and the company's technology and information assets, and will work with staff to train them in the cybersecurity measures and policies outlined by the organization. You are responsible for and will lead cybersecurity investigations and audits, and will drive the collection of information and preparation of compliance reporting. You will actively interact with other cyber teams in the transportation industry, as well as peers and partners, to nurture a mutual sharing of information beneficial to the industry, in addition to gathering cyber-threat intelligence for risk assessments and prioritizing defensive action.


You will oversee the associated cybersecurity risk as it relates to projects, and collaborate with other cyber teams to review risks associated with technical security architecture platforms as part of new projects and initiatives for IT and OT infrastructure solutions.


You will have a strong influence and driven personality to act as the final accountable role and authority for Cybersecurity Risk at TTC. You will collaborate with the security operations team to provide and support the security risk mitigation strategies required for monitoring, responding to and remediating cyber risks and threats.


In addition to the above, you will be responsible for treating passengers and/or employees with respect and dignity and ensuring the needs of passengers or employees with disabilities are accommodated and/or addressed (within their area of responsibility) in accordance with the Ontario Human Rights Code and Related Orders so that they can fully benefit from the TTC as a service-provider and an employer and perform other duties as assigned.

What Qualifications You Bring

  • University degree in Computer Science, or the equivalent, combined with several years of directly related and progressively responsible experience working in the area of security within an IT environment.
  • Extensive years of related experience in critical infrastructure industries with operational technology, ICS and/or SCADA.
  • Considerable years of leadership and people management experience are required.
  • Considerable years of experience with systems engineering of cyber security systems.
  • Knowledge of cybersecurity policies and standards related to industrial/OT/Industrial Control System (ICS)/ Supervisory Control and Data Acquisition (SCADA), with the ability to apply knowledge best practices to implement new cyber defense and resiliency techniques for industrial environments.
  • Understanding of attack vectors, vulnerabilities, and how they are leveraged by malicious actors.
  • Knowledge of the cybersecurity concepts typical to the industrial/OT/ICS environments especially in two or more areas such as vulnerability management, security operations access management, network architecture & segmentation, asset management, defense in depth, etc.
  • Experience in designing enterprise-wide Cybersecurity Risk Management organizational structures and processes.
  • Experience with supporting and drafting security architectures for industrial/OT/ICS environment.
  • Understanding of technologies (assets, communication protocols, technical architectures, segmentation requirements) utilized by industrial/OT/ICS systems (SCADA/DCS/PLC/RTU) and network infrastructure.
  • Knowledge of the technical security concepts and solutions utilised within IoT/ICS systems and networks.
  • Experience with configuring and monitoring of network infrastructure, firewalls, Intrusion Detection System / Intrusion Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM) tools.
  • A detailed understanding of one or more industrial/OT/ICS security standards and frameworks such as: ISA/IEC 62443 and NIST 800-82.
  • Experience successfully executing on multiple Cybersecurity Risk Management programs in complex technical and organizational environments with operation continuity trade-offs.
  • Possess a strong understanding of industrial systems such as Power Grids, Camera Systems, Signaling systems, Revenue Faregates, Vehicle Electrification systems, etc.
  • Experience with contract and vendor negotiations and management including managed services.
  • Experience with financial and budget management, scheduling, resource, and people management.
  • Experience communicating and presenting cross functionally to all levels within an organization including senior executives.
  • A master of influencing entities and decisions in situations where no formal reporting structures exist, while still achieving the desirable outcome.
  • Experience in communicating Cybersecurity Risk Management requirements and risks to non-technical staff, management, and other stakeholders.
  • Experience in the design and implementation of mission-critical solutions in multi-faceted environments.
  • Capability to develop professional documents in the form of reports, analysis, methodologies, policies, standards, and procedures.

What We Offer

  • Commitment to creating a diverse, equitable and inclusive culture that promotes a sense of belonging and represents and reflects the needs of the communities we serve.
  • A flexible, hybrid work approach that allows colleagues to find balance between their professional and personal lives and make the most of the benefits of working remotely and purpose-driven in-person collaboration opportunities.
  • One of the great benefits of being a full-time TTC employee is becoming a member of the TTC defined pension plan.
  • A comprehensive package that covers health, dental, vision and more.
  • Support for professional development opportunities for all colleagues through a broad range of learning programs that include in-person and online training, leadership development, and support for colleagues' well-being.


Commitment to EDI


The TTC is committed to upholding the values of equity, diversity, anti-racism and inclusion in the delivery of its services and in its workplaces. The TTC is committed to fostering a diverse workforce that is representative of the communities it serves at all levels of the organization, and supports an inclusive environment where diverse employee and community perspectives and experiences bring value to the organization. The TTC encourages applications from all applicants, including members of groups with historical and/or current barriers to equity, including but not limited to, Indigenous, Black and racialized groups, people with disabilities, women and people from the LGBTQIA+ community. The TTC values and supports an inclusive and barrier-free recruitment and selection process. Accommodations for applicants are available upon request throughout the recruitment and selection process, including for those who identify as having a disability. Please contact Talent Management at (416) 393-4570. Any information received related to an accommodation will be addressed confidentially.

The TTC's policy prohibits relatives of current TTC employees from being hired, assigned, transferred or promoted into positions, where there is a conflict of interest due to a relationship. Should you be selected for an interview, you will be required to disclose the name, relationship and position of any relative who is a current TTC employee.

We thank all applicants for their interest but advise only those selected for an interview will be contacted.
