You are an experienced information security manager looking for a challenge. You bring valuable experience to the table in enterprise information security, including managing a team, and you are looking for a position that will stretch you and continue to develop your expertise. At Webroot, in Broomfield, CO, we are seeking to empower an information security manager to work with our CISO to maintain a top notch, secure enterprise environment. We are a malware/security company. We have a lab environment studying malware every single day. It is in this environment, that your skills will be challenged to grow and develop. You will work within Webroot’s information security team and will be responsible for developing, maintaining and continuously improving the company’s security incident response program.  In that capacity, you will be responsible for defining the workflow of incidents to remediation, as well as weekly reporting for the security team. You will stay up-to-date in your knowledge of regulations, standards and best practices in security management, information security, 3rd party scanning and security vendor management.  Your mission is to help ensure Webroot is appropriately identifying, monitoring and mitigating vulnerabilities and risks to the company. If this chance to manage information security at a security company sounds like the challenge you seek, apply today!

In this job you will:

• Manage audits designed to ensure ongoing compliance with Webroot’s security policies
• Ensure that all security controls and policies are well defined, periodically updated and align with corresponding measurements for ISO 27002 controls
• Lead the design, implementation, documentation and maintenance of security incident management program
• Actively participate with legal and other groups on analysis of the organization's incident management and regulatory compliance posture, and the development and implementation of security recommendations
• Develop and maintain a framework to continuously monitor the company’s external and internal network and system risk, and production of metrics reflecting status of work in areas of potential vulnerability risk
• Alert management to potential and/or real breaches related to data privacy, data leakage, fraud, resiliency, etc.
• Support the development and maintenance of documentation related to security monitoring for certifications and regulatory compliance (e.g., PCI, ISO 27001, Sarbanes-Oxley.
• Support company training programs related to security awareness

You bring to the table:

• 5+ years of experience performing IT Audits, Technology Risk Assessments and/or IT internal control risk evaluations
• 2+ years of experience with managing security team members
• Bachelor’s Degree in Information Systems or similar discipline preferred or equivalent experience
• CISSP is preferred.
  • If you do not have a CISSP, ideally you would have at least one of the following certifications or acceptable equivalent is preferred: CISM, CIPP/CIPM/CIPT, CRM, PMI-RMP, CBCP, CISA or CRISC
• 2+ years’ experience working with 3rd party vendors and managed security services
• Strong working knowledge of relevant assessment frameworks and/or standards (e.g., ISO/27000 Series, ISO/31000 Series, SOC-2, NIST 800 Series, PCI-DSS 3.x)
• Experience in the design and development of policies, procedures and best practices for information security programs, including incident management
• Experience with the security software and hardware (i.e., RSA, Qualys, Cisco, Palo Alto)
• Strong project management and process improvement orientation; specific experience leading projects preferred
• Ability to understand dependencies between business requirements and processes, technical systems, regulatory requirements and compliance regimes
• Experience working with cross-functional teams and leading through influence
• Ability to work independently and interact effectively with all levels, from staff and senior management
• Ability to communicate cross-functionally between technical and business partners
• Experience managing change effectively while maintaining a focus on standard or business-as-usual activities