The Head of Information Security is responsible for creating and implementing an information security program designed to protect GATX’s data, systems, and assets globally from potential threats. This position will partner across functions to drive major security initiatives and will be responsible for effectively communicating goals, risks, and tradeoffs to executive leadership and the board of directors in support of GATX’s business goals.
- Central point of contact within GATX for all aspects and communications regarding information security. Understand the fundamental business activities performed by GATX, work with the executive management team to determine acceptable levels of risk for GATX and recommend pragmatic information security solutions that protect these activities.
- Develop, maintain, and promote information security policies, standards and guidelines. Ensure that controls comply with contractual obligations, corporate policies, and legal and regulatory requirements.
- Define and own a multi-year cybersecurity roadmap and key performance indicators focused on reducing risk, aligned with GATX’s business goals and objectives, and addressing management’s fiduciary and legal responsibilities and customer expectations for secure business practices.
- Provide regular reporting on the current status of the information security program to the enterprise risk management team, senior business leaders and the board of directors as part of a strategic enterprise risk management program.
- Manage a cost-efficient information security organization consisting of direct reports and dotted-line reports.
- Maintain an enterprise-wide information security awareness, education, and training program.
- Provide strategic risk guidance and consultation for corporate IT projects, including the evaluation and recommendation of technical standards and controls.
- Oversee the performance of periodic IT risk assessments to identify current and future security vulnerabilities, determine levels of acceptable risk, and identify solutions to attain acceptable risk levels.
- Perform periodic quality measurement studies to determine whether the GATX Information Security function operates in an efficient and effective manner consistent with standard industry practices.
- Build and nurture external networks consisting of industry peers, advisory bodies, vendors, law enforcement and other relevant parties to address common trends, findings, incidents and cybersecurity risks. Maintain working knowledge of latest developments in information security, including new products and services.
- Coordinate the preparation of information technology contingency plans to respond to information security breaches, violations, and incidents. Manage internal procedures and activities pertaining to the investigation, resolution, and prosecution of information security breaches and violations.
- Develop, maintain, and manage effective information technology disaster recovery and business continuity practices and standards, including plans and procedures to ensure that critical business applications are recovered in the event of a declared disaster.
- Manage all Sarbanes-Oxley related efforts and act as liaison between Internal/External Audit and the IT Department. Manage relevant processes and procedures associated with Sarbanes-Oxley: enforce existing internal controls, and identify any necessary additional internal controls. Work with Corporate Audit to ensure that additional controls are documented, instituted, practiced, and monitored.
The Head of Information Security plans, organizes, coordinates, and directs information security activities globally for GATX. He or she acts as the focal point for all communications related to information security, including internal staff and third parties. The Head of Information Security works with a wide range of individuals from different internal organizational units, bringing them together to establish appropriate controls for safeguarding information assets from current information security threats and potential future information security risks.
Education and/or Experience Required:
- Minimum of 10 years of experience in a significant leadership role in information security, including experience in adopting and implementing widely accepted management frameworks for IT governance and information security practice (e.g., NIST, ISO 27001, COBIT).
- Regulatory compliance experience with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, the European Privacy Directive, NIST, NSA, etc.
- Knowledge of information security, control, and risk management techniques, trends, and developments.
- Strong analytical skills to analyze security requirements and relate them to appropriate security controls.
- Bachelor’s degree in Information Security, Computer Science, or related field required. Master’s degree or post-graduate work preferred.
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or equivalent.
NOTE: The above statements are intended to describe the general nature and level of work being performed by people assigned to this job. They are not intended to be an exhaustive list of all responsibilities, duties and skills required of personnel so classified.
Consistent with our policy, all new hires are required to be fully vaccinated and boosted.
GATX embraces diversity, and we are proud to be an Equal Opportunity Employer. All qualified applicants receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or protected veteran status. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills.
We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation.