Chief Information Security Officer

Eye Care Partners, Ballwin, MO 63022

Posted 1 week ago

The Chief Information Security Officer (CISO) holds a pivotal role in establishing and executing the enterprise vision, strategy, architecture, and multi-year roadmap to ensure the highest level of protection for the company's invaluable information assets. Reporting directly to the Chief Information Officer (CIO), the CISO is responsible for driving transformational initiatives and fostering a culture of security awareness across the organization. By providing strategic guidance to executive leadership, the Audit and Compliance Board, and the Board of Directors, the CISO ensures that security considerations are integrated into every aspect of the business.

ESSENTIAL DUTIES AND RESPONSIBILITIES

  • Develop and communicate the enterprise vision, strategy, architecture, and multi-year roadmap for information security, emphasizing best-in-class protection of the company's information assets.

  • Elevate the Board's understanding of security beyond a mere 'compliance-only' perspective, fostering a holistic approach to risk management and mitigation.

  • Ensure compliance of the security management program with relevant laws, regulations, and contractual requirements, providing subject matter expertise on security standards and best practices such as HIPAA, PCI DSS, and data protection requirements.

  • Identify, evaluate, and report on information security risks, practices, and projects to the Executive Committee and the Board of Directors, advocating for proactive measures to address emerging threats.

  • Lead the development and testing of robust disaster recovery and business continuity plans, striking a balance between business criticality and cost efficiency.

  • Spearhead the creation, approval, dissemination, and maintenance of up-to-date information security policies, procedures, standards, and guidelines, fostering a security-aware culture across the organization.

  • Champion the enterprise information security program, promoting innovation and the adoption of IT security and compliance best practices throughout the business.

  • Oversee the evaluation, selection, and implementation of innovative and cost-effective information security solutions, ensuring alignment with business objectives and minimal disruption to operations.

  • Collaborate closely with the IT team to ensure that technologies are developed and maintained in accordance with security policies and guidelines, fostering a culture of shared responsibility for cybersecurity.

  • Manage regular intrusion detection and vulnerability reporting, internal and external IT audit reviews, and the coordination of necessary remediation actions.

  • Develop business metrics to measure the effectiveness of the security management program and drive continuous improvement in its maturity over time.

  • Monitor the industry and external environment for emerging threats, advising relevant stakeholders on appropriate courses of action to mitigate risk.

  • Lead incident response planning and investigations of security breaches, providing guidance on disciplinary, public relations, and legal matters as needed.

  • Oversee the creation, communication, and implementation of a robust process for managing vendor risk and third-party risk, ensuring alignment with organizational security objectives.

  • Lead due diligence and post-integration activities related to information security for all M&A activities, safeguarding the integrity and security of acquired assets.

  • Collaborate with senior leaders across the business to assess and communicate a balanced view of acceptable levels of risk relative to return on investment (ROI).

  • Mentor and manage a high-performing team of information security and compliance professionals, fostering their professional development and growth within the organization.

EDUCATION AND/OR EXPERIENCE / QUALIFICATIONS

  • Bachelor's Degree in computer science, engineering, or related field (graduate degree preferred).

  • Minimum of 10 years of IT and/or compliance leadership experience, with at least 5 years of direct experience in information security/cybersecurity.

  • Extensive experience in information security within a multi-unit/multi-state services organization, preferably in the healthcare industry.

  • Proven track record in developing information security policies and procedures, with successful execution and enforcement.

  • Strong knowledge of business risk, risk assessment methodologies, and risk-based decision-making processes.

  • Excellent communication skills, with the ability to articulate security and risk-related concepts to technical and non-technical audiences, including board-level stakeholders.

  • Demonstrated ability to build and lead high-performing teams, with a passion for fostering collaboration and innovation.

  • Familiarity with security, risk, and control frameworks and standards such as ITIL and NIST SP 800-53.

  • Professional certifications such as CISSP, CISM, or CISA are preferred, demonstrating expertise and credibility in the field of information security.

LICENSES AND CREDENTIALS

  • Professional certifications such as CISSP, CISM, or CISA preferred.

NOTE: Job descriptions are intended to be accurate reflections of the principal job elements essential for making fair pay decisions about jobs. Nothing in this job description restricts management's right to assign or reassign duties and responsibilities to this job at any time.
