Chief Information Security Officer

Since 1869, we've connected people through food they love. We’re proud to be stewards of amazing brands that people trust. Our portfolio includes the iconic Campbell’s brand, as well as Cape Cod, Chunky, Goldfish, Kettle Brand, Lance, Late July, Pacific Foods, Pepperidge Farm, Prego, Pace, Rao’s Homemade, Snack Factory, Snyder’s of Hanover. Swanson, and V8.

Here, you will make a difference every day. You will be supported to build a rewarding career with opportunities to grow, innovate and inspire. Make history with us.

Why Campbell’s…

Chief Information Security Officer

How you will make history here…

The Chief Information Security Officer (CISO) reports to the Chief Digital & Technology Officer and is responsible for enhancing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The CISO is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The CISO will proactively work with business segments, corporate functions and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. He or she should deeply understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology. The CISO will be responsible for implementing and running the enterprise information security program.

The CISO should understand and articulate the impact of cybersecurity on (digital) business, and be able to communicate this to the board of directors and other senior stakeholders. He or she serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. The CISO understands that securing information assets and associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter. A key element of the CISO's role is working with executive management to determine acceptable levels of risk for the organization.

The CISO must be knowledgeable about both internal and external business environments, and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. The ideal candidate is a thought leader, a builder of consensus and of bridges between business and technology. He or she is an integrator of people, process and technology. While the CISO is the leader of the information security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the organization to deliver on its business goals and objectives. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of information security and/or risk management, with 15 years of relevant experience, including five years in a significant leadership role.

What you will do…

Responsibilities

• Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
• Provide regular reporting on the current status of the information security program to the CIO, enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
• Work with the vendor management office to ensure that information security requirements are included in contracts by liaising with vendor management and procurement organizations.
• Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
• Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
• Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
• Lead the security champion program to mobilize employees in all locations.
• Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals.
• Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management approach and compliance monitoring of nondigital risk areas.
• Manage the budget for the information security function, monitoring and reporting discrepancies.
• Manage the cost-efficient information security organization, consisting of direct reports and dotted line reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
• Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
• Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization.
• Assist with the identification of non-IT managed IT services in use ("shadow IT") and facilitate a corporate IT onboarding program to bring these services into the scope of the IT function, and apply standard controls and rigor to these services; where this is not possible, ensure that risk is reduced to the appropriate levels and ownership of this information security risk is clear.
• Work effectively with business units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
• Develop and enhance an up-to-date information security management framework based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
• Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
• Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
• Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
• Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and board levels.
• Provide input for the IT section of the company's code of conduct.
• Create the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
• Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
• Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
• Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.
• Create a risk-based process for the assessment and mitigation of any information security risk in your ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
• Work with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
• Collaborate and liaise with the data privacy officer to ensure that data privacy requirements are included where applicable.
• Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
• Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
• Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
• Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation.
• Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
• Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals, with the realization that components supporting primary business processes may be outside the corporate perimeter.
• Coordinate the development of implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
• Facilitate and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.

Who you will work with…

What you bring to the table… (Must Have)

Skills and Knowledge

• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT as well as applied experience on NIST, including 800-53 and Cybersecurity Framework
• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from board members to technical specialists
• Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
• Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
• Up-to-date knowledge of methodologies and trends in both business and IT
• Poise and ability to act calmly and competently in high-pressure, high-stress situations
• Must be a critical thinker, with strong problem-solving skills
• Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
• Project management skills: financial/budget management, scheduling and resource management
• Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist
• A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital
• Experience with contract and vendor negotiations
• Excellent stakeholder management skills
• High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
• High degree of initiative, dependability and ability to work with little supervision while being resilient to change

Experience

• Degree in information technology-related field and a minimum of 15 years of experience in a combination of risk management, information security and IT or OT jobs (at least five must be in a senior leadership role)
• Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
• Professional security management certification is required, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials

Compensation and Benefits:

The target base salary range for this full-time, salaried position is between

Individual base pay depends on work location and additional factors such as experience, job-related skills, and relevant education or training. Total pay may include other forms of compensation. In addition, we offer competitive health, dental, 401k and wellness benefits beginning on the first day of employment. Please ask your Talent Acquisition Partner for more information about our total rewards package.

The Company is committed to providing equal opportunity for employees and qualified applicants in all aspects of the employment relationship, including consideration for employment, without regard to race, color, sex, sexual orientation, gender identity, national origin, citizenship, marital status, protected veteran status, disability, age, religion, or any other classification protected by law.