Chief Information Security Officer

Location
Gaithersburg, MD
Posted
Sep 21, 2018
Closes
Oct 31, 2018
Industry
Security
Hours
Full Time
Support Center

If you are a current Adventist HealthCare employee, please click this link to apply through your Workday account. Reporting to the Chief Technology Officer, the Chief Information Security Officer (CISO) is responsible for the overall organizational security strategy, security program oversight and security architecture development for the organization. The scope of this role covers all utilized security technologies and services, including protection services, perimeter defenses, physical and logical access control, and user profile management of all employees, contractors and visitors. As the organization's senior security officer, this person also has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and organizational awareness. The CISO will work closely with the designated Privacy officer and Legal to ensure that technological and physical access controls effectuate the organization's data privacy policies. The incumbent will work with business, risk management, and technical stakeholders in the development and implementation of a security strategy designed to provide a high level of security over physical facilities and data processing while preserving and enhancing facility and system usability. The incumbent must be able to develop and implement flexible security solutions, dictated by the needs of a hybrid and rapidly evolving business environment.
Work Schedule:


Position Responsibilities:


IT Security Program


  • Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets
  • Proactive and innovative approaches are investigated and implemented appropriately ensuring security program adequately safeguards the organization against advanced threats
  • Provide leadership through strong working relationships and collaboration to develop strategic goals for information security compliance and risk mediation.
  • Liaise with external agencies as necessary to ensure the organization maintains a strong security posture against relevant threats and advancing threat landscape.
  • Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and to continuously increase the maturity of information security program
  • Lead and/or participate in Committees as appropriate



Policies, Procedures, Standards, and Guidelines



  • Lead and coordinate the development and maintenance of information systems security policies, procedures, standards, and guidelines, ensuring compliance with federal and state laws and regulations.
  • Analyze new federal and state statutory requirements, and other security initiatives to determine changes necessary for adoption/compliance and makes appropriate recommendations.
  • Establish security framework and ensure policies, procedures, standards, processes and controls adhere to framework requirements
  • Establish monitoring and assessment processes to ensure compliance and adherence to established security policies, procedures, and standards



Incident Management


  • Maintains the Incident Management Plan and escalates possible incidents as necessary.
  • Ensure monitoring of security-related information sources for security alerts and assess security breaches/ events, oversee appropriate corrective actions, inform the campus community, and identify needed changes based on new security technologies or threats.
  • Serve as the liaison with external agencies and organizations, including law enforcement, as needed for incident response and planning.

Threat and Risk Management


  • Ensures threat and vulnerability resources and technology are proactively monitoring potential threats and vulnerabilities and protection controls are implemented timely and appropriately to safeguard and maintain business operations
  • Identifies and assesses risks in implementing business innovations. Provides assessment of those risks to business stakeholders.
  • Design and execute penetration tests and security audits.
  • Support continuous monitoring activities, vulnerability scans, policy and procedure updates, configuration/incident management, and training.
  • Coordinate response to security audit requests from participant organizations and institutions and ensures any identified remediation activities are implemented within committed timeframes
  • Creates a risk-based process for the assessment and mitigation of any information security risk associated but not limited to supply chain partners, vendors, customers, and other third parties
  • Monitors compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties.
  • Facilitate and support the development of asset inventories, including information assets in cloud services and other parties included as part of the organization's technology environment

Leadership


  • Develop, motivate and provide leadership and direction to all staff.
  • Interview and select qualified candidates for job opening in compliance with applicable employment laws.
  • Monitor employee performance and provide on-going formal and informal feedback. Draft and administer staff performance evaluations in a timely manner.
  • Conduct weekly staff meetings to ensure all staff are informed of any company and/or departmental changes and updates.
  • Reward employees using formal and informal methods. Approve staff leave requests and timesheets and resolve employee attendance and performance concerns.
  • Oversight of project teams dealing with IT security issues, optimizing the contribution of people involved.



Communications, Training, and Outreach


  • Oversee the development and implementation of training programs and communications to make systems, network, and data users aware of and understand security policies and procedures.
  • Facilitate monthly Information Security Briefs.
  • Work with legal, risk and compliance staff to ensure all information owned, collected, and controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other regulatory requirements
  • Collaborate and liaise with privacy officer to ensure that data privacy requirements are included in the security program

Research and Analysis


  • Lead or conduct special projects or studies related to information systems security.
  • Stay well-informed of best practices in the IT security field, coordinate and/or evaluates new and emerging security practices and technologies, and recommends and promotes adoption as appropriate.
  • Provides expert advice related to information and systems security to CTO/CIO and other executives and serves as an internal consulting resource on information security issues.

Other Duties


  • Serve as a member of the CIO's Executive Leadership Team
  • Represent the organization with federal, state, local, and professional organizations in the area of IT security.

Requirements


Minimum Requirements:



Bachelor's degree in Computer Science or a related field, and 10-15 years of progressive IT Security experience, including cybersecurity and risk management, within a large corporate environment with at least 5 years in a management
Must possess professional security management certification such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or other similar credentials
Must demonstrate knowledge of common information security management frameworks such as ISO/IEC 27001 and or HITRUST, ITIL, COBIT and NIST, and an understanding of relevant legal and regulatory requirements such as Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security
Demonstrated experience of leading an advanced security program including sophisticated technologies in a defense-in-depth architected environment

Knowledge of network related protocols and security event log management and reporting tools.

Must be a critical thinker, with strong problem-solving skills
Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
Project management skill: financial management, scheduling and resource management
Ability to lead and motivate the information security team to achieve tactical and strategic goals
High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity
High degree of initiative, dependability, and ability to work with little supervision while being resilient to change
Experience with:
Maintaining operational computer and network security, firewall administration, virus protection, intrusion detection and prevention, automated security patching, and vulnerability scanning systems
Experience with data breach management and managing an actual data breach.
Proven project management skills and excellent presentation skills, with the demonstrated ability to effectively communicate with all levels of management

Preferred Experience


  • Advanced Degree in Cyber Security
  • Experience with Hybrid Cloud-based information protection
  • Demonstrated use of analysis, design, development, and implementation of technical solutions

Demonstrated experience with leading a SOC utilizing advanced threat and intelligence technology
An excellent team player with collaboration skills and a drive for results approach
Ability to foster a cooperative work environment. Outstanding interpersonal skills to effectively work with all levels of staff including management, senior staff, junior colleagues, and various IT-related committees.



Work Site Location



Gaithersburg, MD and Montgomery County travel expected



Tobacco Statement


Tobacco use is a well-recognized preventable cause of death in the United States and an important public health issue. In order to promote and maintain a healthy work environment, Adventist HealthCare will not hire applicants for employment who either state that they are nicotine users or who test positive for nicotine use.


Adventist HealthCare will withdraw offers of employment to applicants who test positive for Cotinine (nicotine). Those testing positive for cotinine are given the opportunity to re-apply in 90 days, if they can truthfully attest that they have not used any nicotine products in the past ninety (90) days and successfully pass follow-up testing.



Equal Employment Opportunity


Adventist HealthCare is an Equal Opportunity/Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, or protected veteran status.


Similar jobs