City of San José
Head of Cyber Risk and Compliance (Enterprise Technology Manager)
City of San José, San Jose, California, United States, 95199
Head of Cyber Risk and Compliance (Enterprise Technology Manager) – Job Description (Refined)
The City of San José’s Information Technology Department (ITD) is seeking an experienced and forward-thinking leader to serve as the Head of Cyber Risk and Compliance (Enterprise Technology Manager) with a focus on Governance, Risk, and Compliance (GRC), Identity and Access Management (IAM), and Risk Management. Reporting to the City Information Security Officer (CISO), this role provides senior-level leadership for cybersecurity governance, regulatory compliance, access control, and enterprise risk initiatives that safeguard City services, data, and critical infrastructure.
The Head of Cyber Risk and Compliance will play a critical leadership role in strengthening the City’s security governance structure, managing enterprise risks, and ensuring effective identity and access controls across the organization. This position requires a leader who can balance regulatory compliance, security best practices, and operational needs, while fostering a culture of accountability and resilience.
Key responsibilities
Represent the cybersecurity program in executive meetings, steering committees, and inter-agency collaborations.
Collaborate with external partners, including DHS CISA, FBI, and state agencies, on compliance, risk, and threat intelligence initiatives.
Promote Citywide cybersecurity awareness programs, with emphasis on governance, risk, and compliance accountability.
Lead the planning, execution, and delivery of complex cross-functional projects, ensuring alignment with organizational priorities and stakeholder expectations.
Lead enterprise risk assessments, threat modeling, and business impact analyses by establishing standardized frameworks to evaluate organizational risk posture and align findings with enterprise objectives.
Oversee cross-departmental collaboration to identify vulnerabilities, analyze threats, assess potential impacts, and translate results into actionable mitigation strategies that inform executive decision-making.
Oversee regulatory compliance initiatives, ensuring continuous audit readiness and timely fulfillment of reporting requirements to meet federal, state, and industry standards.
Provide governance and oversight to maintain adherence to applicable framework, regulatory, and certification requirements.
Coordinate with internal and external auditors and deliver clear risk mitigation and compliance reporting to executive leadership and regulatory bodies.
Integrate risk management processes into City projects, procurement, and vendor engagements.
Collaborate with IT operations and emergency management teams on disaster recovery and business continuity planning.
Lead the City’s cybersecurity GRC program, ensuring alignment with frameworks such as NIST CSF, ISO 27001, CJIS, PCI DSS, and other applicable standards.
Develop, implement, and enforce Citywide cybersecurity policies, standards, and procedures.
Provide metrics and dashboards on risk posture, policy adoption, and compliance to executive leadership.
Direct the City’s IAM strategy, including identity lifecycle management, SSO, MFA, and PAM.
Ensure secure onboarding, offboarding, and RBAC across City departments.
Implement and govern Zero Trust principles to reduce insider and external access risks.
Partner with IT and business units to advance identity governance and automation.
Develop and maintain the enterprise Disaster Recovery Plan as well as information systems contingency plans for each system, with tabletop exercises as required.
Salary and schedule
A hybrid telework schedule is possible, subject to change. The City is currently on a 32-hour onsite workweek.
Salary Information:
The final candidate’s qualifications and experience shall determine the actual salary. In addition to the starting salary, employees in the Enterprise Technology Manager (ETM) classification shall also receive an approximate five percent (5%) ongoing non-pensionable compensation pay.
Salary Range (including the 5% NPWI): $170,679.60 – $208,855.92
Minimum qualifications
Education and Experience:
Bachelor’s degree from an accredited college or university with coursework in computer science, information systems, business administration, or a closely related field AND seven (7) years of experience managing, maintaining, and implementing significant technology programs, computer system infrastructure and design, network operations, security design, application development and configuration, and system/server administration, including a combination of five (5) years of supervisory and project personnel management experience, of which at least two (2) years should be supervisory experience over a technical team.
Required Licensing:
Possession of a valid State of California driver’s license. Passing the San Jose Police Department (SJPD) background check is also a condition of employment.
Other qualifications and competencies
Seven or more (7+) years of experience in information security and/or compliance (FISMA, SOX, PCI, HIPAA, etc.), risk management, including threat modeling, vulnerability assessment, and/or incident response.
Five or more (5+) years directly managing and leading cross-functional technical cybersecurity teams.
Strong knowledge of regulatory frameworks and standards applicable to government, including NIST CSF, NIST 800-53, CJIS, PCI DSS, and HIPAA.
Proven ability to ensure audit readiness, manage internal controls, develop and enforce policies, and oversee third-party risk management programs.
Ability to communicate security-related concepts to a broad range of technical and non-technical audiences.
Experience with cloud security, secure network architecture, IAM operations, and authentication protocols (SAML, SSO, LDAP, OAuth, OpenID).
Possess and maintain a current cybersecurity credential (e.g., CISSP, CISA, CISM, CGEIT, CRISC) or equivalent acceptable to the City.
Ability to obtain and maintain SECRET Security Clearance within a reasonable period.
Selection process and contact
The selection process includes evaluation of the applicant’s training and experience, responses to job-specific questions, and may include interviews and a practical/writing exercise. For questions about duties or the hiring process, contact Tram Nguyen at Tramt.Nguyen@sanjoseca.gov.
Employment eligibility:
Federal law requires verification of eligibility to work in the United States. The City will not sponsor visa applications. Please answer all job-specific questions to be considered.
The City of San José is an equal opportunity employer. Applicants are considered without regard to age, race, color, religion, sex, national origin, sexual orientation, disability, veteran status or any other unlawful consideration. Reasonable accommodations are available for applicants with disabilities.
For more information on the City’s values and ITD culture, visit the ITD website.
Note: Some boilerplate and extraneous postings have been removed to focus on the Head of Cyber Risk and Compliance (Enterprise Technology Manager) role and related requirements.