Date Posted:
8/28/2025
Remote Work Level:
Hybrid Remote
Location:
Hybrid Remote in Washington, DC, McLean, VA
Job Type:
Employee
Job Schedule:
Full-Time
Career Level:
Senior Level Manager (Director, Dept Head, VP, General Manager, C-level)
Travel Required:
No specification
Education Level:
Bachelor's/Undergraduate Degree
Salary:
$279,800 - $419,800 Annually
Categories:
Cyber Security, System Administrator, Consulting, Federal Government, Operations, Product Manager, Project Manager
Benefits:
Paid Time Off
About the Role
Title: Chief Information Security Officer (CISO), Workday Government
Location: USA.DC.Home Office Washington DC
Full Time
Job Description:
Your work days are brighter here.
At Workday, it all began with a conversation over breakfast. When our founders met at a sunny California diner, they came up with an idea to revolutionize the enterprise software market. And when we began to rise, one thing that really set us apart was our culture. A culture which was driven by our value of putting our people first. And ever since, the happiness, development, and contribution of every Workmate is central to who we are. Our Workmates believe a healthy employee-centric, collaborative culture is the essential mix of ingredients for success in business. That’s why we look after our people, communities and the planet while still being profitable. Feel encouraged to shine, however that manifests: you don’t need to hide who you are. You can feel the energy and the passion, it's what makes us unique. Inspired to make a brighter work day for all and transform with us to the next stage of our growth journey? Bring your brightest version of you and have a brighter work day here.
At Workday, we value our candidates’ privacy and data security. Workday will never ask candidates to apply to jobs through websites that are not Workday Careers.
Please be aware of sites that may ask for you to input your data in connection with a job posting that appears to be from Workday but is not.
In addition, Workday will never ask candidates to pay a recruiting fee, or pay for consulting or coaching services, in order to apply for a job at Workday.
About the Team
Workday has launched Workday Government, a new wholly owned subsidiary dedicated to serving the U.S. Government, to address its specific needs and accelerate modernization efforts.
About the Role
As the Chief Information Security Officer (CISO), Workday Government, you will be a pivotal executive leader, shaping and executing Workday's comprehensive cybersecurity strategy specifically tailored for the highly regulated and mission-critical needs of our federal government clients. This role serves as the ultimate authority and advocate for federal cybersecurity within Workday, ensuring our products, services, and operational environments not only meet but exceed the most stringent security, compliance, and resilience requirements.
You will bring profound expertise in federal government cybersecurity frameworks, regulations, and executive-level experience in building, maturing, and leading complex security programs within the federal space. Critical to this role is proven experience establishing and maintaining secure cloud and on-premise network environments, including air-gapped regions, and successfully navigating the accreditation processes for SaaS platforms within these sensitive environments. You will be instrumental in maintaining our federal accreditations and pursuing new ones as Workday's federal footprint expands.
This role requires a visionary leader with a hands-on approach, capable of not only defining strategy but also diving into the operational complexities of federal cybersecurity. A key responsibility will be building and scaling a dedicated federal cybersecurity team from the ground up, fostering a culture of excellence and operational rigor. Furthermore, you will be directly responsible for designing, establishing, and maturing a Security Operations Center (SOC) specifically tailored to meet federal compliance requirements for monitoring and responding to threats in highly sensitive environments.
Key Responsibilities
As the CISO, Workday Government, you will lead and direct all aspects of federal cybersecurity, including:
Strategic Vision & Leadership:
- Define and articulate the long-term federal cybersecurity vision and strategy, aligning with Workday's business objectives and federal agency requirements.
- Serve as the executive security liaison for federal agencies, building and nurturing high-trust relationships with key government security officials, auditors, and regulatory bodies.
- Advise the executive leadership team on critical federal cybersecurity risks, investments, and strategic initiatives.
- Champion a robust security culture across the organization, with a strong focus on federal compliance and best practices.
- Establish and chair a Security Governance Council across stakeholders to ensure alignment and effective decision-making.
- Act as the primary security point-of-contact for government customers, prime contractors, integrators, the FedRAMP PMO, DISA, and agency sponsors, and actively participate in industry groups (e.g., ISACs, INSA, NIAC) and working groups for federal cybersecurity.
Team & Capability Building (Hands-On):
- Recruit, build, and lead a high-performing, dedicated federal cybersecurity team from its foundational stages. This includes defining roles, hiring top talent, and establishing effective team structures and processes.
- Architect, establish, and continuously mature a federal-compliant Security Operations Center (SOC). This involves selecting and implementing security tools, defining operational playbooks, establishing monitoring processes, and ensuring adherence to federal reporting requirements.
- Provide hands-on technical guidance and expertise to the team as needed, particularly during incident response, architectural reviews, and complex problem-solving.
- Mentor and develop cybersecurity professionals, fostering an environment of continuous learning and technical excellence tailored for federal security challenges.
Federal Compliance & Risk Management:
- Direct and oversee comprehensive compliance with all relevant federal cybersecurity frameworks and regulations, including FISMA; FedRAMP (Moderate and High); DoD Cloud Computing SRG impact levels (IL4 and above) and classified (Secret/Top Secret) environments; NIST SP 800-53 and SP 800-171; CMMC (all levels); ICD 503; ITAR; CJIS; DFARS; OMB Circular A-130; and other intelligence community directives.
- Lead and manage the end-to-end FedRAMP authorization process for all relevant Workday offerings, from initial strategy and documentation to security control implementation, continuous monitoring, and re-authorization efforts.
- Establish and enforce enterprise-wide federal risk management frameworks, conducting regular risk assessments and driving continuous mitigation strategies to protect highly sensitive government data and systems.
- Assist in obtaining and maintaining an Authority to Operate (ATO) for Workday Government offerings.
- Lead and manage audits and assessments by third parties or government agencies (e.g., GAO, DoD IG, DHS).
- Ensure robust data loss prevention (DLP), access control mechanisms, secure disposal procedures, and advanced audit logging capabilities are implemented and continuously optimized for federal environments.
Cyber Defense & Incident Response (Federal Focus):
- Architect, implement, and continuously refine a sophisticated cyber defense strategy for all federal environments, including air-gapped and cross-domain solution (CDS) architectures.
- Oversee the development, implementation, and rigorous testing of federal-specific incident response and threat management plans, ensuring rapid, effective, and compliant resolution of security incidents within government sector operations, in line with FISMA and NIST SP 800-61.
- Coordinate with US-CERT, CISA, and government customers during major incidents.
- Maintain playbooks and conduct red team/blue team exercises.
- Direct comprehensive threat intelligence gathering and analysis pertinent to the federal landscape, proactively identifying and mitigating emerging threats, vulnerabilities, and nation-state actor activities.
- Ensure the SOC capabilities are optimized for federal compliance, including offline log analysis and secure data handling procedures.
- Participate in classified threat briefings, if cleared.
Secure Federal Architecture, Engineering & Product Support:
- Provide executive leadership and strategic guidance for the secure design, development, and deployment of Workday's SaaS solutions in federal environments, ensuring security-by-design principles are deeply embedded from conception.
- Design and maintain secure architectures (on-prem, cloud, hybrid).
- Approve and oversee System Security Plans (SSPs) and RMF lifecycle activities.
- Enforce Zero Trust Architecture (ZTA) principles.
- Oversee vulnerability scanning and security operations (SIEM, SOAR).
- Collaborate extensively with engineering, product development, and infrastructure teams to integrate cutting-edge security architectures that meet future-state federal requirements.
- Ensure secure coding practices and oversee STIG compliance and code scanning (SAST/DAST/IAST).
- Support CI/CD pipelines with built-in security gates and interface with government DevSecOps teams.
Insider Threat & Personnel Security:
- Collaborate closely with the Facility Security Officer (FSO) or Human Resources on personnel vetting and insider threat programs.
- Ensure proper handling of classified information, if applicable.
- Oversee background check compliance and clearance levels (public trust, Secret, TS/SCI, etc.).
Security Awareness, Training, and Policy Development:
- Direct and manage all security audits, assessments, and continuous monitoring activities for federal systems, including rigorous penetration testing, vulnerability management, and third-party security reviews.
- Develop, author, and enforce robust security policies and procedures tailored to federal regulations and industry best practices.
- Drive comprehensive security awareness programs for cleared and uncleared personnel.
- Conduct security training aligned with DoD/DHS requirements.
Contract & Supply Chain Risk Management:
- Ensure a secure development lifecycle (SDLC) for software built under federal contracts.
- Conduct supply chain risk assessments (per EO 14028, OMB guidance, and NIST SP 800-161).
- Ensure subcontractors and partners meet required controls (e.g., NIST SP 800-171 for CUI).
Metrics & Reporting:
- Report regularly on the federal cybersecurity posture to executive leadership and the Board (if applicable).
- Provide all required reports to federal agencies, including FISMA scorecards, Plan of Action and Milestones (POA&M) updates, and incident reports.
About You
Education: A Bachelor's degree in Computer Science, Cybersecurity, or a related technical field is required. A Master's degree or higher in a relevant discipline is strongly preferred.
Experience:
- At least 15 years of progressive leadership experience in cybersecurity, including at least 7 years in a senior leadership or executive role focused specifically on federal government cybersecurity programs.
- Demonstrated executive-level experience in building and scaling cybersecurity teams, including establishing a Security Operations Center (SOC) from the ground up, with a clear focus on federal compliance.
- Proven executive-level experience leading and successfully managing multiple authorization processes for SaaS or cloud service offerings: FedRAMP (Moderate and/or High), DoD provisional authorizations (IL4/IL5/IL6), and/or classified (Secret/Top Secret) accreditations.
- Extensive hands-on and strategic knowledge of federal cybersecurity frameworks and regulations, including NIST SP 800-53, FISMA, CMMC (all levels), ICD 503, and classified environment security principles.
- Proven track record of designing, implementing, and operating security programs within secure network environments, including air-gapped and cross-domain solution (CDS) architectures.
- Deep technical and operational understanding of cloud security principles and best practices for highly sensitive federal data.
- Experience obtaining and maintaining government security clearances at the TS/SCI with Counterintelligence Scope Polygraph level.
- Executive-level communication and interpersonal skills, with a proven ability to engage effectively with senior government officials, C-suite executives, and technical teams.
Certifications:
- CISSP, CISM, or similar executive-level security certifications are highly desirable.
- Relevant federal-specific credentials (e.g., FedRAMP 3PAO assessment experience, DoD 8570/8140-compliant certifications, CMMC Assessor) are highly desirable. DoD 8570/8140 baseline certifications (e.g., CISSP, GSLC) may be required if classified work is involved.
Desired Attributes
- Strategic Visionary: Ability to define and execute a long-term federal cybersecurity strategy that aligns with rapidly evolving threats and regulatory landscapes.
- Executive Presence: Exceptional communication, presentation, and negotiation skills, capable of influencing senior stakeholders and government officials.
- Hands-On Leader: A leader who is not afraid to dive into technical details and actively contribute to problem-solving, while also guiding the team strategically.
- Results-Oriented Leader: A proven track record of delivering measurable security improvements and successful accreditation outcomes in complex federal environments.
- Problem Solver: Superior analytical and critical thinking skills to address intricate security challenges and make sound, timely decisions.
- Adaptable & Resilient: Thrives in a dynamic, high-stakes environment, demonstrating composure and leadership during crisis situations.
- Passion for Public Service: A genuine commitment to securing critical government missions and protecting national interests.
Workday Pay Transparency Statement
The annualized base salary ranges for the primary location and any additional locations are listed below. Workday pay ranges vary based on work location. As a part of the total compensation package, this role may be eligible for the Workday Bonus Plan or a role-specific commission/bonus, as well as annual refresh stock grants. Recruiters can share more detail during the hiring process. Each candidate’s compensation offer will be based on multiple factors including, but not limited to, geography, experience, skills, job duties, and business need, among other things.
Primary Location: USA.DC.Home Office Washington DC Metro
Primary Location Base Pay Range: $279,800 USD - $419,800 USD
Additional US Location(s) Base Pay Range: $279,800 USD - $419,800 USD
Our Approach to Flexible Work
With Flex Work, we’re combining the best of both worlds: in-person time and remote. Our approach enables our teams to deepen connections, maintain a strong community, and do their best work. We know that flexibility can take shape in many ways, so rather than a number of required days in-office each week, we simply spend at least half (50%) of our time each quarter in the office or in the field with our customers, prospects, and partners (depending on role). This means you'll have the freedom to create a flexible schedule that caters to your business, team, and personal needs, while being intentional to make the most of time spent together. Those in our remote "home office" roles also have the opportunity to come together in our offices for important moments that matter.
Pursuant to applicable Fair Chance law, Workday will consider for employment qualified applicants with arrest and conviction records.
Workday is an Equal Opportunity Employer including individuals with disabilities and protected veterans.
Are you being referred to one of our roles? If so, ask your connection at Workday about our Employee Referral process!