
Chief Information Security Officer

Buffalo, NY, United States

Distinguishing Features of the Class

The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure the City’s information assets and technologies are adequately protected. This executive-level position reports to the Chief Information Officer (CIO) and is responsible for identifying, developing, implementing, and maintaining policies and procedures across the City’s IT infrastructure to reduce information security risks, respond to incidents, and ensure compliance with applicable regulations.

The CISO works closely with department heads, law enforcement, vendors, and external agencies to manage risk and safeguard the City’s digital assets.

Typical Work Activities

  • Oversee security operations, including incident response, threat intelligence, and vulnerability management.

  • Coordinate incident response activities, including investigations, documentation, reporting, and lessons learned.

  • Lead the development and enforcement of cybersecurity policies, procedures, and standards.

  • Develop, implement, and maintain a citywide information security strategy and governance framework.

  • Ensure compliance with applicable federal, state, and local laws, regulations, and standards related to information security (e.g., NIST frameworks, NYS ITS policies, CJIS, HIPAA, FOIL).

  • Collaborate with the CIO and MIS leadership to integrate security into all aspects of system architecture and service delivery.

  • Conduct and review security risk assessments and audits; report findings and remediation plans to leadership.

  • Manage vendor and third-party risk through contract reviews and assessments.

  • Develop and deliver cybersecurity awareness training for City employees.

  • Lead or contribute to business continuity and disaster recovery planning and exercises.

  • Advise on capital and operational budgeting needs for cybersecurity initiatives.

  • Evaluate new security threats and countermeasures affecting City information systems; recommend improvements to mitigate risks.

  • Administer or verify regular internal penetration (intrusion) testing; evaluate results and update policies, controls, and training programs accordingly.

  • Serve as the City’s information security expert; provide advice to agency executives, officials, and the CIO.

  • Develop or review contract language, service level agreements, and memoranda of understanding to align with information security requirements and City policies.

  • Represent the City at internal and external information security meetings and conferences; evaluate and implement the latest security techniques and tools.

  • Collaborate with peers to develop a multilayered and adaptive approach to a dynamic threat environment.

  • In consultation with Corporation Counsel, research relevant laws and regulations affecting security controls and information asset classification; approve adjustments as necessary.

  • Perform other related duties as required.

Full Performance Knowledge, Skills, Abilities, and Personal Characteristics

Knowledge:

  • NIST Cybersecurity Framework, NIST SP 800-series publications, CIS Critical Security Controls

  • New York State ITS security and data privacy requirements

  • HIPAA, FERPA, FOIL, CJIS, and other applicable regulatory standards

  • Network and endpoint security principles

  • Cloud computing and cloud security best practices

  • Identity and Access Management (IAM) systems

  • Security Information and Event Management (SIEM) technologies

  • Encryption methods and key management practices

  • Municipal IT systems architecture and operations

  • Cyber threat landscape and trends affecting public sector organizations

Skills:

  • Policy and procedure development and implementation

  • Security risk assessment and mitigation planning

  • Incident detection, response, and post-incident analysis

  • Security awareness training design and delivery

  • Security architecture review and design consultation

  • Project and budget management

  • Communicating security risks to non-technical audiences

  • Overseeing compliance audits and remediation efforts

  • Building and leading multidisciplinary teams

  • Collaborating across departments, agencies, and vendors

Abilities:

  • Analyze, assess, and mitigate complex security risks

  • Interpret and apply information security laws and policies

  • Lead under pressure and manage crisis communications

  • Prioritize competing demands while maintaining policy compliance

  • Identify vulnerabilities and recommend practical, cost-effective solutions

  • Maintain strong internal controls while supporting operational flexibility

  • Prepare and present detailed reports to executive and elected officials

  • Maintain confidentiality and safeguard sensitive information

  • Stay current with evolving threats and technologies

  • Foster a security-conscious organizational culture

Minimum Qualifications

  • Education: Bachelor’s Degree from an accredited college or university in Cybersecurity, Computer Science, Information Technology, or a closely related field.

  • Experience: Seven (7) years of progressively responsible experience in information technology, including at least one year in an information security leadership role or two years in an executive-level IT leadership role. Experience in a public sector, regulated, or multi-stakeholder environment is highly desirable.

Note: Verifiable part-time experience will be pro-rated to meet full-time experience requirements. Proof of education must be presented at the time of appointment.

Salary

$136,990