Chief Information Security Officer

Location: Toronto, Canada

Thales people architect solutions that support 85 million mainline and suburban passenger journeys, worldwide, every day. Our Rail Signalling and Communication systems are used on metro lines across major cities, and 72,000 kms of route, 52,000 trains per day in 16 countries are controlled by our Traffic Management Systems. Together We deployed the first-ever nationwide ticketing system which processes over 50 million ticketing transactions in 100 cities daily.

Thales provides world-leading Communications-Based Train Control (CBTC) and interlocking for mass rail transit applications globally. The Centre of Competence for Urban Rail Signalling is located right before you at mid-town Toronto. As the largest office in Canada, we house a department for every step of the Software Development Lifecycle (SDLC)! This includes Software, Hardware, Systems Design, Verification & Validation, Operations, etc. The supporting corporate shared services teams in Finance, Human Resources and IT is also located at the office. Our office space was designed to provide a sustainable, healthy workplace that expresses TRSS’s brand while increasing collaboration. Features include Greenguard furniture, EnergyStar appliances, low-emitting adhesives, sealants, and sliding glass doors on internal offices provide daylight and views to the outside. Come join the big Transport family, here in Toronto!

Ground Transportation System Inc. is seeking a Chief Information Security & Compliance Officer to provide vision and leadership for developing and supporting security initiatives. The CISO directs planning and implementation of enterprise IT systems, business operations, and facility defenses against security breaches and vulnerability issues. This individual is also responsible to identify, manage, and report on the company’s compliance regulatory, legislative, and contractual requirements. Responsibilities will include performing reviews, assessments and audits, conducting research, and facilitating communication to internal and external stakeholders where necessary. The position will monitor, coordinate, and implement policies, standards, procedures, controls, and guidelines to support security, compliance, and audit requirements.

Key Responsibilities:

Strategy & Planning

• Assist with the design and implementation of disaster recovery and business continuity plans, procedures, audits, and enhancements.
• Improve existing compliance programs and processes.
• Develop, review, and modify information security and privacy policies.
• Lead strategic security planning to achieve business goals by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies using a risk-based assessment methodology.
• Design and execute audit procedures to assess and measure company compliance with its security policies and procedures.
• Monitor advancements in information privacy laws to ensure organizational adaptation and compliance.
• Develop and communicate security strategies and plans to executive team, staff, partners, customers, and stakeholders.
• Determine whether a security incident violates a privacy principle or legal standard requiring legal action.

Operational Management

• Ensure that facilities, premises, and equipment adhere to all applicable laws and regulations.
• Promote and oversee strategic security relationships between internal resources and external entities, including government, vendors, and partner organizations.
• Creatively and independently provide resolution to security problems in a cost-effective manner.
• Assess and communicate any and all security risks associated with any and all purchases or practices performed by the company.
• Work closely with the IT department on corporate technology development to fully secure information, computer, network, and processing systems.
• Manage the administration of the facility’s security systems and their corresponding equipment or software, including fire alarms, locks, intruder detection systems, sprinkler systems, and anti-theft measures.
• Where necessary, supervise recruitment, development, retention, and organization of security staff in accordance with corporate budgetary objectives and personnel policies.
• Collaborate with IT leader, privacy officer, and HR to establish and maintain a system for ensuring that security and privacy policies are met.
• Act as advocate and primary liaison for the company’s security vision via regular written and in-person communications with the company’s executives, department heads, and end users.
• Manage the administration of all computer security systems and their corresponding or associated software, including firewalls, intrusion detection systems, cryptography systems, and anti-virus software.
• Remain informed on trends and issues in the security industry, including current and emerging technologies and prices. Advise, counsel, and educate executive and management teams on their relative importance and financial impact.
• Recommend and implement changes in security policies and practices in accordance with changes in local or federal law.
• Develop, track, and control the security services annual operating and capital budgets for purchasing, staffing, and operations.

Compliance and Audit Assessments

• Establishes IT security audit procedures relevant to GDPR, ISO 2700-1 and PIPEDA.
• Manages compliance testing and monitoring of current and future regulatory obligations, and other regulatory matters as required.
• Coordinates third-party audits.
• Conducts internal security risk assessments and security compliance audits.

Communication

• Work with business leaders to ensure information security risk findings are reviewed and solutions are implemented.
• Lead the escalation and resolution of risk and compliance issues with appropriate stakeholders including corporate functions, engineering, legal, IT, and customers].
• Document, investigate, and report cybersecurity compliance issues and incidents, where necessary.
• Understand, develop, and deliver meaningful reports on the program state and adherence to frameworks and standards.
• Develop materials and tools to effectively communicate compliance and corporate requirements.
• Develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
• Liaise with relevant parties to commission activities relating to contingency planning, business continuity management, and IT disaster recovery.
• Collect, analyze, and prepare reports required for senior management, regulators, and other relevant stakeholders.

Key Requirements:

• Excellent knowledge of technology environments, including information security, building security, and business continuity planning
• Substantial exposure to data processing, hardware platforms, enterprise software applications, and outsourced systems, including IaaS and SaaS.
• Knowledge of computer networking concepts and protocols and network security methodologies.
• Knowledge of risk management processes (e.g. methods for assessing and mitigating risk).
• 10 year experience managing and/or directing an IT and/or security operation.
• Excellent understanding of project management principles.
• Proven experience in planning, organizing, and developing IT security and facility security system technologies.
• Significant knowledge of and experience with legal and regulatory compliance standards ISO 27001, GDPR, and PIPEDA.
• Demonstrated ability to apply IT in solving security problems.
• Knowledge of risk management processes.
• University degree in Computer Science or Information Security.
• Experience with IT governance, risk, and compliance management.
• Knowledge of cyber threats and vulnerabilities.
• Knowledge of specific operational impacts of cybersecurity lapses.
• Knowledge of cyber threats and vulnerabilities.
• In-depth knowledge of applicable laws and regulations as they relate to security.

Preferred Qualifications:

• Master’s or PhD degree in one these fields or Information Security preferred.
• Certifications in CISSP, CISA, CISM, or other relevant security-related designation(s) an asset.

Thales is required to follow mandatory customer policies as well as Federal and Provincial legislation, now and in the future. This includes, but is not limited to, vaccination mandates and travel requirements. This role requires you to work on a customer site and/or travel. Therefore, you must follow all mandatory customer policies, Federal, and Provincial legislation as a condition of employment.

Thales is an equal opportunity employer which values diversity and inclusivity in the workplace. Thales is committed to providing accommodations in all parts of the interview process. Applicants selected for an interview who require accommodation are asked to advise accordingly upon the invitation for an interview. We will work with you to meet your needs. All accommodation information provided will be treated as confidential and used only for the purpose of providing an accessible candidate experience.