Information Security Portfolio Manager (ISPM)

TX-HHSC-DSHS-DFPS, Austin, TX
$7,015 - $10,417, Onsite

About The Position

This position is open to U.S. Citizens and permanent residents. This is an onsite position based in Austin, TX. The selected candidate must be willing to work onsite from an HHS office located in Austin, Texas. The Information Security Portfolio Manager (ISPM) provides dedicated cybersecurity governance, risk management, and compliance oversight across assigned HHSC information system portfolios. The position ensures continuous execution of the Risk Management Framework (RMF), security authorization activities, and vulnerability oversight. The role acts as an information security office liaison to Information Owners, Information Custodians, technical teams, privacy, procurement, legal, and executive leadership to ensure security and regulatory requirements are embedded throughout the system lifecycle. The ISPM manages and advances the HHSC Information Security Program to ensure effective, secure, and resilient operations, and provides strategic support to the information security leadership team by serving as a liaison for projects and contributing to long-term planning and continuous improvement of cybersecurity initiatives. The role plans and facilitates cross-functional meetings and governance forums, and develops clear, executive-level briefings and presentations that translate technical risk into business impact to support informed decision-making.

Requirements

  • Bachelor’s degree in Information Security, Information Technology, or a related field, or equivalent experience on a year-for-year basis.
  • Minimum of five (5) years of experience in cybersecurity governance, risk management, or compliance.
  • Experience implementing RMF and security authorization processes.
  • Experience working with enterprise GRC and IT service management tools.
  • Working knowledge of security frameworks (TAC 202, NIST 800‑53 Rev 5, ISO 27001, CIS Controls, ARC-AMPE).
  • Understanding of cloud security concepts (AWS, Azure, GCP).
  • Understanding of AI Large Language Models (LLMs), the Open Web Application Security Project (OWASP), threat analysis, and system security posture for cloud, API, legacy, and microservice ecosystems.
  • Knowledge of enterprise risk management principles and NIST RMF implementation.
  • Knowledge of security authorization and ATO governance processes.
  • Strong Communication Skills – Exceptional written and verbal communication skills to effectively convey security policies, risks, and compliance requirements to both technical and non-technical stakeholders, including CMS auditors and regulatory bodies.
  • Advanced Problem-Solving Abilities – Ability to quickly analyze complex security risks and develop effective mitigation strategies within healthcare IT environments while ensuring compliance with CMS security requirements.
  • Risk Mitigation & Control Implementation – Ability to assess security risks, evaluate compensating controls, and implement risk mitigation strategies to protect regulated data for systems.
  • Knowledge of security architecture, system design review principles, and enterprise security standards.
  • Proficient in GRC tools for tracking and managing compliance, conducting risk assessments and reporting (Archer GRC, ServiceNow, Helix, or equivalent).
  • Risk identification and risk-based decision support.
  • Ability to interpret regulatory and technical security requirements.
  • Documentation management and audit evidence preparation.
  • Process improvement and governance maturity development.
  • Ability to communicate technical risk in business terms.
  • Facilitation of governance forums and working sessions.
  • Stakeholder engagement across technical and executive levels.
  • Clear written and verbal communication.
  • Ability to maintain the confidentiality, security, and integrity of critical infrastructure systems by ensuring compliance with laws and regulations.

Nice To Haves

  • Experience in public sector or healthcare security governance environments.
  • Professional certifications such as CISM, CISSP, CISA, CRISC, or equivalent.
  • ISO 27001 Lead Implementer or Lead Auditor certification.
  • Project Management Professional (PMP) or equivalent.

Responsibilities

  • Guides Information Owners and Information Custodians through RMF lifecycle activities including system security categorization, security planning, and risk assessments.
  • Provides security guidance to Information Owners and Information Custodians to develop and maintain security documentation including System Security Plans (SSPs), risk assessments, Plans of Action & Milestones (POA&Ms), and risk exception requests.
  • Monitors risk assessment completion in accordance with TAC 202 and HHSC Information Security Policy requirements.
  • Evaluates major system or architectural changes for determination of additional security, privacy or regulatory requirements.
  • Coordinates or guides security control assessments, secure architecture reviews, and security consulting for vulnerability efforts.
  • Provides oversight of the Authorization to Operate (ATO) process. May develop ATO packages for CISO and Authorizing Official review and approval. Provides executive briefing to portfolio leadership.
  • Participates in executive committee meetings and provides risk posture and security gap analysis. Engages in DIR risk letter responses, audit engagements, and regulatory inquiries. Ensures portfolio adherence to internal policies, as well as external regulations and legal mandates such as TAC 202 and NIST.
  • Leads teams in handling both legacy and emerging technologies to manage business risk and enforce security controls that safeguard information systems.
  • Requires broad technical knowledge, the ability to research legal and regulatory requirements, legislative awareness, and the skill to ensure data and privacy safeguards.
  • Provides initial security technical reviews, consultancy, and assessment services for system architecture and technical intake submissions.
  • Engages IT and cybersecurity technical SMEs across cloud, AI, CI/CD, SDLC, and legacy environments to drive secure and compliant architectural decisions.
  • Researches and analyzes cybersecurity threat indicators and system weaknesses, and recommends threat mitigation strategies to prevent or correct them and harden ecosystems.
  • Serves as a cybersecurity liaison in executive management committees, data governance councils, metadata governance forums, and other enterprise decision-making bodies.
  • Conducts recurring outreach with Information Custodians to monitor RMF compliance status, including missing or expired categorizations, risk assessments, POA&Ms, and risk-based decisions.
  • Communicates security-related changes, impacts, and requirements to portfolio stakeholders.
  • Performs or leads other duties as assigned.

Benefits

  • 100% paid employee health insurance for full-time eligible employees
  • A defined benefit pension plan
  • Generous time off benefits
  • Numerous opportunities for career advancement