| Field | Value |
| --- | --- |
| Job ID | 2026-6602 |
| # of Openings | 1 |
| Category | Information Technology |
| Location : Name | Topa Financial |
| Min | USD $109,861.00/Yr. |
| Max | USD $170,000.00/Yr. |

Overview
PURPOSE STATEMENT
The Sr. Manager, IT Security is responsible for leading and operating a comprehensive, risk-based cybersecurity and information protection program for a regulated utility environment. This role will provide enterprise leadership for security strategy, governance, risk management, security operations, incident response, identity and access management, vulnerability management, and security architecture. This position requires deep technical breadth, strong management skills, and executive-level judgment. The Sr. Manager, IT Security serves as a key advisor to IT and business leadership, translates cyber risk into business impact, and contributes to enterprise technology decision-making.
Responsibilities
ESSENTIAL FUNCTIONS/RESPONSIBILITIES
Leadership & People Management
- Manages a team to oversee security operations, including monitoring, detection, investigation, and response activities.
- Leads succession planning, talent development, workforce planning, and organizational capability building for the IT Security function.
- Develops and manages the cybersecurity budget, including strategic planning for staffing, technology investments, consulting services, and managed security providers.
Cybersecurity Strategy & Governance
- Leads the design, implementation, and continuous improvement of the enterprise information security program.
- Develops and executes the organization's long-term cybersecurity vision, strategy, and roadmap in alignment with business objectives and technology initiatives.
- Develops and maintains security strategy, policies, standards, procedures, and multi-year roadmaps aligned with business objectives and regulatory requirements.
- Serves as the primary cybersecurity advisor to executive leadership, providing recommendations regarding enterprise risk, security investments, and emerging threats.
- Leads enterprise-wide cybersecurity governance, ensuring security policies, standards, and controls are consistently implemented across all business units and technology environments.
- Sponsors and drives cybersecurity program maturity initiatives through the adoption of industry frameworks, best practices, and continuous improvement efforts.
Security Operations & Incident Response
- Leads cybersecurity incident investigations, coordinates containment and recovery activities, and engages external resources as required.
- Develops, maintains, and regularly tests incident response plans and playbooks, including tabletop exercises with IT and business stakeholders.
- Manages security technologies and platforms, including but not limited to email security, endpoint detection and response (EDR), vulnerability management, identity protection, and logging/SIEM solutions.
- Stays current on emerging cybersecurity threats, vulnerabilities, and industry-specific risk trends affecting utility operations.
Risk Management, Compliance & Audit
- Establishes and maintains a cybersecurity risk management framework, including risk identification, assessment, prioritization, mitigation, and reporting to executive leadership.
- Maintains an enterprise security risk register, including risk assessments, remediation plans, and formal risk acceptance documentation.
- Oversees cybersecurity compliance efforts related to applicable regulatory, legal, contractual, and industry requirements.
- Leads enterprise cybersecurity audits, assessments, and third-party reviews, ensuring timely remediation of identified findings and recommendations.
- Directs third-party cybersecurity risk management activities, including security due diligence, vendor assessments, and ongoing monitoring of critical suppliers and service providers.
Vulnerability & Security Engineering Management
- Leads vulnerability scanning, prioritization, remediation tracking, and reporting across infrastructure, applications, and cloud environments.
- Partners with Infrastructure, Applications, OT, and Operations teams to manage patching cadence, exceptions, and remediation SLAs.
- Directs security architecture and security-by-design initiatives to ensure cybersecurity requirements are integrated into infrastructure, applications, cloud environments, and operational technology (OT) systems.
- Oversees cybersecurity considerations for mergers, acquisitions, major technology implementations, and other strategic business initiatives, as applicable.
Security Awareness & Culture
- Creates programs designed to increase cybersecurity awareness within the company, such as phishing campaigns and annual cybersecurity training programs.
Metrics, Reporting & Executive Communication
- Establishes security metrics and dashboards to measure effectiveness and report risk posture to IT leadership and executives.
- Establishes key performance indicators (KPIs), key risk indicators (KRIs), and cybersecurity program metrics to measure effectiveness and support strategic decision-making.
- Provides executive-level reporting and presentations regarding cybersecurity posture, program maturity, key risks, incidents, trends, and strategic initiatives.
OTHER FUNCTIONS/RESPONSIBILITIES:
- Ensure compliance with IT controls, including preparing and approving audit reports.
- Manage operational budget and expenses related to both new purchases and existing cybersecurity services.
- Effectively manage strategic and highly visible projects related to cybersecurity and other IT initiatives.
- Complies with all safety rules and cooperates to the fullest in the promotion of safety and safe work habits, including the reporting of any unsafe conditions or acts. Maintains all EH&S training on a current basis.
- Complies with all applicable corporate and Hawaii Gas policies and procedures.
- Maintains assigned work area and equipment in a clean, orderly and safe manner; performs housekeeping duties as required and/or instructed. Works in a safe and responsible manner.
- Performs all other related duties as instructed by supervisor/manager.
Qualifications
Required Education and/or Work Experience:
- Bachelor's degree in management information systems, information technology, computer science, or related field.
- Minimum ten (10) years of progressively responsible experience in information technology and/or cybersecurity.
- Minimum five (5) years of experience managing a technical team.
- Experience in IT operations and management, including leading technical projects, analyzing business processes, and implementing systems and process improvements.
- Demonstrated experience developing, implementing, and managing enterprise cybersecurity programs, including security operations, incident response, vulnerability management, risk management, and security governance.
- Demonstrated experience leading and managing systems and vendor relationships with SOC and SIEM services.
- Demonstrated experience in managing large technical projects with budgets > $100K.
- Proficient in Microsoft 365 tools, especially Word, Excel, Project, Visio, and PowerPoint.
Preferred Education and/or Work Experience:
- Master's degree in management information systems, information technology, computer science, or related field.
- Two (2) or more years of experience in software development.
- Two (2) or more years of experience in using scripting languages (e.g., Python, PowerShell).
- Graduate degree in Information Science, Engineering, or a similar discipline preferred.
- Hands-on experience with cloud-based SaaS, IaaS, and PaaS solutions.
- Experience in the energy and utilities industry.
- Experience in development of AI strategy in risk management and productivity applications.
- Knowledgeable in business processes such as sales, accounting, and IT service management.
- Familiarity with SOX audit requirements.
Required Licensure, Certification, Registration, or Designation:
- CISSP or equivalent cybersecurity certifications.
- Valid Hawaii Driver's License.
Preferred Licensure, Certification, Registration, or Designation:
- IT Information Library Version (ITIL) 3 or 4 certifications.
- Six Sigma Green Belt or higher.
- PMP (Project Management Professional).
- The Open Group Architectural Framework (TOGAF) 9.x or 10.x certification.