Job Description

The Chief Information Security Officer (CISO) is an executive level position reporting to the Chief Information Officer (CIO) for the SFPUC. The CISO is directly responsible for understanding the business needs with the primary lens of Cybersecurity to ensure adequate Cybersecurity safeguards are in place for 3 Enterprise Divisions (Water, Power, Wastewater) and 17 Bureaus that make up the SFPUC. The CISO will proactively work to ensure the SFPUC effectively manages cybersecurity risks though the use of a standard industry cybersecurity frameworks and in alignment with both Committee on Information Technology (COIT) and Citywide Office of Cybersecurity (DT); while ensuring compliance to all regulatory requirements. A key element of the CISO’s role is working with management across the SFPUC to determine acceptable levels of risk for the organization. The CISO serves as the owner of all cybersecurity/information security, cybersecurity risk management, cybersecurity compliance and privacy activities agency wide. They will direct the development and implementation of timely agency wide cybersecurity goals, policies, standards, and strategic plans; manages the allocation of resources and service levels to meet business needs.

ESSENTIAL DUTIES:

• Directs the development and implementation of timely agency wide cybersecurity goals, policies, standards, and strategic plans; manages the allocation of resources and service levels to meet business needs
• Oversees the operation of agency wide cybersecurity functions (listed below), activities and programs; sets objectives and monitors the performance of subordinate staff engaged in defined activities
  • Identity, Access & Directory Services
  • Cybersecurity Governance, Risk & Compliance (GRC)
  • Cybersecurity Awareness & Training
  • Cybersecurity Architecture & Engineering
  • Cybersecurity Operations
  • Facilitate Litigation Support & Technical
  • Requests/Inquiries/Investigations
  • Disaster Recovery & Resilience
• Monitors the cybersecurity organizational structure, staff assignments, service levels and administrative systems required to accomplish the agency's mission and objectives in an effective and efficient manner; directs the identification and analysis of opportunities for service enhancements.
• Consults with the COIT and the Citywide Office of Cybersecurity regarding the activities of the functional area assigned and coordinates within the Agency to address service needs; may represent the Agency before or provide information to commissions, boards, committees and representatives from federal, state and local agencies, organizations, Information Sharing Analysis Centers (ISACs) and the media.

Qualifications

• Bachelor of Science Degree in Computer Science or related field; AND
• Four (4) years of verifiable IT Cybersecurity management experience for a utility organization, all of which must include supervisory

Substitution: Additional experience as described above may be substituted for the required degree on a year-for-year basis. One (1) year is equivalent to thirty (30) semester or forty-five (45) quarter units.

Desirables:

• Cybersecurity experience with Supervisory Control and Data Acquisition (SCADA)
• Experience with WECC/NERC regulation and compliance 
• IT project management experience, including developing, maintaining, and monitoring operational performance budgets and business strategies

Applicants must meet the minimum qualification requirement by the final filing date unless otherwise noted.  Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment process. For education verification information, including verifying foreign education equivalency, click HERE.  All work experience, education, training and other information substantiating how you meet the minimum qualifications must be included on your application by the filing deadline. Information submitted after the filing deadline will not be considered in determining whether you meet the minimum qualifications. Resumes will not be accepted in lieu of a completed City and County of San Francisco application. Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.

Additional Information

COMPENSATION AND BENEFITS: The normal annual salary range is $175,864 - $224,484.  Appointment above the maximum of the normal range may be considered based on documented and substantiated recruitment and retention issues or exceptional skills. A special approval process is necessary for appointment above the normal salary range.

In addition, the City and County of San Francisco (City) offers comprehensive benefit programs which include:

• Medical, Vision, Dental, and Life insurance
• Long-term disability plan; Flexible Spending Accounts
• Pension Plan; Retiree Healthcare; Deferred Compensation Program
• Paid Management Training Program; Wellness Program
• Paid Vacation, Holidays, Sick Leave; Management Leave

Learn more about the City’s Management Benefits.

HOW TO APPLY Applications for City and County of San Francisco jobs are only accepted through an online process. Select the “I’m Interested” button and follow instructions on the screen.

Applicants may be contacted by email about this recruitment and, therefore, it is their responsibility to ensure that their registered email address is accurate and kept up-to-date. Also, applicants must ensure that email from CCSF is not blocked on their computer by a spam filter. To prevent blocking, applicants should set up their email to accept CCSF mail from the following addresses (@sfgov.org, @sfdpw.org, @sfport.com, @flysfo.com, @sfwater.org, @sfdph.org, @asianart.org, @sfmta.com, @sfpl.org, @dcyf.org, @first5sf.org, @famsf.org, @ccsf.edu, @smartalerts.info, and @smartrecruiters.com).

Having Trouble? If you are having trouble with the application, please visit Smart Recruiter's FAQs or email supportfeedback@smartr.me.  It is suggested you use Google Chrome or Microsoft Edge web browser to submit the application. 

Applicants will receive a confirmation email that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.

EXAM INFORMATION Exam Type: Combined Promotive Entrance (CPE) Certification : Rule of the List Eligible List Duration: Twelve (12) months The duration of the eligible list may be extended with the approval of the Human Resources Director.

SELECTION PROCEDURES After application submission, candidates deemed qualified must complete all subsequent steps to advance in this selection process, which includes the following:

• Minimum Qualification Supplemental Questionnaire (MQSQ) completed online (Qualifying)
• Online Supplemental Essay Exam (100%)

Minimum Qualification Supplemental Questionnaire (MQSQ) Once the application is closed, qualified candidates will be sent a Minimum Qualification Supplemental Questionnaire (MQSQ) to complete. 

Supplemental Questionnaire Essay Exam (100%) The purpose of the Supplemental Questionnaire (SQ) is to evaluate the experience, knowledge, skills and abilities that candidates possess in job-related areas, which have been identified as critical for this position and include, but are not limited to: Knowledge of cybersecurity frameworks, utility regulatory compliance (NERC-CIP), technical skills, risk management, decision making, communication, and supervision skills.  

Qualified candidates will be sent email notices to complete the MQSQ and SQ exam. Failure to complete these steps by the established deadlines will result in disqualification.

A passing score must be achieved on the exam to be placed on the eligible list and continue in the selection process.  Additional selection processes, like interviews, may be conducted by the hiring department prior to making final hiring decisions.

SCORE REPORT/ELIGIBLE LIST A confidential eligible list of applicant names that have passed the civil service examination process will be created, and used for certification purposes only. An examination score report will be established, so applicants can view the ranks, final scores and number of eligible candidates. Applicant information, including names of applicants on the eligible list, shall not be made public unless required by law. However, an eligible list shall be made available for public inspection, upon request, once the eligible list is exhausted or expired and referrals resolved. The eligible list/score report resulting from this civil service examination process is subject to change after adoption (e.g., as a result of appeals), as directed by the Human Resources Director or the Civil Service Commission. To find Departments which use this classification, please see https://sfdhr.org/sites/default/files/documents/Forms-Documents/Position-Counts-by-Job-Codes-and-Department-FY-2021-22.pdf.”

ADDITIONAL INFORMATION REGARDING EMPLOYMENT WITH THE CITY AND COUNTY OF SAN FRANCISCO:

• Information About The Hiring Process
• Conviction History
• Employee Benefits Overview  
• Equal Employment Opportunity 
• Disaster Service Worker
• ADA Accommodation
• Veterans Preference
• Seniority Credit in Promotional Exams
• Right to Work
• Copies of Application Documents
• Diversity Statement

Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules or regulations. Clerical errors may be corrected by the posting the correction on the Department of Human Resources website at https://careers.smartrecruiters.com/CityAndCountyOfSanFrancisco1/

The terms of this announcement may be appealed under Civil Service Rule 111A.35.1. The standard for the review of such appeals is ‘abuse of discretion’ or ‘no rational basis’ for establishing the position description, the minimum qualifications and/or the certification rule. Appeals must include a written statement of the item(s) being contested and the specific reason(s) why the cited item(s) constitute(s) abuse of discretion by the Human Resources Director. Appeals must be submitted directly to the Executive Officer of the Civil Service Commission within five business days of the announcement issuance date.

All your information will be kept confidential according to EEO guidelines.

If you have any questions regarding this recruitment or application process, please contact the exam analyst, Michelle Chee by email at mchee@sfwater.org. MC/PBT-0941-01040932

CONDITION OF EMPLOYMENT:  All City and County of San Francisco employees are required to be fully vaccinated against COVID-19 as a condition of employment. Someone is fully vaccinated when 14 days have passed since they received the final dose of a two-shot vaccine or a dose of a one-shot vaccine. Any new hire must present proof of full vaccination status to be appointed. Any new hire who will be routinely assigned or occasionally enter High-Risk Settings, must provide proof of having received a COVID-19 booster vaccine by March 1, 2022, or once eligible.

The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.