For more than 90 years, Caterpillar Inc. has been making sustainable progress possible and driving positive change on every continent. Customers turn to Caterpillar to help them develop infrastructure, energy and natural resource assets.
With 104,000 employees and 2018 sales and revenues of $54.722 billion, we are the world’s leading manufacturer of construction and mining equipment, diesel and natural gas engines, industrial gas turbines and diesel-electric locomotives. Our company principally operates through its three primary segments - Construction Industries, Resource Industries and Energy & Transportation - and also provides financing and related services through its Financial Products segment.
We are a Fortune 100 corporation with 110 production facilities of which 60 are located outside the US, and we have 160 dealers serving customers in 193 countries. In 2018 we were named to the Dow Jones Sustainability Indices (DJSI). For more information, visit www.cat.com and www.caterpillar.com.
As a trusted partner, Global Information Services enables profitable growth by understanding our business partners’ needs and delivering responsive IT solutions with operational excellence. Focusing on our end-users first, we equip the enterprise with the tools and resources that drive collaboration, innovation and solutions that help our customers build a better world.
Supporting the business operations of more than 500 facilities worldwide in more than 180 countries, we connect every aspect of our business from order management systems that keep our production lines running to e-commerce solutions for customers ordering parts online to collaboration tools that keep us connected as well as securing and protecting our connected assets around the globe.
The position of Chief Information Security Officer (CISO) is the most senior executive security position in the organization with direct line responsibility. This business critical role underscores the presumption that secure access to information, data, networks and operations is critical to achieving enterprise business objectives. The CISO has global accountability for establishing, executing and directing the global cybersecurity program to protect Caterpillar's people, proprietary information, plants, products, reputation and brand. The CISO is responsible for developing and implementing strategic and operational processes that enable business success while mitigating risk. The program ensures that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected throughout the digital ecosystem, even though the CISO may not be responsible for the underlying technology. This includes assessing third-party service providers, partners, joint ventures and acquisitions.
The CISO position owns Caterpillar’s relationship with the information security industry and profession. The CISO role chairs an Information Security Working Group (ISWG) which rolls up to the Audit Committee of the Board through the Enterprise Compliance Council.
Job Duties/Responsibilities may include but are not limited to:
The CISO will lead a team of 5-7 managers with approximately 100 management employees and 100 external consultants. Direct reports may include IT Managers, Security Managers, Senior IT Supervisors, Strategic Planning Consultants and external consultants.
The role also provides executive level decision support and governance through both informal and formal means, including but not limited to executive level metrics, dashboards, risk analysis and mitigation, acceptance and reporting.
Enterprise-wide information security strategy and architecture:
- Providing vision and leadership in the development and execution of an enterprise information security strategy and roadmap, including aligning with enterprise business strategy, gaining executive approval and support, and overseeing successful execution.
- Developing and maintaining practical and actionable information security policies and standards that reflect the needs of the business while keeping pace with changes in the business environment, technology and threats in order to effectively mitigate and manage risk to the business.
- Developing and implementing policies, procedures and systems required for maintaining and enhancing overall security goals.
- Providing overall information security services and information security technology infrastructure to support critical business and process requirements.
- Collaborating with senior leaders in the creation and maintenance of a security architecture for the enterprise and participating in the solution selection and process development.
- Ensuring governance and supportive programming for the enterprise in the arena of information classification and categorization as related to information security.
- Developing information security requirements for information technology infrastructure initiatives and enterprise applications and, as appropriate, reviewing and approving security design of initiatives.
- Developing and chairing an Information Security Working Group (ISWG) which rolls up to the Audit Committee of the Board through the Enterprise Compliance Council.
- Building and maintaining executive relationships necessary for the successful execution of the information security program. This includes developing and maintaining external and internal relationships to influence information security policy, standards and programs and enhancing secure interoperability with extended entities.
- Measuring compliance with policy as part of assessing the overall information security risk posture of the enterprise and initiating programs to achieve and maintain an adequate information security posture.
- Providing an annual report to executive leadership on the information security risk posture of the enterprise.
Information security risk management:
- Consulting in the development of IT strategies for business units as the key advisor on information security risks.
- Identifying areas of potential information security risk within the IT infrastructure and driving mitigation strategies to reduce these risks to acceptable levels.
- Developing and employing an ongoing information security communications, training and awareness program tailored to the evolving needs of the business and specific requirements of various user groups through change management.
- Developing a global information security program to ensure consistent messaging when necessary by the regions and Business Units underpinned by respective Enterprise Procedures.
- Developing close relationships with senior management of operating groups globally to help evaluate key risks.
- Leveraging information security investments to enhance business, administration and compliance processes.
Information security incident response:
- Leading the development of analysis and response programs, with prioritized response models, for security incidents on a global scale in the areas of data loss prevention, encryption technologies and advanced persistent threats. Accountable for detecting threats, protecting assets through a layered approach, and analyzing risk proactively. This role is a key contributor to ensuring a holistic enterprise security program.
- Consulting on internal control design and risk response opportunities.
- Developing and maintaining a responsive and effective Computer Security Incident Response Team (CSIRT), Electronically Stored Information (ESI) collection and management capability that will identify, contain and resolve information security incidents, meet compliance and reporting obligations, and uphold chain of custody and rules of civil procedure requirements.
- Aligning with the Chief Privacy Officer to ensure information security services integrate into respective enterprise and subsidiary breach response plans.
- Bachelor’s degree in computer science, information systems, engineering, business administration or a related field is required.
- Master’s degree in computer science, information systems, engineering, business administration or a related field is required.
- At least one of the following active certifications: CISA, CISM, CRISC, CISSP or CFE.
- A minimum of 10 years of executive leadership in information security policy, standards, architecture, technology and programs.
- Strong understanding of information security and the relationship between threat, vulnerability and information value in the context of risk.
- A proven track record of developing and implementing a comprehensive strategy and plan for managing information security internationally is required.
- An understanding and application of information security in different cultures, working across different countries, and experience in an international environment is required.
- Experience in a leadership role, high-level analytical skills, exceptional relationship management competencies, and relevant project management work experience with a demonstrated record of leading and executing information security compliance and risk mitigation programs.
- Capable of passing a National Security Background Investigation to enable the issuance of a security clearance under the United States National
Top Candidates Will Also Have:
- Other related certifications such as ITIL, PMP, SANS/GSEC, CIPP, CGEIT, CPA/CA are preferred, but not required.
- Extensive knowledge of company products and policies, organizational units, and strategic direction with demonstrated diversity in thought and
This position can be located remotely and will require 80% travel.