L&R Business Information Security Officer

New York NY
April 14 2018
Insurance, Securities
Functional Area: IT - Information Technology

Estimated Travel Percentage (%): Up to 25%

Relocation Provided: No

American General Life Insurance Company

L&R - Business Information Security Officer (BISO)

Position Summary

The L&R Business Information Security Officer (BISO) focuses on the overall framework for information security and processes for the Life and Retirement line of businesses. This role will work directly with the L&R businesses (CEO, CIO and COO), including liaising, advising, advocating, and facilitating to identify and reduce business fraud and information security risks. Among other duties, the BISO interfaces with the CISO team, which performs risk assessments on computer applications and business partners to evaluate their ability to meet control requirements. Additionally, the BISO leads and/or participates in projects and initiatives to design and implement information security controls for our various processes and systems. The successful candidate will demonstrate strong knowledge of and experience with our businesses as well as the general information security controls employed to protect organizations and computer applications.

Organizational Structure

The Business Information Security Officer reports directly to the Life and Retirement CIO.

Performance Objectives

  • Proactively and collaboratively work with businesses and the L&R CIO/CTO teams to develop and implement procedures that meet defined policies and standards for information security management.
  • Augment our overall security posture by adding a business-fraud-focused lens to the process.
  • “Think like a bad guy”: Develop a product- and customer-centric strategy around platform, application, and network access methods, as well as authentication mechanisms.
  • Define evergreen methods to identify, track, and protect key assets with respect to our various business lines.
  • Collaborate with the CISO organization on prioritizations and evaluations including:
    • Application vulnerability and remediation
    • Legal, regulatory and contractual security risks and their remediation requirements.
    • Compliance with applicable laws, regulations, contractual requirements, and policies (e.g., the Health Insurance Portability and Availability Act, the Payment Card Industry Data Security Standard and the Internal Revenue Service Tax Information Security Guidelines) to minimize or eliminate risk and address audit findings.
    • Risk assessments on potential vendors and business partners
    • Security audits and assessments to evaluate policy compliance and existing defenses and to identify vulnerabilities.
  • Develop business-relevant metrics to measure the efficiency and effectiveness of the company's information security management program, forecast appropriate resource allocation and increase the maturity of the program.
  • Advise management, partnering with CISO, on industry developments in business practice, technology, security issues and legislation that impact the company's security policy
  • Oversee incident response planning and management of security incidents and events to protect client and firm data, such duties to include assisting with the investigation of security breaches and disciplinary and legal matters associated with breaches, as necessary.
  • Manage projects and help implement initiatives surrounding data security and privacy
  • Develop, document and implement L&R specific information security procedures to enforce information security standards
  • Provide subject matter expertise, in partnership with CISO, to management on a broad range of information security standards and best practices (e.g. the ISO/IEC 27000 series, the NIST Computer Security Division Special Publications and Federal Information Processing Standards, the Payment Card Industry Data Security Standard) and offer strategic and tactical security guidance for all IT projects, including the evaluation and recommendation of technical and business process controls.
  • Work with the business teams to coordinate and manage public relations activities as they relate to the information security program and incident response.
  • Perform other security-related duties as requested


Knowledge/Experience Preferred

  • Knowledge of applicable US laws and regulations as they relate to Information Risk and Information Technology Risk
  • Prior experience with Life and Retirement products
  • 12+ years of managerial experience in information security
  • ISO designation and associated certifications at a prior financial institution preferred
  • A university degree in Information Technology or Technology Management or equivalent work experience. Master's degree in either of these fields is preferred.

Skills Required

  • Ability to successfully partner with clients and vendors to align strategy with deliverables, identify business challenges and develop alternatives to mitigate them
  • Enjoys working in a team-oriented, collaborative environment
  • Ability to apply change management principles to initiatives of variable sizes and degrees of complexity
  • Ability to assess the impact or potential impact of change management initiatives of various sizes and degrees of complexity on business financials and performance
  • Self-motivated and driven strategic thinker with strong problem management skills

It has been and will continue to be the policy of American International Group, Inc., its subsidiaries and affiliates to be an Equal Opportunity Employer. We provide equal opportunity to all qualified individuals regardless of race, color, religion, age, gender, gender expression, national origin, veteran status, disability or any other legally protected categories.

At AIG, we believe that diversity and inclusion are critical to our future and our mission - creating a foundation for a creative workplace that leads to innovation, growth, and profitability. Through a wide variety of programs and initiatives, we invest in each employee, seeking to ensure that our people are not only respected as individuals, but also truly valued for their unique perspectives.