Chief Information Security Officer

Chief Information Security Officer

Virginia's community colleges have a 50-year track record of educational excellence and innovation to serve the needs of our citizens and strengthen the Commonwealth's economy. When Virginia's General Assembly established the Virginia Community College System in 1966, the need for a comprehensive system was well known. Over the two decades after the end of World War II, leaders in government, business, professional sectors, and academia had called for a new approach to providing educational opportunity. A key concern was Virginia's ability to develop a skilled and knowledgeable workforce to expand the state's economy. Today our community colleges give every Virginian the opportunity to gain a quality education. With 23 colleges on 40 campuses located throughout the state, Virginia's Community Colleges are committed to serving Virginia families, helping them acquire the knowledge and skills to seize the opportunities of today and tomorrow. The Chief Information Security Officer (CISO) role at VCCS offers a unique opportunity to lead and inspire a single comprehensive cybersecurity strategy across 23 community colleges and 2 support organizations, ensuring the protection of vital educational and institutional assets while fostering a culture of security and resilience. The CISO collaborates with AVC for infrastructure security engineers, policy development, incident response, and regulatory compliance efforts across VCCS's enterprise-wide IT infrastructure. The role includes oversight of security risk assessments, audit response, security architecture, third-party risk management, and emerging cybersecurity threats. Additionally, the CISO collaborates with the AVC for Applications and Integration Technologies to ensure that software applications and integrated data across systems are seamless and that operations are secure throughout the VCCS network.

The CISO is responsible for aligning VCCS security practices with :

• NIST 800-53 and NIST Cybersecurity Framework (CSF)
• Center for Internet Security (CIS) Controls and Benchmarks
• Commonwealth of Virginia Information Technology Agency (VITA) security policies
• Higher education cybersecurity standards (e.g., EDUCAUSE, REN-ISAC)
• Federal regulations, including FERPA, HIPAA, PCI-DSS, and GLBA compliance

The CISO supports the strategic direction established by the CIO, VCCS executive leadership, and relevant VCCS governance bodies. The role leads a team of staff members supporting cybersecurity responsibilities. The role requires active collaboration with internal audit, college IT departments, faculty technology committees, and state cybersecurity leaders to strengthen security postures across the academic enterprise.

Minimum Qualifications :

Education and Experience

Faculty Equivalent position requires a Master's degree. (preferred Computer Science, Cybersecurity, Information Security, or a related field required and experience in cybersecurity leadership).

CISSP, CISM, or CISA certification required.

Other IT certifications preferred : Security+, ITIL.

Experience

10+ years of progressively responsible experience in cybersecurity leadership, security governance, enterprise risk management, IT security, IT infrastructure design and personnel management.

Proven experience leading enterprise cybersecurity programs in complex distributed organizations, including managing cybersecurity teams and supervising senior security professionals such as a Deputy CISO.

Higher education experience with understanding student data protection regulations and laws, academic IT security, research security concerns, and direct, hands-on experience managing and leading academic technology programs in higher education.

Experience managing large-scale cybersecurity programs in compliance with NIST, ISO 27001 (as we transition away from), and state IT security frameworks.

Hands-on experience with security engineering, SIEM solutions, IAM frameworks, and regulatory compliance.

Knowledge of Virginia IT Agency (VITA) governance structures and VITA security policies is preferred.

Knowledge

Cybersecurity Frameworks & Compliance : In-depth understanding of NIST 800-53, NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, ISO 27001 (as we transition away), PCI-DSS, FERPA, HIPAA, GLBA, and VITA security standards.

Center for Internet Security (CIS) Controls : Expertise in implementing CIS benchmarks and security controls to safeguard VCCS systems against cyber threats.

Enterprise Security Architecture : Knowledge of zero-trust security models, network segmentation, identity and access management (IAM), and cloud security best practices. Cybersecurity vendors, products, and services : Knowledge of leading cybersecurity products and their potential role in a holistic cybersecurity architecture strategy.

Higher Education IT Security : Familiarity with academic IT environments, research security, student data protection (FERPA compliance), and cybersecurity risks unique to educational institutions.

Threat Intelligence & Risk Management : Strong foundation in threat detection, risk assessment methodologies, vulnerability management, and incident response strategies.

IT Security Operations & Engineering : Experience with firewall management, SIEM platforms, endpoint protection, penetration testing, and data loss prevention (DLP) strategies.

Skills

Security Program Development : Ability to develop, implement, and maintain a system-wide cybersecurity strategy that aligns with VCCS IT governance, NIST guidelines, CIS controls, and state security mandates.

Regulatory Compliance & Audit Management : Strong experience in audit preparation, compliance tracking, and reporting to state (VITA, JLARC, SCHEV), federal, and accrediting bodies.

Technical Proficiency : Skilled in cloud security (AWS, Azure, Google Cloud), virtualization, endpoint security, and hybrid infrastructure security.

Incident Response & Forensics : Proficient in developing incident response plans, leading forensic investigations, and ensuring rapid containment and remediation of security breaches.

Leadership & Team Development : Supervise, mentor, and provide professional development opportunities for the Deputy CISO and cybersecurity staff to build a high-performing security team. Foster a culture of continuous learning, leadership development, and succession planning to ensure long-term cybersecurity leadership continuity within VCCS.

Project & Vendor Management : Ability to assess, negotiate, and oversee security vendors, contracts, and technology procurements in compliance with state procurement policies.

Abilities

Strategic Thinking & Planning : Ability to align cybersecurity initiatives with VCCS's strategic IT objectives and statewide technology priorities.

Communication & Stakeholder Engagement : Capable of translating complex security concepts for executives, faculty, IT staff, and policymakers.

Cross-functional leadership : Proven ability to collaborate with college CIOs, faculty technology committees, and state agencies (VITA, SCHEV) to advance cybersecurity programs.

Crisis Management & Problem-Solving : Ability to make critical decisions in high-pressure situations and lead incident response efforts across multiple colleges.

Training & Awareness : Ability to design and deliver cybersecurity awareness programs, phishing simulations, and faculty / staff training.

Competencies

Communication : The ability to articulate thoughts and deliver information effectively using oral, written, visual, and non-verbal communication skills, as well as listening skills to gain understanding.

Coaching : The ability to facilitate skill development and improved performance by providing clear, specific feedback to others, understanding their goals, and working with them to achieve those goals.

Change Management : The ability to implement strategies for effecting change, delivering the message of change, and helping people adapt to change.

Managing Conflict : The ability to understand all sides of an issue, help others calmly move through emotional or tense situations, and achieve the best solution for everyone involved.

Performance Management : The ability to set realistic performance expectations, demonstrate awareness of others' work performance, provide regular feedback, and track performance progress.

Facilitating : The ability to impartially guide a group with an overall goal of reaching consensus, solving problems, or accomplishing tasks.

Diversity, Equity, and Inclusion : The ability to effectively manage and communicate across differences, identify and address barriers, and foster an inclusive, equitable work environment.

Critical Thinking : The ability to carefully consider multiple pieces of information, from a variety of sources and perspectives, to integrate into a rational and beneficial solution.

Interpersonal Skills : The ability to interact with others in a mutually respectful, genuine, direct, and supportive manner.

Strategic Management : The ability to formulate objectives and priorities and implement initiatives to bring value to the organization's long-term objectives.

Project Management : The ability to see the objective, the steps and resources needed to get there, ensure the timeline is followed, and provide the leadership necessary to impart the vision.

Additional Considerations :

Ability to work at a computer workstation for extended periods up to eight hours per day.

Ability to speak on the telephone and / or communicate via video conference technology.

Ability to sit for extended periods without breaks. Ability to perform repetitive movements, such as typing, and the use of commonly used office machines and supplies.