Chief Information Security Officer

Presbyterian Healthcare Services
Hybrid

About The Position

Reporting to the Chief Growth Officer, the Chief Information Security Officer (CISO) is a business/technology executive who will be responsible for providing enterprise-wide leadership to establish and maintain a comprehensive Information Security and Data Privacy program ensuring compliance and managing organizational risks. This includes policy creation, education, training, security incident response, risk assessment, contract review, incident prevention, detection and forensics. This leader will provide strategic as well as pragmatic thought leadership at the PHS executive level regarding security, technology and products and create strong partnerships across business units and functional groups to deliver competitive advantage and provide organizational leadership across PHS for IT security and related organizational initiatives across the company. As the key executive leading PHS security planning, implementation and overall operations, the CISO is critical to enabling PHS to deliver its strategy all the while protecting the security and integrity of customer data and PHS' overall brand in the marketplace. The CISO will partner very closely with the executive leadership of the organization and business unit leadership including IT Planning Business Partners, Enterprise Architecture, Project Management Office, and Application Directors.

Requirements

  • Bachelor's Degree in Information Security, Computer Science, Information Management Systems, or related field.
  • 10-year track record in Information Security and/or Information Technology Risk Management leadership.
  • Minimum 5 years significant leadership experience with a large healthcare system.
  • Five plus years of experience in a large (over 2,000 end users) Healthcare IT Enterprise preferred.
  • Experience working within an information security function using NIST CSF, or NIST 800-53, HIPAA, or HITRUST Common Security Framework.
  • Experience supporting SSAE 16 or SOC 2
  • Experience with ARCHER

Nice To Haves

  • An advanced degree is strongly preferred.
  • Preferred 7 years of experience in a combination of governance, risk management, information security and technology jobs, including a minimum of five years in a leadership role.
  • Professional certifications such as Certified Information Systems Security Professional (CISSP) and/or Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), or Certified Risk & Information Security Controls (CRISC) preferred or willing to obtain within the first year of employment.

Responsibilities

  • Develops an information security vision that is aligned to organizational priorities and enables and facilitates the organization's business objectives and ensures senior stakeholder agreements and support.
  • Develops, implements and monitors a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
  • Establish policies, procedures, standards, and guidelines that enable PHS's security strategy and align with the business objectives.
  • Provides input for the Information Technology (IT) section of the organization's code of conduct.
  • Manages the budget for the information security program.
  • Provides regular reporting on the current status of the information security program to enterprise committees, senior leaders and board of directors.
  • Create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
  • Work with compliance, legal, internal audit and other key leaders to ensure all information owned, collected or controlled by or on behalf of PHS is processed and stored in accordance with applicable laws and other regulatory requirements.
  • Develop and facilitate information security risk assessments/analysis/audits for contractual, legal, and regulatory compliance including reporting and oversight of risk remediation activities.
  • Ensures the development and implementation of a vendor security management program to oversee third parties and manage risk associated with the vendor relationship including compliance monitoring.
  • Collaborate with Privacy Officer and data protection leaders to support data privacy requirements and implement them in technology where applicable.
  • Build an industry leading detection and containment capability that will identify and mitigate sophisticated cyber-attacks against PHS.
  • Oversee the evaluation, selection and implementation of information security tools.
  • Establish relationship with Project Management Office to integrate information security into the project delivery process.
  • Responsible for leading a security team including Security Architects, Security Operations, Governance, Risk and Compliance, and Identity and Access Management professionals.
  • Facilitate appropriate resource allocation which supports information security program maturity and risk reduction.
  • Chairs the Cybersecurity Steering Committee and manages the cybersecurity program portfolio.
  • Work directly with the business units and IT Operations to ensure the right security capabilities are built into offerings, enterprise processes and tools through reusable technology.
  • Partner with legal on vendor contracting process to build security requirements and standards into agreements and manage risk introduced by vendors.
  • Participates in the development of information security remediation plans identified through risk assessments and audits.
  • Provide oversight for vulnerability management program and daily security operations enforcing security controls.
  • Manage and oversee the information security incident response program, including the development of Business Continuity Program and Disaster Recovery Program.
  • Maintain information security program framework for continuously improving the organization's security program and reducing risk.
  • Establish defined roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
  • Monitor external threat environment for emerging threats and advise relevant stakeholders on appropriate courses of action.
  • Routinely provide metrics and reporting framework which measures the efficiency and effectiveness of the information security program.
  • Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Familiarity with current Cybersecurity management frameworks.
  • Establish relationships with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
  • Understanding and experience with information security regulations, including at a minimum National Institute of Standards and Technology (NIST), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry (PCI), ISO 27001 and ISO 27018, Sarbanes-Oxley (SOX), Cloud Security Alliance (CSA) and various other laws and regulations including Executive Orders.
  • Models high standards of integrity, performance, confidentiality, and demonstrates sound judgement.
  • Incorporates Presbyterian Health Services values into ITGRC compliance and audit program.
  • The CISO will be a seasoned, organizational leader with a strong technical/operational background and experience partnering, leading and influencing across business units with all levels of leadership.
  • It is critical for this individual to be able to develop forward-thinking, industry leading vision and strategy to ensure PHS is a strong leader in IT security.
  • The CISO will be comfortable working in a fast-paced, collaborative, highly matrixed environment, developing a strategy for PHS and the organization and a roadmap to achieve strategic goals.
  • The person in this role must be comfortable working with ambiguity, have a proven track record of hiring, developing and growing technical talent, have strong executive presence and demonstrate outstanding communication skills, specifically the ability to translate technical vision, roadmaps and decisions into a clear, inspiring story that enables the organization to quickly align and drive results.
  • The ability to lead from the front, be a strong leader-teacher and collaborate at all levels at PHS with credibility are all critical to this role.
  • The CISO will lead the technical security team as they guide the organization in areas that are very dynamic, increasingly complex, and involve partnering with suppliers, outside organizations, and leaders across PHS.
  • This leader will model strong business partnering skills, leadership presence and organizational maturity.

Benefits

  • Competitive salaries
  • Full medical, dental and vision insurance
  • Flexible spending accounts (FSAs)
  • Free wellness programs
  • Paid time off (PTO)
  • Retirement plans, including matching employer contributions
  • Continuing education and career development opportunities
  • Life insurance and short/long term disability programs