The CISO role had been held for the past three and a half years by Ralph Johnson, who left that role this month to take the position of CISO for NantMedia Holdings, owner of the Los Angeles Times.
The Los Angeles County CIO position is also open, since Bill Kehoe announced in June that he was leaving that role and returning to Washington, where he now serves as state CIO. Peter Loo, chief deputy CIO under Kehoe, is serving as acting CIO. Several other key IT roles are also in recruitment, including the deputy CIO role held until recently by Jagjit Dhaliwal, who is now vice president for industry practice for UiPath, a provider of robotic process automation products and services.
The CISO will report to the county’s chief information officer and “must possess the ability to develop and maintain effective interpersonal relationships with internal and external managers, IT technical staff, legal and privacy staff and related industry experts,” the county job posting says. “The CISO represents the county’s interests before state and federal agencies and regulatory bodies and serves as the official Health Insurance Portability and Accountability (HIPAA) information security officer for the county."
Although most of the county’s main administrative entities manage and operate their own internal IT environments, the county CISO works with those departments to ensure security governance and regulatory compliance, policy development and management, and security training and awareness development.
“The CISO directs countywide security initiatives and team to manage and mitigate information security threats,” the job posting says. Specifically, key responsibilities of the role include:
- Develop and maintain the county’s Information Security Program including policies, standards and procedures; cybersecurity control evaluation, selection and implementation; and architectures, products and services, pursuant to County Chief Information Office architectures, standards and guidelines, and board polices and applicable laws.
- Oversee the development and implementation of countywide IT security policies and procedures to prevent internal and external IT threats and vulnerabilities.
- Direct the preparation of short- and long-term strategies for optimizing the county’s information security plans.
- Direct and participate in the identification of security risks, development and implementation of security management practices, and the measurement and monitoring of security protection measures.
- Direct the handling of IT security breaches and related incidents, including overseeing the activation of the County Cyber Incident Response Committee (CCIRC) or other incident response teams.
Desirable qualifications include:
- A current Certified Information Systems Security Professional (CISSP) certification issued by the International Information Systems Security Consortium; Certified Information Security Manager issued by the Information Systems Audit and Control Association; or other comparable security accreditation/certification.
- Demonstrated knowledge and experience in IT planning, auditing and risk management, as well as contract and vendor negotiation in the IT field.
- Demonstrated working knowledge of government regulations and laws related to information security.
- Demonstrated ability to serve as an effective member of the leadership team and communicate information security-related concepts to a broad range of technical and nontechnical employees.
The job posting also spells out the prerequisites for the position: Applicants must have a bachelor’s degree from an accredited college or university in computer science, information systems, public or business administration, or a related field; and one of the two following criteria:
- A minimum of two years of experience at the level of Los Angeles County classes of Departmental Information Security Officer II or Information Technology Specialist, responsible for developing, implementing or monitoring a large and complex information system security program for a multiservice public organization; or
- Five years of management experience in the IT industry, three years of which must have been concentrated in information security. This must include managing a security program for a large public- or private-sector organization.
The position has an annual salary range of $145,815 to $226,772, and the recruitment will remain open until the position is filled.
