Chief Information Security Officer

  • Title: Chief Information Security Officer
  • Category: Management
  • FLSA: Exempt
  • Grade: P

Job Summary

Under the direction of the Associate Vice President of Information Technology & Security (AVP/CIO), the Chief Information Security Officer (CISO) is responsible for the strategic leadership, implementation, and oversight of Portland Community College’s (PCC) enterprise-wide information security and risk management programs. The CISO ensures the confidentiality, integrity, and availability of the college’s information assets while proactively mitigating cyber threats and ensuring compliance with regulatory requirements. The CISO responds to inquiries from College departments, educational institutions, the community, and/or external agencies, and supervises administrative management, professional, classified, technical/support, and student staff. The CISO serves as a senior leader and collaborates across departments to align security strategies with PCC’s mission, business objectives, and technological transformation initiatives.

Distinguishing Characteristics

The CISO is a senior-level executive responsible for setting security strategy and governance across the college. Unlike the IT Security Manager, this position oversees the entire cybersecurity program, including risk management, compliance, security architecture, and incident response at an institutional level. The CISO must engage with executive leadership, the Board of Trustees, and external agencies while managing a team responsible for security operations, governance, risk, and compliance.

Typical Duties & Responsibilities

  1. With the AVP of IT and InfoSec, develop and execute a comprehensive information security strategy aligned with PCC’s institutional goals, risk appetite, and regulatory compliance requirements.
  2. Establish and maintain cybersecurity governance frameworks, including policies, procedures, and security controls, to protect institutional data and assets.
  3. Lead PCC’s cybersecurity risk management initiatives, including threat analysis, risk assessments, penetration testing, and business continuity planning.
  4. With the AVP of IT and InfoSec, serve as the primary advisor on cybersecurity matters to the Board of Trustees, executive leadership, and key stakeholders, ensuring transparency in security risks and mitigation strategies.
  5. Collaborate with IT leadership to integrate security into enterprise IT architecture, Workday ERP transition, and digital transformation initiatives.
  6. Oversee the Security Operations Center (SOC) and all aspects of threat detection, monitoring, and incident response.
  7. Establish and maintain an Incident Response and Forensics Program, ensuring rapid response and mitigation of cybersecurity incidents, including phishing attacks, ransomware, and data breaches.
  8. Lead annual cybersecurity drills and tabletop exercises with executive leadership to test incident response readiness.
  9. Direct the vulnerability management program, ensuring regular security assessments, penetration testing, and system hardening to proactively address threats.
  10. Ensure compliance with federal, state, and industry regulations (e.g., PCI DSS, GLBA, HIPAA, FERPA, NIST 800-171).
  11. Conduct cyber risk assessments and audits to ensure PCC meets internal and external security compliance mandates.
  12. Establish vendor risk management protocols, ensuring third-party security assessments are conducted for cloud-based services and external providers.
  13. Lead cybersecurity awareness training programs for faculty, staff, and students, ensuring a culture of security mindfulness across PCC.
  14. Collaborate with faculty and student IT programs to provide educational resources, internships, and cybersecurity workforce development initiatives.
  15. Develop and implement phishing simulation and training programs to reduce human error vulnerabilities.
  16. Oversee the Information Security budget, ensuring cost-effective investments in security technology and staffing.
  17. Advocate for cybersecurity funding and resource allocation to executive leadership and the Board.
  18. Ensure the strategic allocation of resources for new security tools, staff training, and emerging threat protection.
  19. Direct and manage the Information Security team, including Security Operations, Governance, Risk, and Compliance (GRC), and Security Architecture functions.
  20. Hire, evaluate, train, and mentor security personnel.
  21. Lead cross-functional teams on security projects and initiatives.

Minimum Qualifications

  • Bachelor’s degree in Information Security, Computer Science, Cybersecurity, or a related field.
  • Ten years of progressive IT security experience, including five years of senior leadership and supervisory experience.

Preferred Qualifications

  • Master’s degree in Information Security, Computer Science, Cybersecurity, or a related field.
  • Industry certifications (e.g., CISSP, CISM, CISA, CCISO, CRISC).

Knowledge, Skills and Abilities

Knowledge of:
  • Cybersecurity frameworks (NIST 800-171, CIS Controls, ISO 27001, Zero Trust Architecture);
  • Network security, endpoint protection, cloud security (AWS, Azure), and identity management;
  • Workday ERP security best practices and integrations;
  • Security information and event management (SIEM) tools, intrusion detection/prevention, and data loss prevention (DLP);
  • Penetration testing, threat intelligence, and vulnerability management programs;
  • Leadership and managerial principles;
  • Advanced theories and principles related to area of assignment;
  • Strategy development principles and procedures;
  • Applicable local, state, and federal laws, codes, rules, and regulations;
  • Public administration principles and practices;
  • Policy and procedure development and administration principles and practices;
  • Conflict mediation principles and practices;
  • Public relations principles;
  • Strategic management principles and practices;
  • Program management and development principles;
  • Higher education principles and practices.
Skill in:
  • Crisis management, ensuring effective communication and leadership during cybersecurity incidents;
  • Budgeting and financial planning for managing security investments and cost-effective risk mitigation;
  • Directing and providing leadership to subordinate staff;
  • Providing strategic leadership;
  • Planning, implementing, improving, and evaluating programs, policies, and procedures;
  • Speaking in public;
  • Managing multiple priorities simultaneously;
  • Analyzing and developing policies and procedures;
  • Managing change and sensitive topics;
  • Planning, analyzing, and evaluating programs and services, operational needs, and fiscal constraints;
  • Evaluating research to identify potential solutions, resolve problems, or provide information.
Ability to:
  • Articulate cybersecurity strategy to non-technical stakeholders, including the Board of Trustees;
  • Build and maintain strategic partnerships with federal, state, and local law enforcement agencies, higher education cybersecurity consortia (e.g., REN-ISAC), and industry security groups;
  • Work with the diverse academic, cultural, and ethnic backgrounds of community college students and staff;
  • Communicate effectively through oral and written media.

Work Environment and Physical Requirements

This job operates in a professional business office environment on a PCC campus. While performing the duties of this job, the employee is regularly required to maintain a stationary position for long periods of time (sitting or standing); communicate with employees, partners, and stakeholders; and operate a computer to develop work products, communicate, and carry out responsibilities. Occasionally the employee is required to move around the campus to attend meetings, access items, and utilize equipment, and, rarely, move or transport items up to 10 pounds. Ability to provide own transportation to and from campuses and/or offsite functions may be required.

REVISED: 10/2023, 6/2015, 2/2025