Chief Information Security Officer

The Chief Information Security Officer (CISO) is the executive leader responsible for all cybersecurity and data protection needs across HOPCo. This leader is tasked with proactively ensuring all systems, networks, methods of storing and moving data, are secured in a manner that is robust and protects member personal health information and all other sensitive or business confidential information and assets. The CISO will protect HOPCo from "bad actors" seeking to undermine the HOPCo business or access protected data. This leader will stay aware of all new threats, to proactively monitor, detect, and mitigate.

This leader will work with HOPCo Compliance to ensure all HOPCo employees understand the role they play in protecting HOPCo assets and data. The CISO is responsible for all security standards, policies, and enforcement across HOPCo. This includes accountability for the security standards enforced with all third parties upon which HOPCo depends. This also includes the security profiles for all clinical sites owned or managed by HOPCo.

This leader plays a critical role in making certain HOPCo is prepared to continue to function in the event of a ransomware attack or natural disaster.

The CISO is also tasked with gaining and maintaining HiTrust certification for HOPCo and ensuring ongoing compliance with regulatory requirements like HIPAA and GDPR.

Essential functions include developing and executing on a plan to gain and maintain HiTrust certification, owning ongoing compliance with data protection regulations like HIPAA and GDPR, staying aware and current on all government policies related to data protection, monitoring the HOPCo systems for suspicious activity, establishing cybersecurity policies and protocols, establishing data privacy policies and protocols, partnering with Compliance to maintain and deliver regular cybersecurity and data privacy training to all employees, enforcing HOPCo cybersecurity and data privacy policies with all third parties, initiating and sponsoring regular cybersecurity audits, including penetration tests, to identify vulnerabilities, assessing all audit findings, establishing a prioritized path to mitigation, reporting the state of cybersecurity threats and readiness to the CTO, CEO, and board on a regular basis, establishing dashboards and metrics to monitor current state and improvement over time, selecting and implementing appropriate monitoring tools, developing an annual budget and business case tied to security investment needs, establishing a plan to protect HOPCo against ransomware attacks and to ensure the business can continue uninterrupted in the event of an attack, working with other IT and business leaders to establish a robust Disaster Recovery Business Continuity Plan, managing prioritization and execution priority on all cybersecurity and data privacy work, managing MSSP vendors, including the selection and financial arrangement of using vendors, working with the CTO to manage the security-related budget, hiring, managing, and coaching security team members, managing security assessments of HOPCo for customers and potential customer audits, ensuring HOPCo Access Management processes and policies are robust and followed.

Education: Bachelor's Degree required (Computer Science preferred); CISSP or equivalent security professional certification.

Experience: 10+ years in various roles leading IT cybersecurity and data privacy teams and processes within healthcare, exceptional written and verbal communication skills. Ability to communicate complex technical topics effectively to executive audiences, experience within a HiTrust certified organization and involvement in ongoing adherence, experience implementing security programs within complex environments, experience directly managing third parties to implement security tools and protocols, demonstrated experience as successful influential leader across matrixed teams, experience leading, hiring and coaching a team that includes internal and external team members.

Requirements: None

Knowledge: Expert knowledge and insight into threat vectors, ransomware risks, and data privacy regulations, expert knowledge of available monitoring and threat-detection tools, familiarity with IAM toolsets including Active Directory and Okta.

Skills: Strong negotiation skills for keeping organizational focus on needed investments, while keeping the bigger HOPCo business picture in mind, expertise in technical infrastructure, network architecture, and data movement, expertise in data storage, cloud technologies, database configuration, data protection techniques, expertise in system monitoring and threat detection toolsets and techniques, excellent listening, analytical, and communication skills, analytical thinking and problem-solving skills, with acute attention to detail, accuracy and accountability balanced with sound business judgment.

Abilities: Ability to successfully manage multiple projects simultaneously, ability to communicate complex information in a clear and concise manner to managers and executives, ability to practice good judgment and discretion, ability to act with integrity, ability to engage and foster strong partnerships.

Environmental Working Conditions: Normal office environment, travel required.

Physical/Mental Demands: Requires sitting and standing associated with a normal office environment. Manual dexterity using a calculator and computer keyboard.

Organizational Requirements: HOPCo Mission, Vision and Values must be read and signed.

This description is intended to provide only basic guidelines for meeting job requirements. Responsibilities, knowledge, skills, abilities and working conditions may change as needs evolve.

Equal Opportunity Employer This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.