Department: Information Services
Appointment Type and Duration: Regular, Ongoing
Salary: $70,000 - $90,000 per year
Compensation Band: OS-OA08-Fiscal Year 2023-2024
FTE: 1.0
Application Review Begins
July 22, 2024; position open until filled
Special Instructions to Applicants
To be considered for this position, please submit a complete application. Complete applications must include a cover letter and resume that address how you meet the minimum and preferred qualifications, as well as professional competencies.
We are interested in finding the best candidate for the position. We encourage you to apply, even if you don’t think you meet every one of our preferred qualifications--use your cover letter to let us know what is meaningful to you about the role and what transferable skills or other qualities you would bring.
Department Summary
Information Services (IS) is the central information technology organization at the University of Oregon, delivering a broad range of technology and services to the university. IS consists of four major functional areas, each led by a direct report to the VP-CIO: Customer Experience, which serves as the key contact point for interactions with campus clients and customers; Enterprise Solutions, which manages and supports applications, integration services, identity management and data management; Information Security, which helps protect virtual or physical information; and Technology Infrastructure, which provides engineering and support for research IT services and high-performance computing, networking, compute, storage, voice, data centers, audio-visual and classroom technologies, and UO staff supporting Link Oregon, Oregon’s state-wide research and education network.
IS has developed its IT governance practices to sustain alignment between university priorities and its values, resources, and measures of success. The IT Steering Committee, the highest governance entity, helps IS leadership continue to position the organization for optimal impact.
UO Information Security Office (ISO) -
ISO comprises four teams, each focusing on a set of principles and practices established by the NIST Cybersecurity Framework (v.1.1) that Information Services has established as the operational framework for the University’s approach to information security:
Information Security Services & Operations (ISSO) -
ISSO focuses on the identify, protect, and detect functions of the NIST cybersecurity framework. The ISSO deploys technologies to protect the university’s resources and communication channels. This team oversees the identification of institutional assets, updates their risk representation, and provides services to protect them. Programs managed by this function include vulnerability management, email security and phishing protection, threat defense tools like intrusion defense (IDS) and intrusion protection (IPS) systems, security incident event management (SIEM). The ISSO team works with the community to advise regarding the buildout and operation of secure infrastructure to support the university academic, research, and administrative missions.
Cyber Security Operations Center (CSOC) -
CSOC focuses on the detect, respond, and recover functions of the NIST framework. The CSOC manages the university threat-intelligence feeds for indications of compromise, threat hunting, starting incident-response functions, and guiding the recovery after an incident. The group is staffed using university students who rotate through three roles: a) CSOC Analyst, b) Incident Response Analyst and c) Compliance Analyst, during the time they are part of the group.
Information Security Risk & Compliance (ISRC) -
ISRC focuses on supporting all five functions of the NIST cybersecurity framework from the point of view of compliance and controls development. The ISRC works on the creation of policies, standards, controls, guidelines, and procedures that support the information security program. The group works with the university contracts management teams in performing risk and compliance capabilities assessments related to information security for third-party vendors and research contracts. In addition, the team manages UO’s cybersecurity awareness and training program and collaborates with compliance management for GLBA, HIPAA, FERPA, PCI, Red Flag, NIST, and other regulatory requirements relevant to the University.
Information Technology Disaster Recovery (ITDR) Program -
ITDR is a new function of the ISO created in 2022 as the result of one of the objectives identified during an internal information security program review. The ITDR function defines the set of procedures and supporting documentation that enables the university to restore core IT services as part of its overall business continuity plan. The program identifies critical applications and dependencies, defines an appropriate (and desired) recovery timeline based on a business impact analysis, and creates step-by-step incident-response plan for those critical applications. The program manager assigned to this function works with all IT solutions and services providers to build IS’ ITDR plan and make it actionable.
The Information Security Office works closely with other areas within Information Systems. Chief among these are Enterprise Solutions, which is responsible for identity and access management; Customer Experience, which includes endpoint management; and Technology Infrastructure, which has operational responsibility for network security. The CISO works closely with the peers who lead these areas on strategy and on shared commitments to implementation.
ISO’s annual expense budget, including payroll, is $3M. Its professional staff sustain hybrid working arrangements and are supported by ~15 students who work largely in the cybersecurity operations center. The University has invested significantly in ISO resources over the last several years in terms of both staff and systems as well as student support.
A subcommittee of the IT Steering Committee, the Information Security and Privacy Governance subcommittee, enables the Chief Information Security Officer to understand, shape, and align with overall governance and university priorities and initiatives.
Position Summary
The Cybersecurity Awareness Training and Outreach Program Manager reports to the Chief Information Security Officer and works under the direction of Information Security Office leadership to manage and execute cybersecurity awareness programs for the University of Oregon and drive a security-minded culture across employees, faculty, students, contractors and third parties. The program manager works with internal stakeholders and external cybersecurity awareness vendors to ensure the program is aligned with leadership’s expectations. Also, the program manager will emphasize employee behavioral change by providing successful training and education content focused on mitigating institutional risk.
This individual oversees all components of the cybersecurity awareness program including the development, review, implementation, and maintenance of the organization’s information security awareness program, as well as identification of top human risk to the university and behaviors that need to change to mitigate those risks and identify any roles which would require additional or more specialized training and ensure those roles receive it. They will create a positive program that engages staff, faculty, students, and contractors, to include focusing on changing behaviors both at home and at work. Ultimately, we want our community to demonstrate the same secure behaviors regardless of where they are or the devices they are using.
The program manager will oversee outreach campaigns aimed at communicating information security program practices, policies, and standards to members of the university community. They will also provide information about success metrics and key performance indicators as well as manage the delivery of the Oregon Cyber Resilience Summit.
Successful candidates combine business acumen, effective communication, and technical aptitude to provide cybersecurity content serving all levels of proficiency, from beginners to experts. The program manager measures the efficacy of the cybersecurity awareness program, communicates metrics to information security office leadership and makes recommendations to improve the university’s resiliency. In addition, the program manager is adept at developing trust and earning respect so that regardless of employee ability, all feel welcome to ask questions, share feedback, and support the mission. As a liaison between the Information Security Office and the business units, the program manager is people-centric, a security champion, and an example for others to follow.
The position will participate in strategic planning, including goals and objectives for the Information Security Office that support the university’s goals for student success, administrative process improvement, and research and teaching.
This position will work with the Chief Information Security Officer to identify and prioritize expenditures as well as look for new cost-effective services/strategies for the delivery of cybersecurity awareness and outreach to the campus community. It is expected that this position will ensure compliance with federal, state, and university policies and regulation, while maintaining appropriate internal control safeguards.
Essential Personnel
This position may provide essential services during times of emergencies and inclement weather. This position may be required to fulfill essential services and functions during these times.
Minimum Requirements
• BA or MA in Information Assurance, Education, Communications, Marketing, Psychology, or a related field (or 5+ years relevant experience in these areas).
• 3+ years of relevant work experience, preferably in either Information Assurance, Education, Communications, Marketing, or related fields.
• Demonstrable experience in technical training or adult education.
Professional Competencies
• Strong interest in Information Security or Enterprise Risk Management (ERM).
• Ability to take initiative, reach out to and coordinate with different people in different departments.
• Collaboration with others, to include people in other countries, is a key factor to success.
• Understand the concepts of culture and how culture impacts how people both behave and learn.
• Excellent communicator and storyteller, adept at collaborating with various groups of people.
• Perform duties in a way that advances and supports the mission of the department and university.
• Work effectively in a diverse team environment and create effective relationships for problem solving and positive interactions.
• Take initiative, looking for what needs to be done and doing it.
• Pay close attention to detail.
• Maintain a safe and safety-conscious workplace.
• Maintain a respectful workplace and model a positive and proactive attitude.
• Model the highest ethical standards.
• Provide superior customer service.
Preferred Qualifications
• Three to five years of cybersecurity and training and education practitioner experience.
• Project management experience, the ability to plan, manage and maintain a complex, organization-wide program over the longer term.
• Understanding of the concepts of information risks and the different elements that make up risk. In addition, have at a minimum a basic understanding of the different concepts of information security.
• Understand the concepts of culture and how culture impacts how people both behave and learn.
• Display practical knowledge of different communication techniques to ensure people understand and continually apply the required behavioral change necessary to reduce the ‘human factors’ risk.
• Ability to communicate complex messages in a simple, clear and concise manner within our organization. In addition, have experience with different types of communications methods, to include social media, blogging, webcasts, printed materials, hosted events and other methods. A key part of effective engagement is leveraging multiple methods of communications.
• Preferable, but not required: PMP, GSEC, GISP, CRISC, CISSP.
FLSA Exempt: Yes
All offers of employment are contingent upon successful completion of a background inquiry.
The University of Oregon is proud to offer a robust benefits package to eligible employees, including health insurance, retirement plans and paid time off. For more information about benefits, visit http://hr.uoregon.edu/careers/about-benefits.
The University of Oregon is an equal opportunity, affirmative action institution committed to cultural diversity and compliance with the ADA. The University encourages all qualified individuals to apply, and does not discriminate on the basis of any protected status, including veteran and disability status. The University is committed to providing reasonable accommodations to applicants and employees with disabilities. To request an accommodation in connection with the application process, please contact us at uocareers@uoregon.edu or 541-346-5112.
UO prohibits discrimination on the basis of race, color, sex, national or ethnic origin, age, religion, marital status, disability, veteran status, sexual orientation, gender identity, and gender expression in all programs, activities and employment practices as required by Title IX, other applicable laws, and policies. Retaliation is prohibited by UO policy. Questions may be referred to the Title IX Coordinator, Office of Civil Rights Compliance, or to the Office for Civil Rights. Contact information, related policies, and complaint procedures are listed on the statement of non-discrimination.
In compliance with federal law, the University of Oregon prepares an annual report on campus security and fire safety programs and services. The Annual Campus Security and Fire Safety Report is available online at https://clery.uoregon.edu/annual-campus-security-and-fire-safety-report.
