Chief Information Security Officer

GENERAL STATEMENT OF DUTIES                                                                  

The Chief Information Security Officer (CISO) is the executive leader responsible for all cybersecurity and data protection needs across HOPCo. This leader is tasked with proactively ensuring all systems, networks, methods of storing and moving data, are secured in a manner that is robust and protects member personal health information and all other sensitive or business confidential information and assets. The CISO will protect HOPCo from “bad actors” seeking to undermine the HOPCo business or access protected data. This leader will stay aware of all new threats, to proactively monitor, detect, and mitigate.

This leader will work with HOPCo Compliance to ensure all HOPCo employees understand the role they play in protecting HOPCo assets and data. The CISO is responsible for all security standards, policies, and enforcement across HOPCo. This includes accountability for the security standards enforced with all third parties upon which HOPCo depends. This also includes the security profiles for all clinical sites owned or managed by HOPCo.

This leader plays a critical role in making certain HOPCo is prepared to continue to function in the event of a ransomware attack or natural disaster.

The CISO is also tasked with gaining and maintaining HiTrust certification for HOPCo and ensuring ongoing compliance with regulatory requirements like HIPAA and GDPR.

ESSENTIAL FUNCTIONS

• Develop and execute on a plan to gain and maintain HiTrust certification


• Own ongoing compliance with data protection regulations like HIPAA and GDPR


• Stay aware and current on all government policies related to data protection


• Stay aware of the developing cybersecurity threat landscape using regular NIST alerts (or equivalent) and filter noise from actual threats to the HOPCo ecosystem


• Monitor the HOPCo systems for suspicious activity


• Establish cybersecurity policies and protocols


• Establish data privacy policies and protocols


• Partner with Compliance to maintain and deliver regular cybersecurity and data privacy training to all employees


• Enforce HOPCo cybersecurity and data privacy policies with all third parties


• Initiate and sponsor regular cybersecurity audits, including penetration tests, to identify vulnerabilities


• Assess all audit findings, establishing a prioritized path to mitigation


• Report the state of cybersecurity threats and readiness to the CTO, CEO, and board on a regular basis


• Establish dashboards and metrics to monitor current state and improvement over time


• Select and implement appropriate monitoring tools


• Develop an annual budget and business case tied to security investment needs


• Establish a plan to protect HOPCo against ransomware attacks and to ensure the business can continue uninterrupted in the event of an attack


• Work with other IT and business leaders to establish a robust Disaster Recovery Business Continuity Plan


• Manage prioritization and execution priority on all cybersecurity and data privacy work


• Manage MSSP vendors, including the selection and financial arrangement of using vendors


• Work with the CTO to manage the security-related budget


• Hire, manage, and coach security team members


• Manage security assessments of HOPCo for customers and potential customer audits


• Ensure HOPCo Access Management processes and policies are robust and followed

EDUCATION

• Bachelor’s Degree required (Computer Science preferred); CISSP or equivalent security professional certification.

EXPERIENCE

• 10+ years in various roles leading IT cybersecurity and data privacy teams and processes within healthcare


• Exceptional written and verbal communication skills. Ability to communicate complex technical topics effectively to executive audiences.


• Experience within a HiTrust certified organization and involvement in ongoing adherence


• Experience implementing security programs within complex environments


• Experience directly managing third parties to implement security tools and protocols


• Demonstrated experience as successful influential leader across matrixed teams


• Experience leading, hiring and coaching a team that includes internal and external team members

REQUIREMENTS

• None

KNOWLEDGE

• Expert knowledge and insight into threat vectors, ransomware risks, and data privacy regulations


• Expert knowledge of available monitoring and threat-detection tools


• Familiarity with IAM toolsets including Active Directory and Okta

SKILLS

• Strong negotiation skills for keeping organizational focus on needed investments, while keeping the bigger HOPCo business picture in mind


• Expert knowledge and insight into cybersecurity threat vectors and ransomware risks


• Current and thorough knowledge regarding data privacy and protection regulations (HIPAA, GDPR, etc.)


• Expertise in technical infrastructure, network architecture, and data movement


• Expertise in data storage, cloud technologies, database configuration, data protection techniques


• Expertise in system monitoring and threat detection toolsets and techniques


• Excellent listening, analytical, and communication skills


• Analytical thinking and problem-solving skills, with acute attention to detail, accuracy and accountability balanced with sound business judgment.


• Exceptional interpersonal skills

ABILITIES

• Ability to successfully manage multiple projects simultaneously


• Ability to communicate complex information in a clear and concise manner to managers and executives


• Ability to practice good judgment and discretion


• Ability to act with integrity


• Ability to engage and foster strong partnerships

ENVIRONMENTAL WORKING CONDITIONS

• Normal office environment


• Travel required

PHYSICAL/MENTAL DEMANDS

• Requires sitting and standing associated with a normal office environment.


• Manual dexterity using a calculator and computer keyboard.

ORGANIZATIONAL REQUIREMENTS

• HOPCo Mission, Vision and Values must be read and signed.

This description is intended to provide only basic guidelines for meeting job requirements. Responsibilities, knowledge, skills, abilities and working conditions may change as needs evolve.