Virtual Chief Information Security Officer

Overview

Remote
$125
Accepts corp to corp applications
Contract - Independent
Contract - W2
Contract - 3 Year(s)

Skills

CISO

Job Details

Position: Virtual Chief Information Security Officer (vCISO)

C2C Hourly rate: $125/hr

Client: Howard Community College (HCC)

Location: 10901 Little Patuxent Parkway, Columbia Maryland 21044 (100% remote)

Duration: Three years (part time, up to 20 hours a week)

DK Consulting Overview: Founded in May 2003, DK Consulting, LLC, a woman-owned small business, was formed to provide management and technology solutions based on industry best practices. DK Consulting, LLC works with multiple State, Federal, and Commercial customers, and our services range from providing customers with that one critical resource to assuming responsibility for an entire IT project. We offer excellent benefits and provide exceptional employee management.

The vCISO shall provide expert virtual cybersecurity services up to twenty (20) hours a week during normal business hours, which may be exceeded in the event of a security incident or breach. HCC seeks a fresh perspective on its security measures and protocols, not only to improve its posture but also to identify new risks and opportunities. The vCISO will also be responsible for leading HCC's efforts to address the nine (9) elements of the Gramm-Leach-Bliley Act (GLBA) for compliance purposes.

Duties and Responsibilities:

  1. Perform a detailed cyber risk assessment that includes, but is not limited to, the following:
    1. Analyze and iterate upon the previous risk assessment conducted in 2024.
    2. Identify, estimate, and prioritize potential information and cyber security risks at the college.
    3. Examine HCC's current technology, security controls, policies, and procedures to assess potential threats or attacks.
    4. Evaluate HCC's threat landscape, vulnerabilities, and cyber gaps that pose a risk to its assets.
  2. Be prepared to act as HCC's Qualified Individual (QI) to present quarterly reports to HCC's Board of Trustees and leadership as required and specified by GLBA.
  3. Enhance HCC's information security program using a framework such as the Center for Internet Security (CIS) Critical Security Controls or CIS Implementation Group 1 (IG1) that protects HCC in accordance with GLBA security requirements:
    1. Use industry standard benchmarks to track adherence to the selected frameworks.
    2. If needed, develop a step-by-step process for server hardening.
  4. Perform third-party and partner evaluations using the Higher Education Community Vendor Assessment Toolkit (HECVAT). Review and update, as needed, the third-party vendor management policy.
  5. Provide information security leadership, communication, investigation, mitigation, containment, and post-incident analysis in the event of a cyber incident.
  6. Update and enhance existing cybersecurity policies and procedures as required by GLBA. The policies include but are not limited to:
    1. Incident Response Plan
    2. Information Security Plan
    3. Third-Party Vendor Management
    4. Vulnerability management
    5. Data management
    6. Software management
    7. Hardware asset management
  7. Provide guidance when analyzing real-time threats identified by HCC's security operations center.
  8. Develop and implement the strategy to conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with security policies.
  9. Write a clear and concise incident response plan that meets industry standards.
  10. Develop business continuity and disaster recovery plans and conduct annual tabletop exercises.
  11. Review and provide guidance on existing Security Awareness & Training materials and activities.
  12. Participate in meetings as needed (i.e., weekly, monthly, quarterly, ad hoc, etc.). Under normal circumstances, in-person meetings are not required. In the event of an incident or breach, an in-person meeting may be required. Additional in-person meetings will be scheduled as needed with advance notice.
  • Security Metrics & Reporting - Define and track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for cybersecurity. Provide monthly dashboards or scorecards to leadership.
  • Zero Trust Architecture (ZTA) Guidance - Assess HCC's readiness for Zero Trust. Develop a roadmap for implementing ZTA principles.
  • Cloud Security Posture Management - Review and advise on the security configuration of cloud services (e.g., Microsoft 365, AWS, Azure). Ensure alignment with CIS Benchmarks and shared responsibility models.
  • Security Architecture Review - Review and advise on network segmentation, identity and access management (IAM), and endpoint detection and response (EDR) strategies.
  • Data Privacy & Protection - Support compliance with FERPA, HIPAA, and Maryland state privacy laws. Recommend data classification and data loss prevention (DLP) strategies.
  • Cybersecurity Awareness Program Expansion - Develop or identify role-based training for faculty, staff, and students.
  • Tabletop Exercises & Incident Simulations - Include ransomware and insider threat scenarios in exercises.
  • Emerging Threat Intelligence - Provide quarterly threat briefings tailored to higher education. Integrate threat intelligence feeds into HCC's security operations.
  • Security Budget & Resource Planning - Make recommendations for a multi-year cybersecurity budget. Perform gap analysis to recommend staffing or managed services.
  • Cyber Insurance Readiness - Review current cyber insurance policies. Ensure controls meet insurer requirements and reduce premiums.

Minimum Qualifications:

  • Must possess years of experience providing virtual or remote CISO-level services, including the ability to translate complex security concepts for executive and non-technical audiences. Includes leadership experience in advising executive teams or governing bodies on cybersecurity strategies.
  • Must possess at least 7-10 years of experience in IT security-related roles such as security analyst, network administrator, or similar positions.
  • Possession of industry-recognized certifications such as CISSP, CISM, or CISA:
    • Certified Information Systems Security Professional (CISSP)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Auditor (CISA)
  • Regulatory Requirements - Demonstrates strong knowledge of regulatory requirements (e.g., FERPA, GLBA, HIPAA, PCI-DSS) and sound risk management practices tailored for higher education institutions.
  • Knowledge of Security Frameworks - Demonstrates understanding and application of recognized cybersecurity frameworks, including NIST 800-53, CIS Critical Security Controls, and CIS Implementation Group 1 (IG1).
  • Cybersecurity Technologies - Demonstrates familiarity with current security technologies, including those commonly deployed in higher education settings (e.g., firewalls, endpoint protection, SIEM, IAM).
  • Threat Intelligence and Incident Response - Demonstrates experience in proactive threat detection, vulnerability assessments, risk mitigation, and effective incident response practices.


Educational Requirement: Possession of a bachelor's degree or higher in cybersecurity, information technology, computer science, or a related field from an accredited U.S. institution. A master's degree is preferred.

*No Visa Restrictions*
