Business Information Security Officer

Holmes Murphy Insurance
West Des Moines, IA

About The Position

We are looking to add a Business Information Security Officer to join our Information Security team in West Des Moines, Iowa. Offering a forward-thinking, innovative, and vibrant company culture, along with the opportunity to share your unique potential, there really is no place like Holmes! The purpose of this position is to be the strategic liaison between the Information Security Department and the organization’s business units. This position ensures that enterprise security policies are implemented in a way that aligns with the business unit’s goals and risk appetite.

Requirements

  • Develop a deep business acumen to understand business operations, financial impacts, and how security investments drive revenue or efficiency with the ability to identify security risks and apply applicable controls.
  • Ability to lead without direct authority and negotiate between competing security and business priorities.
  • Proficient in security frameworks such as NIST, ISO 27001, CIS and the ability to clearly and concisely explain requirements to the business.
  • Broad technical knowledge of network, cloud, and application security.
  • Experience using automation tools within the work environment.
  • Flexibility as business priorities shift and new technologies rapidly change the threat landscape.
  • Ability to analyze complex issues, provide advanced issue resolution, and implement effective solutions.
  • Actively listen and understand the unique pressures and goals of a business unit before recommending security controls.
  • Appropriately manage conflict between security requirements and operational efficiency to maintain positive team dynamics.
  • Ability and willingness to consistently participate in internal and external educational opportunities to enhance knowledge of current insurance topics or relevant system improvements.
  • Ability and willingness to pursue relevant designations and/or continuing education, as appropriate.
  • Ability to apply common sense understanding to carry out instructions furnished in written, oral or diagram form.
  • Ability to deal with problems involving several concrete variables in standardized situations.
  • Ability to exert up to 10 pounds of force occasionally, and/or negligible amount of force frequently or constantly to lift, carry, push, or pull objects.
  • Must be knowledgeable of and comply with HMA's Client Privacy Policy, HIPAA regulations and E&O procedures and policies.
  • Bachelor’s degree in technology, information systems, or related area or an equivalent combination of education, training, and experience.
  • 7-10 years of relevant experience in Information Security, risk management, compliance, governance, or other security-related fields.
  • Required certification such as CISSP, CISM, CRISC.
  • Trust: Build trust through honest and caring actions and consistently do the right thing.
  • Communication: Seek understanding to convey messages and information to others in a caring and constructive manner.
  • Client Focus: Establish meaningful relationships with clients (internal and external) by supporting their unique potential and delivering an impactful experience.
  • Teamwork: Contributes to the success of the organization by effectively influencing others and uplifting their experiences and unique strengths.
  • Business & Technology Knowledge: Invests in the development of technical knowledge, understands business needs to make informed decisions and deliver technology solutions, including effective related processes and procedures.
  • Problem Solving: Ability to efficiently identify problem(s), leverage resources to determine root cause(s) and propose and implement solutions or make improvements.

Responsibilities

  • Translate high-level enterprise security strategies into actionable, tactical plans tailored for a specific business unit.
  • Identifies and assesses cybersecurity risks unique to the business unit’s operations and advises business leaders on risk mitigation or acceptance based on risk tolerance.
  • Ability to translate complex technical jargon into business-friendly language for stakeholders and executives.
  • Serves as the primary point of contact for security-related issues, bridging the gap between technical security teams and non-technical business leaders.
  • Monitors adherence to regulatory requirements (e.g. HIPAA, GLBA, NYDFS) and internal security and privacy policies.
  • Fosters a security-first culture by delivering targeted awareness programs and educating business units on relevant threats.
  • Conduct and summarize risk assessments for the business, ensuring they have the appropriate information to make risk-based decisions, risk owners are assigned, and risk responses are monitored.
  • Develop materials, present business-relevant projects and risks, and make recommendations to the Information Security Council as appropriate.
  • Participates in cybersecurity strategy setting and other Enterprise initiatives as a security expert.
  • Performs special projects and other duties as requested.

Benefits

  • Paid Parental Leave and supportive New Parent Benefits
  • Company paid continuing Education & Tuition Reimbursement
  • 401k Profit Sharing
  • Generous time off practices in addition to paid holidays
  • Supportive of community efforts with paid Volunteer time off and employee matching gifts to charities that are important to you
  • DE&I programs
  • Consistent merit increase and promotion opportunities
  • Discretionary bonus opportunity