Job Description
- Req#: 558073BR
- Reporting to the Global CIO, the CISO will collaborate with appropriate parties to develop the vision and strategy for H&R Block’s enterprise information security program. This includes global responsibilities for H&R Block tax and financial business operations in the U.S., Canada, Australia, India, and Ireland in addition to Wave Financial.
- Assess, manage and govern the current Information Security Program including policies, procedures, and organization to drive Block’s Information Security Program to higher levels of maturity.
- Develop and oversee the outcomes of a multi-year roadmap, evolving and reprioritizing as necessary to ensure effectiveness.
- Significantly enhance security automation capabilities to deliver greater speed, efficiency, quality, and secure outcomes.
- Operate as a trusted information security advisor to the Leadership Team, CEO and the Board of Directors.
- Represent management to the Board/committees and present H&R Block’s security profile, industry position, risks, issues, strategies, execution, etc.
- Provide information security leadership to the IT operations and Applications/Data areas and oversee the information security management system and information security technical and operational standards.
- Facilitate healthy dialogue amongst stakeholders across the organization that bridges security and business needs, and results in a holistic viewpoint.
- Establish, monitor and reinforce policies related to data and asset usage and security. Do so with an understanding and appreciation of impact to the business.
- Oversee the construction and maintenance of technology standards and processes to ensure they meet policy.
- Ensure that InfoSec processes and operations are designed to be in compliance with the organization’s information security policies and compliant with regulations and laws.
- Coordinate and track all information technology and security related audits including scope of audits, business units involved, timelines, auditing agencies and outcomes, including potential overlaps with external audits conducted in the businesses. Within a framework of auditor independence, work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the organization in its best light. Provide guidance, evaluation and advocacy on audit responses.
- Lead a comprehensive enterprise-wide awareness program that makes security part of everyone’s job, including communications, training and reinforcement around associates’ roles in protecting client and company information.
- Partner with Legal/Compliance to develop a strategy for dealing with audits, compliance checks and external assessment processes for internal/external auditors, PCI, HIPAA, and state laws.
- Partner with Risk, Legal/Compliance and Internal Audit functions relative to approach to difficult privacy and security issues. Act as a source of technical expertise to help automate controls as required.
- Support positioning information security as a business issue through greater level of business integration into security and risk priorities and decisions.
- Strengthen management of information security risks through robust identification and prioritization processes that mitigate business risk and ensure information security governance through the implementation of an enterprise program.
- Assess potential and emerging information security threats, vulnerabilities, and control techniques across relevant business sectors and communicate this information to leaders and associates, as appropriate, throughout the organization on a timely basis.
- Advise leadership concerning risk issues that are related to information security and recommend actions in support of the company’s enterprise risk management program.
- Specify, prioritize, and oversee the development of information security solutions.
- The CISO serves as an Independent Monitor of InfoSec Operations (monitoring, controlling, reporting, and responding).
- Ensure that a visible and effective incident response policy, plan, and procedures are in effect for timely response, enforcement, tracking and reporting, including an escalation corridor for the CISO.
- Stay abreast of security, technology and industry trends. Maintain knowledge of security-related regulatory requirements and laws (e.g., HIPAA, PCI), standards (NIST, COBIT, ISO, HITECH, etc.) affecting privacy and security assurance, and partner with Law/Compliance to communicate throughout the enterprise to increase awareness and ensure that compliance is achieved where required.
- Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong, proactive security posture.
- Utilize external parties, as appropriate, to deliver on the security governance framework (i.e., awareness/communications, training, forensics, etc.). Manage vendor relationships in a manner which controls costs, drives service excellence and mitigates risks.
- 15+ years of progressively responsible and directly related work experience that includes building teams and leading an information security program, ideally within a financial or similarly highly-regulated entity.
- Minimum of 10 years’ experience designing and implementing enterprise information technology security; demonstrates industry leading security innovation skills and an eye towards understanding the threat environment from a preventative posture.
- Excellent executive presence and communications skills with experience presenting to boards, executives, and leadership teams with the ability to communicate security and risk-related concepts to technical and non-technical audiences.
- Very strong business acumen, analytical skills, problem solving techniques, and fact-based decision making. Keen understanding of business needs including operational and financial impacts of InfoSec policies, processes and operations.
- A self-starter with a “can-do” attitude; a driver and implementer who possesses the poise and ability to act calmly and competently in high-pressure, high-stress situations. High emotional intelligence.
- Strong resilience, ability to lead through ambiguity, and persistence to move ahead regardless of barriers.
- Proven ability to build positive, collaborative relationships at all levels of the enterprise and across a diverse set of functions. The ability to develop strong relationships and influence multiple stakeholders in order to gain alignment on key issues will be critical for success.
- High level of knowledge in the area of risk management, network and system security, and security implementation in harmony with the ability to lead organizational change.
- Experience working with the HIPAA Security Regulations, SOC2, NIST Cybersecurity Framework, and relevant information privacy and security laws.
- Skilled in project management as well as work plan development and implementation; astute in strategic planning, budgeting, and allocation.
- A team builder with a track record of attracting, developing, and retaining high-performing talent.
What you'll do...
KEY RESPONSIBILITIES
The Chief Information Security Officer (CISO) is responsible for developing and maintaining a world-class, enterprise-wide information security and risk management program to ensure that information assets are adequately protected. This executive is responsible for identifying, evaluating, protecting and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise.
The CISO position requires a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. The CISO will proactively work with other business functions to implement practices that meet defined policies and standards for information security. This role also oversees a variety of IT-related risk management activities and provides guidance for Business Continuity and Disaster Recovery Plans.
The CISO serves as the process owner of all activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with H&R Block’s information security policies.
At the executive leadership level, the CISO is a key member of the IT Leadership team who contributes to business and technology strategy as they identify opportunities for innovation to grow H&R Block’s market leadership position. The CISO helps define the security policies, processes, and the associated technical capabilities that help the company achieve its goals while protecting its data.
A key element of the CISO's role is working with H&R Block’s executive management to determine acceptable levels of risk for the organization. The CISO must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode. The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes.
Specific responsibilities include:
Vision/Strategy
What you'll bring to the team...
The ideal candidate will be a seasoned security & technology leader with demonstrated experience developing and leading a world-class, enterprise-wide information security & risk management program within a highly-regulated, technology-driven company operating in a multi-national environment.
Specific desired qualifications & experience include:
EDUCATION
An undergraduate degree from an accredited institution is strongly preferred.
Pay Range Information
The pay range for this position is listed below. Local minimum wage laws apply. This information is posted pursuant to local requirements to provide applicants with information about what they might be eligible to receive. Individual pay decisions will depend on job-related factors such as experience, education, skill, performance, and geographic location where work will be performed.
Successful candidates may be able to participate in one or more incentive compensation or short-term incentive plans, which could generate additional earnings in accordance with the terms of each plan.
Qualifying associates can enroll themselves and/or their eligible dependents in medical and prescription drug coverage; can participate in the H&R Block Retirement Savings Plan (401(k) Plan), the Employee Assistance Program, (virtual) fitness center programs, and the associate discount program; are automatically enrolled in Business Travel Accident Insurance; and receive Associate Tax Prep benefit.
Pay Range Minimum
244000
Pay Range Maximum
366000
About H&R Block...
H&R Block’s purpose is simple: To provide help and inspire confidence in our clients and communities everywhere. We’ve been true to that purpose since brothers Henry and Richard Bloch founded our company in 1955. Since then, we’ve grown to have approximately 12,000 offices throughout the United States and around the world.
We are a people company first and a tax company second. People who join H&R Block say it feels like being part of something bigger. A place with an amazing and storied history, but with a strong and urgent focus on the future. Maybe it’s how determined, forward thinking and innovative we are, or how accessible our leadership is. We believe it’s all those things, and much more.
H&R Block is committed to diversity and inclusion and is proud to be an equal opportunity employer. We consider qualified applicants regardless of race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, sex, gender expression or identity, sexual orientation, citizenship, or any other legally protected class. All qualified applicants are welcomed and encouraged to apply.
Job Family
Info Security
Employee Type
Regular
Sponsored Job
#LI-KB1 #LI-Remote
WOTC Eligibility Check
Yes
For best consideration, please submit your application materials by:
01/31/2025
About the company
H&R Block, Inc., or H&R Block, is an American tax preparation company operating in Canada, United States, and Australia.