Information Security Manager

Marathon Health
$115,000 - $145,000
Hybrid

About The Position

The Manager, Information Security, is responsible for leading a team of security analysts to protect enterprise systems and PHI, ensuring compliance with HITRUST, HIPAA, SOC 2 and related regulatory frameworks while maturing detection, response, and governance capabilities. This role will handle day-to-day management of security operations and continuous compliance monitoring. The Manager, Information Security, is a hands-on technical role requiring proficiency in incident response, threat hunting, vulnerability management, creating automation, and integrating systems into SIEM.

Requirements

  • Bachelor’s degree in computer science, information systems or cybersecurity or related field and a minimum of 2 years’ experience in people leadership within security, including serving as the final decision-maker for hiring, development, and performance management, or equivalent combination of education and experience.
  • Experience in healthcare technology, health systems, or digital health, with working knowledge of HIPAA, PHI governance, and clinical system dependencies.
  • Experience owning or co-owning HITRUST CSF certification (or equivalent compliance framework such as SOC 2, ISO 27001).
  • HITRUST Certified Common Security Framework Practitioner (CCSFP) or equivalent HITRUST training
  • One or more professional security certifications: CISSP, CISM, or CISA.
  • AWS Security Specialty or equivalent cloud security certification
  • CRISC (Certified in Risk and Information Systems Control)
  • AI governance or responsible AI certifications (e.g., ISACA AI Audit certificate, Certified AI Governance Professional)
  • Travel of up to 15% is required for team meetings, clinic visits, and audit support

Nice To Haves

  • Demonstrated ability to translate technical infrastructure and security concepts into business risk and value narratives for executive and board audiences
  • Experience driving vulnerability management across organizations.
  • Experience in value-based care, employer-sponsored healthcare, or population health management organizations
  • Proven track record operating in multi-site, distributed environments (ideally 500+ locations) with complex endpoint and network management needs.
  • Hands-on experience deploying or governing AI tools in a healthcare or clinical environment, including PHI risk controls for AI systems
  • Experience with AIOps platforms or AI-augmented IT operations tooling
  • Familiarity with AWS (or comparable cloud) architecture, including security posture management in cloud-native environments

Responsibilities

  • Driving cybersecurity maturity with continuous improvement of controls
  • Continuously evaluating and managing the cyber and technology risk posture of the organization
  • Lead Marathon Health’s internal and outsourced security teams to execute on the roadmap defined by our CISO
  • Lead the security team response to security incidents and breaches.
  • Lead security awareness and training programs across the organization, with tailored content for clinical staff handling PHI
  • Manage the prospect, client and 3rd party security assessment fulfillment process.
  • Identify and manage vulnerabilities
  • Developing and implementing comprehensive risk treatment plans to protect Marathon’s assets
  • Monitoring compliance with the information security policies
  • Keeping up to date with IT security standards and emerging threats
  • Maintain up-to-date knowledge of emerging technologies and services that will help Marathon maintain its technical edge and evolution
  • Architect, prioritize, coordinate, and communicate the choice of security technologies necessary to ensure a highly secure yet frictionless computing environment
  • Assist in the evaluation of overall risk for IT systems and the data they contain and process, accounting for the people, processes, and technologies that provide security controls
  • Maintain and continuously improve SOC 2/HITRUST CSF certification; ensure security control ownership, evidence collection, and audit readiness are operationalized across all responsible domains
  • Manage and enforce a comprehensive information security program covering identity and access management, vulnerability management, endpoint protection, network security, incident response, and third-party risk
  • Work with cross-functional teams including Technology, Legal, Privacy, Finance, Internal and External Auditors to achieve corporate objectives relating to information and data security
  • Partner with legal and compliance teams to create and support a security culture through education and awareness programs designed to reduce the risks to the enterprise while also engaging key business leaders to ensure business unit involvement
  • Monitor compliance with HIPAA, SOC 2, state-level data privacy regulations, and contractual security requirements across all employer and health plan clients
  • Provide technical leadership, guidance and mentoring to Security Analysts.
  • Conduct regular performance reviews, training, and career development planning.
  • Promote knowledge sharing and best practices across the team.

Benefits

  • FREE Marathon Health services for you and your family, which provides unlimited, free primary care, routine labs, select prescriptions, vaccinations, and virtual mental health care for you and your family
  • Choice of 2 medical plans, 2 dental plans, and vision coverage
  • Unlimited free mental health benefits and EAP resources
  • Rewards for challenges and healthy lifestyle activities
  • Family-building and reproductive health benefits
  • Paid parental leave
  • Generous PTO or FTO
  • Paid Holidays + A Day for What Matters
  • Company paid Basic Life and Disability insurance
  • Supplemental Life
  • Spending Accounts
  • 401(k) with employer match and graded vesting
  • Continuing Medical Education (CME) for maintaining and strengthening the knowledge, skills, and expertise of our health center teammates, as applicable