Director, Information Security - Toronto, Ontario
Tilray is a global leader in cannabis research, cultivation, processing and distribution. We aspire to lead, legitimize and define the future of our industry by building the world’s most trusted cannabis company. We are committed to setting the gold standard of care and excellence in our industry. We believe that commitment starts with a great work environment and benefits for our associates.
Looking to develop your career at the forefront of a rapidly expanding industry?
Ready to apply your talents to make a positive difference in the lives of patients across the country?
Tilray’s values guide each employee’s work every day. Those values are:
Act with Integrity – we rely on honest, transparent and trustworthy behavior and communication.
Be Steadfast – we have an unwavering obligation to our patients, consumers, providers, colleagues and community to be sincere, accountable and responsive.
Care – to achieve abundance in our crops and our lives, we must act with passion, focus and dedication.
Collaborate – we believe that none of us is as smart as all of us, and together we succeed.
Pursue Excellence – we believe in our ability to spark innovation, achieve greatness, and overcome any risk, challenge or failure met along the way.
The Director, Information Security will drive the vision, strategy and compliance of information security for the company globally.
The Director, Information Security is responsible for managing all aspects of governance, risk and compliance related to information security. He/she oversees the development, communication and review of Tilray’s information security policy framework as well as the identification, assessment and mitigation of cybersecurity risks, and coordinates internal and external audits related to cyber and information security. All compliance requirements, which translate into cyber and information security controls, are also under his or her responsibility.
The incumbent is also responsible for developing, implementing, and managing the Information and InfoSec Awareness Program. He/she will implement a program to ensure all employees, consultants and suppliers understand and follow the organization’s information and cybersecurity policies and requirements, and conduct themselves in a secure manner through training, awareness, education and professional development.
Roles and responsibilities
- In collaboration with the CIO, develop a comprehensive cybersecurity roadmap for the organization’s information security program for the IT InfoSec team to implement, tracking status through to completion
- Design and implement a corporate risk management framework with supporting policies, procedures, and standards.
- Identify and lead efforts to implement effective mechanisms to drive business and efficiency through security. Lead the implementation of compliance, administrative, and detective solutions to enhance the security of the organization.
- Responsible for implementing an incident identification and response program to identify cybersecurity threats to the organization.
- Promote information security awareness and training throughout the organization, and instill a culture of security throughout.
- Represent the company’s data security and privacy posture and assurances to customers, prospects, and external stakeholders
- Collaborate with internal leaders to ensure the business continuity and recovery function is in place for the business
- Establish, communicate and review Tilray’s information security policy framework, including policies, directives, processes, standards, methodologies and related documentation
- Identify, assess and coordinate mitigation of cybersecurity risks with IT InfoSec team
- Investigate and analyze root causes, patterns, or trends, and help identify and implement corrective action where appropriate
- Identify potential areas of non-compliance risk, develop and implement corrective action plans and provide guidance on how to avoid similar situations in the future
- Prepare and present quarterly updates to the General Counsel, CEO, CIO, and/or Board of Directors
- Partner and collaborate with business stakeholders across the company to raise awareness of risk management and cybersecurity concerns
- Identify and own resolution of related issues and non-compliant conditions
- Conduct a continuous assessment of current IT InfoSec security practices and systems
- Run internal security audits and risk assessments that may be required by regulators, including compliance reviews for privacy controls, GDPR, and role-based access
- Collaborate with the Internal Audit team to ensure cybersecurity compliance with applicable regulations and frameworks such as SOX, SOC and NIST
- Oversee the investigation of reported security breaches
- Support the continuous improvement of processes to promote efficiency
- Contribute positively to the culture of the team and the company as a whole
- Due to the dynamic nature of the industry, the scope of your job may evolve and change with business demands
Qualifications and experience
- Bachelor’s degree in Information Technology, Business Administration, or an information-related field, and a professional cybersecurity management certification (CISSP, CISA, CRISC, etc.)
- At least ten years of experience in Information Security, Operational Risk, Internal Audit, or other relevant department, with specific knowledge of data integrity and cybersecurity, including related policies and processes
- Experience leading compliance efforts through various standards and certifications (e.g. ISO 27001, NIST Cyber Security Framework, SSAE16).
- Experience in a leadership role in areas of governance, audit and control management
- Exceptional English, written and verbal communication skills, including for the development and delivery of presentations
- Ability to lead change, often in the absence of direct authority
- Strong planning, coordinating, organizing, training and implementation skills
- Demonstrable competence and experience in explaining complex information and cybersecurity concepts and technologies to both technical and non-technical audiences, management and executives
- Thrives on change, showing an impressive ability to drive the information security strategy forward
- Demonstrable knowledge of the policies and behaviors for information handling and protection
- Responsive, agile approach to manage changing priorities
- Effective negotiation and communication skills with different levels of the organization
- Innovative thinking and leadership with an ability to lead and motivate cross-functional, interdisciplinary teams
- Specific experience in ITIL, COSO, GMP, or other best practice frameworks is an asset
Who you are
- Exceptional communicator with proven ability to facilitate discussions and issue resolution among key business leaders
- Strong quantitative and qualitative analytic skills
- Strong business acumen
- Excited to work in a fast-paced and intellectually challenging environment
- Excellent analytical and organizational skills
- Ability to work independently with minimal supervision
- Ability to manage multiple projects at once, to synthesize information from multiple sources, and to follow through and meet deadlines
- Exceptional judgment with the ability to cope with competing priorities
- Resourceful and creative in your approach to problem solving
- Exceptional written and oral communication skills, including ability to brief and communicate complex issues in a succinct manner
- Focused on pragmatic business advice and solutions
- Professional and collaborative with the ability to build and maintain trusted relationships with stakeholders
- Positive “can-do” attitude