Overview:
Reporting to the Chief Information Security Officer (CISO), the Associate CISO is a cyber risk management leader responsible for executing the cybersecurity strategy, cyber resiliency and risk management functions for Fairview Health Services. This leadership role has overall responsibility, within the Cyber Security Risk Management (CSRM) group, for cyber risk quantification, prioritized risk remediation, security policies, security standards, cyber governance, business continuity, disaster recovery, security awareness and training, vulnerability assessment and remediation, external attack surface management, security audits and reviews, third-party risk management, IT supply chain risk management, and regulatory compliance management (HIPAA, PCI, HITRUST, SOC 2, etc.). The Associate CISO will be accountable for promoting a security-first culture across the organization and will assist in delivering system-wide resiliency programs that enhance the cybersecurity posture while maturing frictionless security controls.
Responsibilities/Job Description:
The Associate Chief Information Security Officer (Associate CISO) will assist the Chief Information Security Officer (CISO) in formulating system-wide strategies relating to cyber resiliency, cyber risk quantification, cyber risk management, and promoting a security-first culture. Primary responsibilities include the following:
- Oversee the following Cybersecurity groups within Fairview: Security Policy & Governance, Security Risk & Regulatory Compliance Management, Cyber Resiliency, and Business Continuity & Recovery teams.
- Assist the CISO with prioritization of strategic initiatives, and assess and prioritize remediation of security risks in a cost-effective manner in collaboration with Finance and other leadership teams.
- Accountable for developing, enhancing and governing comprehensive, implementable and frictionless security policies for Fairview Health Services. Collaborate with IT, Cyber, Emergency & Facilities Management and Operations to prescribe, validate and audit reasonable security controls, standards and procedures in accordance with established policies.
- Responsible for IT governance and validation to test security controls and policy compliance, including but not limited to appropriate user access, privileged access, and data access and protection, maintaining the confidentiality, integrity and availability of enterprise systems and data. Maintain and govern cyber policy exceptions and their associated business and operational risks.
- Responsible for strategy and execution around identifying critical business, security and IT assets, BCP/DR tiering and prioritization of digital IT systems, and development and testing of effective Business Continuity and Disaster Recovery controls.
- Responsible for educating and training the organization on cybersecurity, risk management, data classification, data retention and security policies through mandatory and recommended training and orientation, and for performing periodic, targeted or general user phishing campaigns.
- Accountable for developing and operationalizing a strategy around cybersecurity metrics; managing the Cyber Risk Register and Key Risk Indicators (KRIs); and collaborating with teams to report security metrics and communicate policies, controls, initiatives and their associated benefits.
- Partner with IT and Cybersecurity peers to maintain the integrity of core asset management and configuration management systems and the assets they track, including medical devices, IoT/OT and network assets.
- Oversee Security Risk and Compliance assessments and associated processes for on-premises, cloud, mobile and IoT applications and devices.
- Oversee governance and compliance to ensure threats and vulnerabilities are managed per policy by all stakeholders.
- Collaborate with internal and external audit teams in assessing compliance with Fairview Health Services policy and with regulatory, financial and security requirements. Lead the organization through external compliance audits (HIPAA, PCI, HITRUST, SOC 2) and any other healthcare mandates.
- Manage third-party vendor assessments, audit vendor access to IT systems, perform periodic reassessments, and govern the overall risks and exceptions of third-party vendors.
- Assist the CISO in representing Fairview's CSRM group, report identified and enumerated cybersecurity risks to appropriate leadership and committees, and recommend remediation and/or compensating controls to mitigate those risks.
- Partner with Infrastructure, Applications and other Security leadership to report existing and new vulnerabilities, and participate in governance meetings to improve timely patching and remediation of security vulnerabilities.
- Deliver enterprise programs as assigned by the CISO, collaborating with CSRM, IT and Operational peers.
- Help hire, coach and mentor high-performing, diverse teams in the Cyber Security and Risk Management (CSRM) group, and facilitate informal and formal staff training in partnership with product vendors and industry peer groups to support Cybersecurity's execution needs.
- Partner with IT Finance to actively manage the operating budget for the CSRM group, including establishing the annual operating budget plan, subsequent quarterly forecasts and CSRM headcount, in close collaboration with the CISO to manage planned and unplanned spend and budget favorability.
Qualifications:
Education:
- Bachelor's degree in Information Technology, Cybersecurity or a related field, or an equivalent combination of experience and education.
Experience:
- The successful candidate will have proven cyber/information security or IT leadership experience in one or more Cyber Security and Risk Management (CSRM) functional areas, with a minimum of 15 years of IT experience, and will have experience delivering strategic projects with large, distributed organizational teams in complex IT environments.
- The successful candidate will have 5+ years of direct leadership or management of security teams, with proven people management and leadership skills.
- Proven experience leading one or more Information Security organizational functions, and a broad and detailed understanding of cyber resiliency, IT resiliency, risk management, security risk management, the cyber threat landscape, threat assessment and mitigation strategies.
- Prior experience leading IT and Security transformation initiatives, establishing and/or running three or more of the following areas: Cyber Risk Management, Third Party Risk Management, Security Operations, Identity & Access Management, Regulatory Compliance Management, BCP/DR.
- In-depth understanding and knowledge of regulatory compliance, including but not limited to PCI, HIPAA, SOX, HITRUST and SOC 2.
- Proven experience building and managing a highly effective organization and developing high-performance teams that are diverse and geographically dispersed.
- Excellent oral, written and interpersonal communication and presentation skills, addressing all levels of the organization, including presenting to the Board of Directors and/or Board subcommittees.
- Demonstrated experience implementing innovative ideas to improve the delivery standards of services owned for internal and/or external customers.
- Accountability for budget planning, forecasting, and managing operating budgets and/or P&L for the departments managed.