

Chief Information Security Officer Full-time

Published at 2022-02-14 - The Organized Crime and Corruption Reporting Project (OCCRP) (Worldwide/Remote)

Location: Europe (preferably Amsterdam), Remote role within time zones UTC + 0 to UTC +4

Application Deadline: Sunday, March 20th 2022, 11:59 pm CET

The Organized Crime and Corruption Reporting Project (OCCRP) is a growing, global nonprofit media organization that is reinventing investigative journalism for the public good. By developing and equipping a global network of investigative journalists and publishing their stories, we expose crime and corruption so the public can hold power to account. We see a future where organized crime and corruption are drastically reduced and democracy is strengthened. Our global team includes editors, researchers, data engineers, security specialists, administrators, technologists, and strategists, each with areas of in-depth expertise.
Position Overview
We are looking for an experienced Chief Information Security Officer (CISO) to join OCCRP. This is a demanding position. As CISO, you will be responsible for managing OCCRP’s information security globally. We work across six continents on cross-border investigations and support a network of journalists, some in hostile environments.

This role includes developing, rolling out and overseeing all procedures and policies designed to protect communications, systems and assets from internal and external threats. You will be responsible for ensuring staff have the communication tools they need to do their jobs securely, and that they are continuously trained and kept abreast of best practice. You will also support OCCRP’s network of journalists with some of their information security needs.

This role is responsible for managing our in-house team of Security Analysts. This is a full-time remote position within European time zones. Compensation will be based on qualifications and experience.

Team: Information Security Team

Job description

OCCRP’s security environment is challenging. Our journalists face physical threats and detention. Some of our journalists’ homes have been bugged or their offices raided. We experience cyber-attacks from nation states and APT actors, as well as one-off attacks related to specific investigations.
As CISO, you will perform risk assessments and manage security tests, including internal and external penetration testing. You will identify and manage threats to and vulnerabilities in OCCRP’s information assets. You will oversee the security team’s response to breaches and emergency incidents, as well as the day-to-day handling of individual concerns and queries.

You will take the lead on improving and rolling out information security policies and procedures, and develop a training program for staff and member centers to ensure they understand and follow best practices around cyber security.

You will take the lead on purchasing security products and undertake security assessments of vendors and products that the organization is interested in purchasing.

You will work closely with the Head of Infrastructure to ensure secure management of the organization’s information in transit and at rest and to assure and test the organization’s disaster recovery and business continuity plans.

You will work closely with the physical security editor to design and implement broader operational security measures. You will work with leadership on security planning, providing current knowledge and a future vision of security and risk management.

Must be available for intermittent travel (temporarily limited due to COVID).

Person Description
Essential Skills:
You should be proficient with, and understand best practices in, the following areas:
● Excellent stakeholder management skills, high emotional intelligence, strong interpersonal skills, and ability to develop strong relationships with colleagues.
● Collaborative and persuasive communicator driving engagement across disparate stakeholders, geographies and cultures.
● Excellent analytical skills, ability to understand complex information, consider trade-offs and make recommendations.
● Strong working knowledge of diverse IT systems and information security practices.
● Knowledge of common information security frameworks and standards such as GDPR, ISO 27001, SOC 2.
● Fluent English.
● Ability to communicate security and risk concepts to non-technical audiences and non-native English speakers.
● Ability to think long-term strategically and operationally; can anticipate future trends and needs, while managing the current environment.
● Working knowledge of networking concepts, vulnerability, and industry security technologies, such as endpoint protection and network/device monitoring.
● Ability to work under pressure, juggle multiple activities and competing priorities.


Desirable Skills:
In addition, experience in the following is desirable:
● Knowledge of a second language, such as Spanish or Russian.
● Experience running threat modeling exercises.
● Experience managing forensic analysis on compromised devices or systems.

Experience:
Essential:
● 6+ years focused on managing information security in a complex environment, and 10+ years of work experience.
● Proven management experience in a senior IT security leadership role involving risk management, information security, or IT.
● University degree in a security/technology-related field or equivalent work/education-related experience.
● Knowledge of and experience in developing and documenting an information assurance strategy and security architecture ensuring security considerations and controls are represented at strategic, tactical and operational levels and are embedded in all projects and contracts.
● Track record of improving enterprise cyber hygiene and rolling out organization-wide solutions, such as end-point security.
● Experience working with journalists, media organizations or civil society organizations.
● Experience working with both commercial and open-source digital security tools.
● Demonstrated experience in investigating security incidents and responding to audits.
● Experience training people with low technical literacy in digital security concepts and practices.


To apply, please email a cover letter and resume to jobs(at)occrp.org.

All applications must be submitted in English. Incomplete applications will not be considered. Whilst we have internal goals to reply to unsuccessful candidates, we regret that the high number of applicants greatly exceeds our capacity to respond to each person. We apologize that we will not be able to reply to all unsuccessful applicants.

As an equal opportunity employer, OCCRP values having a diverse workforce and continuously strives to maintain an inclusive and equitable workplace. We offer competitive compensation and benefits and encourage people with a diverse range of backgrounds to apply. We do not discriminate against any person based upon race, religion, color, national origin, sex, medical conditions, family status, sexual orientation, gender identity, gender expression, age, disability, genetic information, or any other legally protected characteristics. If you are a qualified applicant requiring assistance or an accommodation to complete any step of the application process, please contact hr(at)occrp.org.
