The Carlyle Group

Deputy CISO

The Carlyle Group District of Columbia, United States

Position Summary

The Carlyle Group seeks an experienced, dynamic, and engaging Deputy CISO to be a senior leader within Carlyle's Global Technology & Solutions Department, and to lead its cyber governance capabilities by driving the strategic planning, development, and execution of enterprise-wide cybersecurity initiatives in a fast-paced, global and innovative business environment. The Deputy CISO possesses exceptional leadership skills, creating credible connections with internal and external stakeholders and cultivating a robust cyber ecosystem. The Deputy CISO reports to the CISO, assuming their role when necessary, and will play a crucial part in driving transformational improvements in cybersecurity processes and capabilities. In tandem with a broad understanding of cyber risk sources, reference frameworks, and mitigation strategies, this role requires the ability to think strategically, act decisively, and prioritize cyber investments to deliver risk outcomes that reduce the likelihood and impact of a cyber incident. Through education, influence, and data, the Deputy CISO embeds cyber risk management into business operations, supporting infrastructures and processes, new product launches, M&A activity, and portfolio cyber advisory.


  • Understand the evolving threat landscape and adapt the security governance program to effectively understand, mitigate, and report upon cyber risk in a fluid environment.
  • Support the overarching cybersecurity strategy and own the vision, strategy, and roadmap for security governance activities. Foster transparency by developing, maintaining, and reporting upon the governance program's key performance indicators/metrics.
  • Maintain strong oversight of vendors, business partners, and other third parties to manage and report upon supply chain cyber risk.
  • Liaise with internal and external auditors and other third parties to execute cyber-related audit and assessment activities. Analyze risk findings and document, recommend, and report upon the mitigation status of identified gaps to firm leadership.
  • Mentor team members, enhance their influencing and negotiation skills, and promote professional growth.
  • Demonstrate strong understanding of administrative, physical, and technical controls used to govern, identify, protect, detect, respond, and recover from cyber threats and attacks.
  • Collaborate with and influence cross-functional stakeholders to adopt a security mindset, abide by security policies and standards, identify security weaknesses, and proactively manage and report upon cyber risks. Promote a "secure by design" framework across product development lifecycles.
  • Advocate for resources necessary for the cybersecurity team's success through compelling and data-driven business cases; administer cybersecurity program budget in partnership with CISO and domain leads.


Responsibilities

Cyber Governance (90% of time):

  • Collaborate in the creation of the firm's overall cybersecurity strategy, roadmap, and standards, leading the areas within the cybersecurity governance domain. Ensure alignment with firm strategy, enterprise policies, and regulatory obligations.
  • Establish, maintain, and report upon cyber key performance indicators that provide visibility into the operation of key elements of Carlyle's cyber security program and foster responsibility and accountability for overall cyber health across the Carlyle cyber ecosystem.
  • Demonstrate excellent business judgment, engender trust, and educate Carlyle leaders on the "why" behind cyber investments.
  • Build cyber resilience into strategic firm initiatives, such as new product deployments, M&A playbooks, novel technologies (e.g., AI and GenAI) and cloud adoption.
  • Provide security advisory services that instill a security mindset across Carlyle, helping all users understand their role in the cyber ecosystem.
  • Foster cyber-aware behaviors; inspire the adoption of reasonable security practices; and understand, manage, and report upon cyber risk.
  • Leverage security tools, independent third parties, internal audit, and cyber staff to identify security weaknesses and take actions to reduce Carlyle's exposure to harm from external and internal threats, including insider risk.
  • Engage with regulators and investors to understand Carlyle's cybersecurity program, assist deal teams with cyber diligence upon request.
  • Ensure cyber risks identified in security assessments, audits, and security testing are centrally recorded, reported upon quarterly, and tracked through closure. Administer the cyber risk acceptance process.
  • Influence the adoption of secure design patterns, embed security-related value streams into the firm's agile development lifecycle, and align new and existing technology deployments with evolving GTS-security standards.
  • Deploy new security technologies and enhancements to existing security technologies and processes to strengthen firmwide cyber resilience.
  • Listen to stakeholders; attract, develop, and retain cyber talent; and partner with cross-functional areas to protect the firm from brand, financial, legal & regulatory and operational harm resulting from a cyber breach.
  • Demonstrate exemplary team building skills with a focus on recruitment, retention, career development, and succession planning. Inspire and motivate team members to identify and achieve bold cyber goals.


Administrative (10% of time):

  • Administer GTS-Security budget and oversee quarterly budget planning and forecasting.
  • Leverage agile principles to gain efficiency in cybersecurity program execution and to deliver on value streams within budget and consistent with the rolling 12-month roadmap.
  • Support the firm's disaster recovery and business continuity capabilities.


Qualifications

Education & Certificates

  • Bachelor's degree, required
  • Degree in Information Systems, Computer Science or related technical discipline, preferred
  • Graduate level degree, preferred
  • Security certifications: CISSP, CISA or CISM, required.


Professional Experience

  • 15+ years of information systems, compliance, regulatory, financial services operation, or related experience, required.
  • Prior CISO or Deputy CISO experience preferred.
  • Prior experience working in federated, regulated, and financial services environments, preferred.
  • Strong history of managing and developing high performing teams, and retaining and attracting top cyber talent, preferred.
  • Possess excellent interpersonal, relationship building and influencing skills; has demonstrated success in influencing key corporate decision makers and business partners to build positive working relationships and in gaining support for the cybersecurity strategy and initiatives.
  • Uses excellent written/verbal communication and presentation skills to bolster cyber acumen and advocacy across diverse stakeholders, including senior executives, end users, and board members (or equivalent).
  • Successful track record as a change agent, setting priorities and delivering cyber outcomes across diverse and dynamic environments. Strong ability to assess the current and future value of a wide spectrum of cyber technologies and to make informed recommendations regarding the introduction of new business enabling technology solutions. Demonstrates prudent financial management in the delivery of key results.
  • Deep understanding of cybersecurity program planning and sequencing, including governance, risk management, architecture, technology onboarding, vulnerability management, awareness and training, and cyber third-party risk management. Experience in the development, implementation, and monitoring of supporting processes.
  • Strong technical foundation, including security architecture, vulnerability management, threat modeling, assessment and testing, and secure software development.
  • Knowledge of common information security management frameworks, such as ISO/IEC 27001 and NIST. Experienced in general cybersecurity regulatory and compliance requirements (e.g., SOX, SOC 2, HITRUST, FedRAMP, DFARS, CMMC, etc.).


Competencies & Attributes

  • Strong communication, leadership, and interpersonal skills.
  • Strategic problem solving and decision-making abilities; adept at working under pressure.
  • Innovative thinking and leadership with a keen ability to influence and motivate cross-functional, interdisciplinary teams.
  • Clear understanding of the evolution of the cybersecurity function and strong relationships with the vendor and security community.
  • Ability to anticipate technological developments and develop or enhance existing capabilities, policies and procedures to protect the best interest of the organization.
  • Extensive ability to analyze and interpret the threat landscape for business impact to the firm or its investments and to develop appropriate and pragmatic approaches to manage associated risk.
  • Advanced knowledge of essential cyber practices, such as endpoint protection, vulnerability and patch management, access controls and incident response.
  • Impeccable integrity and exceptional business judgment, relationship building acumen, and a keen ability to communicate the "why" behind cyber investments to diverse constituencies.


Benefits/Compensation

The compensation range for this role is specific to Washington, D.C. and takes into account a wide range of factors including but not limited to the skill sets required/preferred; prior experience and training; licenses and/or certifications.


The anticipated base salary range for this role is $240,000 to $250,000.


In addition to the base salary, the hired professional will enjoy a comprehensive benefits package spanning retirement benefits, health insurance, life insurance and disability, paid time off, paid holidays, family planning benefits and various wellness programs. Additionally, the hired professional may also be eligible to participate in an annual discretionary incentive program, the award of which will be dependent on various factors, including, without limitation, individual and organizational performance.

  • Seniority level: Not Applicable
  • Employment type: Full-time
  • Job function: Finance and Information Technology
  • Industries: Financial Services
