VP, Cyber - Pickering, Canada - Ontario Power Generation

Description

Status: Full Time, Permanent

Education Level: Bachelor's degree in Computer Science, Engineering, Mathematics, Statistics or related field, or equivalent work experience.

Location(s): Pickering, On

Shifts(s): Days

Travel: Yes 25% - As required

Deadline to Apply: May 2, 2024

Electrify your career and help build a brighter tomorrow.

Every generation has a challenge that defines them. At OPG, we are calling on all innovators, disruptors, thought leaders and change-makers. Join us to electrify life in one generation and build a sustainable future powered by our electricity, our ideas, and our people. Join OPG and make history.

Whether you work in the skilled trades or are a business professional, a career at OPG is an opportunity to electrify your life on -- and off -- the job.

ACCOMMODATIONS

OPG is committed to fostering an inclusive, equitable, and accessible environment where all employees feel valued, respected, and supported. If you require accommodation during the application or interview process, please advise us as soon as possible so appropriate arrangements can be made.

If you require information in a format that is accessible to you, please contact

NEW CAMPUS: This position is moving to OPG Corporate Headquarters: In Summer 2025, OPG will officially welcome employees to our new Corporate Headquarters located at 1908 Colonel Sam Drive, Oshawa, Ontario. This new space will enable teamwork, collaboration and innovation that will help us to achieve our mission to electrify life in one generation.

BE THE GENERATION to help build a brighter tomorrow.

JOB OVERVIEW

Reporting to the Chief Information Officer (CIO), the Vice President of Cyber Security is accountable for providing strategic leadership in safeguarding OPG's information assets across its digital ecosystem. The VP of Cyber Security will oversee the establishment and maintenance of robust cyber security programs encompassing both Information Technology (IT) and Operational Technology (OT), ensuring alignment with business objectives while mitigating risks.

The VP position requires a visionary leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the business (IT) and Real Time / Process control / Operational Technology (OT) systems areas. The VP will proactively work with the CIO, IT/OT organizations (Nuclear and Renewable Generation (RG)), and Line of Business representatives to implement practices that meet agreed-on policies and standards for information security, while ensuring that OPG maintains a corporate cyber security vision. Working with these teams, Information Management (IM), Enterprise Risk Management, Security & Emergency Services (SES), Legal, Regulatory Affairs and others, the VP will solicit their involvement in achieving higher levels of enterprise cyber security. The VP should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of business outcomes where the business process is dependent on technology.

KEY ACCOUNTABILITIES

• The VP of Cyber and IT Security should understand and articulate the impact of cybersecurity on the organization and be able to communicate this to the OPG Board of Directors and other senior stakeholders (including ELT, provincial and federal government agencies, key energy industry stakeholders, committees and vendors and partners). He or she serves as the process owner of the appropriate second-line assurance activities not only related to confidentiality, integrity, and availability, but also to the safety, privacy and recovery of information owned or processed by the business in compliance with regulatory requirements. The VP understands that securing information assets and associated technology, applications, systems, and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter. A key element of the VP's role is working with Enterprise Risk Management and executive management to determine acceptable levels of risk for the organization.
• Strategy, Governance & Planning:
• Lead the information security division and act as the senior advisor to the organization to provide the overall corporate strategy with respect to cyber security for IT and OT.
• Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
• Develop, implement, and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled or/and processed by the organization. This strategy must appropriately manage the risks associated in cyber-IT/OT while balancing fiscal responsibility.
• Provide regular reporting on the status of the information security program to enterprise risk teams, senior business leaders and the board of directors as a key component of the strategic enterprise risk management program, thus supporting business outcomes.
• Ensure the consistent application of IT security policies and standards across all technology projects, systems, and services, including privacy, risk management, compliance, and business continuity.
• Create and manage a targeted information security awareness training program for all employees, contractors, and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
• Create and maintain the enterprise's cyber security documents (policies, standards, baselines, guidelines, and procedures) that meet or exceed regulatory and compliance requirements.
• Create, maintain and assist in the execution of the enterprise's Business Continuity Plan and Disaster Recovery Plan, where appropriate.
• Create and maintain the IT Emergency Response Plan and Governance, where appropriate.
• Liaise with Supply Chain to ensure that information security requirements are included in vendor contracts.
• Operational Management & Regulatory Compliance:
• Keep abreast of developments in the areas of legal, regulatory, market, corporate requirements, technology developments and best practices in the IT/OT cyber security field. Ensure that OPG is compliant with regulation changes by analyzing and providing advice on cyber security related impacts of system changes.
• Provide organizational ownership of Nuclear cyber security governance and program execution activities for Nuclear Business and Real-Time Process Control systems, including CNSC regulatory compliance on CSA N290.7-X compliance.
• Provide organizational ownership of RG cyber security program execution activities, including reporting to Regulatory Affairs on NERC CIP compliance.
• Provide executive level reporting on RG and Nuclear cyber security performance.
• Ensure the confidentiality, integrity and availability of the data residing on or transmitted to/from/through enterprise workstations, servers, and other systems and in databases and other data repositories.
• Supervise all investigations into problematic activity and provide on-going communication with senior management.
• Supervise the design and execution of vulnerability assessments, penetration tests and security audits for IT and OT systems.
• Coordinate Cyber Security's involvement in all matters related to Cyber Security governance.
• Understand and communicate the impact of changes to Cyber Security postures, decisions, and strategies on the company's cyber security position to the company's executives and Board.
• Represent OPG's interest on various external committees as it applies to IT and OT security.
• Work with internal and external audit groups to ensure compliance of the business units with Cyber Security policy and standards.
• Act as the approval authority for all changes to the Cyber Security policies, standards and procedures.
• Provide specialized services to other business units in terms of forensic analysis of technology resources in support of investigations of alleged or potential breaches by staff and/or external groups or individuals.
• Develop and manage an up-to-date information security management framework such as but not limited to: International Organization for Standardization (ISO) 2700X, ITIL, ISA-62443, COBIT/Risk IT and National Institute of Standards and Technology (NIST) Cybersecurity Framework, NERC CIP, CSA N290.7-X to integrate and normalize the varied and shifting requirements resulting from global laws, standards, and regulations.
• Develop and maintain a document framework of continuously up-to-date OPG information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
• In collaboration with Information Management and Data Governance teams, create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
• Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and Board levels.
• Build the Network and Communicate the Vision
• Provide input for the IT section of the company's Code of Business Conduct.
• Create the necessary internal networks among the information security team and line-of-business executives, regulatory affairs, audit, physical security, legal and HR management teams to ensure alignment as required.
• Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
• Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.