Manager, Information Security

American Equity Des Moines, IA

Company

American Equity

Location

Des Moines, IA

Type

Full Time

Job Description

At American Equity Investment Life Holding Company, we think of ourselves as The Financial Dignity Company. Our policyholders work with independent agents, banks and broker-dealers through our wholly-owned operating subsidiaries, to choose one of our leading annuity products best suited for their personal needs to create financial dignity in retirement. We remain steadfast in our commitment to quality products, excellent customer service, integrity, safety and delivering on our promises to our policyholders. Our success comes from hiring people who embody the beliefs that drive our unique, energetic, fast-paced and caring culture of collaboration, ownership and innovation.

We currently fund over half a million retirements nationwide, and have been headquartered in West Des Moines, Iowa, for over twenty-five years, with satellite offices slated to open in 2022 in Charlotte, NC, and New York, NY. We are a NYSE-listed company and maintain an "excellent" rating from AM Best. Our company has over $57 billion in assets, 26,000 active agents and over 650 employees.

GENERAL PURPOSE OF THE JOB:

The Information Security Manager is responsible for the management and operation of a mature and comprehensive corporate information security program that ensures the effective implementation of a strategic and comprehensive security control set. With both vision and expertise, strategically leads, manages and implements best practices relative to the corporate Information Security Controls Framework.

As the functional team manager, the incumbent provides oversight and operational ownership of required processes intended to minimize information security and business continuity risks to American Equity Investment Life Insurance Company (AEILIC), in a manner that balances the operational functionality and business growth of a thriving company with the need for an effective information security control environment. Provides direct staff management responsibilities for a team of employees engaged exclusively in the information security discipline.

ESSENTIAL DUTIES AND RESPONSIBILITIES:

  • Develops, implements and monitors a strategic, comprehensive enterprise information security and IT risk management program to ensure that the integrity, confidentiality and availability of information is owned and controlled.
  • Creates and manages a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global cybersecurity threats as well as applicable laws, standards and regulations.
  • Leads a diverse team of employees with responsibility for managing the employee life cycle and experience, including tasks such as the selection and retention of talent, continuous feedback and performance management, reward and recognition, corrective action and employee development. Coaches, mentors, and leads departmental staff toward appropriate business objective completion as well as career track progression.
  • Develops, maintains and publishes up-to-date information security policies, standards and guidelines. Oversees the approval, training and dissemination of applicable policies and practices.
  • Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the team and its corresponding resource allocation.
  • Ensures that departmental programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings (both internal and external).
  • Works directly with business and technical units to facilitate IT risk assessment and risk management processes and works with stakeholders throughout the enterprise in identifying acceptable levels of residual risk.
  • Provides regular reporting on the current status of the information security program to enterprise risk teams and senior business leaders (potentially executive leadership and Board of Directors) as part of a corporate Enterprise Risk Management program.
  • Manages security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.
  • Develops and oversees effective disaster recovery policies, standards and planning documents to align with enterprise business continuity management program goals.
  • Performs related duties and fulfills responsibilities as required, and other duties as assigned.


SUPERVISORY RESPONSIBILITIES:

Direct Reports: Up to eight including Information Security Analyst and Specialists

General Description of Indirect Reports (2 and 3-downs): 0

EDUCATION AND/OR EXPERIENCE:

  • Bachelor's degree (B.A./B.S.) in a technology-related field, or equivalent combination of education and business/technical experience.
  • Minimum of seven (7) years of combined experience in the information security field.
  • Some experience in a management role is preferred, although not required. Employment history should demonstrate increasing levels of responsibility.
  • Experience working with cybersecurity legal and regulatory requirements, such as the Sarbanes-Oxley Act (SOX), the New York DFS (23 NYCRR 500) cybersecurity regulation, and the National Association of Insurance Commissioners' model regulation.
  • Experience and/or working knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT, and NIST.
  • Working knowledge of relevant technology service delivery methodologies such as IT Infrastructure Library (ITIL), IT Service Management (ITSM), and DevOps.
  • Experience in the development of policies and procedures is helpful, as well as successfully executing programs that meet the objective of excellence in a dynamic environment.


CERTIFICATES, LICENSES, PROFESSIONAL DESIGNATIONS:

A combination of applicable professional certifications is desired. Relevant designations include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or other similar credentials.

KNOWLEDGE, SKILLS AND ABILITIES:

  • Expertise in industry best practices and strategies relative to information security controls, technology service delivery processes and technology, and procurement.
  • Solid written, verbal, and interpersonal communication skills and the ability to communicate technical risks and concepts to technical and nontechnical audiences.
  • Ability to respond effectively to the most sensitive inquiries or complaints.
  • Poise and the ability to act calmly and competently in high-pressure, high-stress situations.
  • Must be a critical thinker, with strong problem-solving skills.
  • Exhibit excellent analytical skills with the ability to read, analyze, and interpret technically complex documents.
  • Ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment to meet overall objectives.
  • Project management skills, including resource and schedule management.
  • High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and emotional intelligence.
  • High degree of initiative, dependability and ability to work with little supervision.
  • Ability to work cooperatively and successfully with co-employees, customers, and other outside third parties.

Date Posted

10/31/2022
