Vice President, Chief Information Security Officer

Sanford Health, Sioux Falls, SD

About The Position

The Vice President, Chief Information Security Officer (CISO) is responsible for the strategic leadership, vision, and execution of Sanford Health's enterprise-wide information security and cyber risk management programs. This role ensures the protection of patient, member, donor, customer, employee, and organizational data while enabling innovation, scalability, and agility across a rapidly growing healthcare system. The CISO is a key advisor to executive leadership and the Board, translating cyber risk into clinical and business impact and fostering a culture of shared accountability, resilience, and trust.

Requirements

  • Bachelor’s degree required.
  • Minimum of 10 years of progressive leadership in information security or related technical disciplines, with experience in large, complex healthcare or regulated environments.
  • Demonstrated expertise in cybersecurity strategy, risk management, governance, and regulatory compliance.
  • Strong understanding of healthcare operations, data privacy, and digital transformation.

Nice To Haves

  • Master’s degree is preferred.
  • Recognized industry certifications (e.g., CHISSP, CISSP, CISM, HCISPP) preferred.

Responsibilities

  • Define and execute a forward-looking, risk-based information security strategy aligned with Sanford Health's growth, innovation, and M&A roadmap.
  • Establish and maintain a comprehensive governance framework, including policies, standards, and risk appetite statements.
  • Serve as a strategic advisor to executive leadership and the Board on cyber risk, resilience, and emerging threats.
  • Lead the development of scalable, repeatable processes to support rapid integration of new entities and technologies.
  • Oversee enterprise-wide information security risk management, including continuous risk assessments, mitigation strategies, and transparency of accepted risks.
  • Partner with Compliance, Privacy, Legal, and Enterprise Risk to ensure alignment on regulatory requirements, audit readiness, and incident response.
  • Maintain and evolve frameworks aligned with NIST, HICP, HIPAA, and other relevant standards.
  • Implement cyber risk quantification models to support investment decisions and board-level reporting.
  • Participate in the development of AI and emerging technology governance frameworks, ensuring secure and risk-aware adoption of AI, cloud, and quantum-resilient technologies.
  • Build internal capacity to assess and secure new technologies rapidly and responsibly.
  • Serve as a thought leader in healthcare cybersecurity, influencing industry policy and vendor ecosystems.
  • Sponsor a robust enterprise-wide tabletop exercise and incident response program.
  • Ensure strong delegation and operational execution across SOC, infrastructure, and application teams.
  • Partner with Infrastructure, Applications, and Operations to drive joint disaster/event recovery, redundancy, and clinical/business continuity planning.
  • Lead development of operational downtime procedures and resilience strategies.
  • Establish and execute a comprehensive identity and access management strategy.
  • Advance data governance capabilities, including PHI inventory, data lineage, and privacy-by-design.
  • Strengthen third-party and vendor risk management, including non-IT sourced technologies and medical device ecosystems.
  • Foster a culture of security as an enabler of innovation and care delivery.
  • Develop a future-focused talent strategy, addressing skill gaps, continuous education, emerging skill assessments, and succession planning.
  • Lead a modern, engaging security awareness and education program for all levels and demographics of the organization.
  • Communicate effectively with technical and non-technical audiences, including board-level storytelling and executive influence.
  • Lead Sanford's cyber insurance planning, including policy negotiation, risk transfer modeling, and alignment with enterprise risk management.
  • Serve as Sanford Health's designated Information Security Officer under HIPAA.
  • Represent Sanford Health in industry consortiums, regulatory forums, and public-private partnerships.