About
Estimated Hiring Range:
$151, $185,735.00
Bonus Target:
Bonus - SIP Target, 5% Annual
Current CareOregon Employees: Please use the internal Workday site to submit an application for this job.
Essential Responsibilities
Program Leadership
Implement and oversee a comprehensive Information Security Program aligned with organizational goals and industry best practices.
Partner with IS and executive leadership to define security objectives, maintain the Information Security Roadmap, and report on program performance.
Advise senior leadership on security risks, emerging threats, and strategic cybersecurity needs.
Establish and maintain a security metrics framework and key performance indicators aligned with organizational priorities and standards.
Prepare and deliver clear, actionable reports for senior leadership, including key risk indicators, program status, and operational metrics.
Governance, Risk, and Compliance
Recommend updates to security policies and standards to align with HIPAA, HITRUST, NIST, and other frameworks.
Coordinate implementation of security programs, policies, and configuration standards across IS.
Lead risk assessments, vulnerability analyses, remediation planning, and the administration of a GRC platform.
Manage third‑party risk processes, including vendor assessments and ongoing monitoring.
Oversee penetration tests, program maturity assessments, and risk assessments.
Ensure ongoing compliance with regulatory, contractual, and audit requirements.
Lead the response to audit requests and efforts to remediate adverse results.
Security Operations & Incident Management
Build and lead operational security capabilities to monitor, detect, analyze, and respond to threats.
Utilize threat intelligence, monitoring, incident management, behavioral analysis, and advanced detection technologies.
Maintain SOPs, runbooks, and playbooks supporting incident investigation, containment, recovery, and post‑incident review.
Lead the Information Security Incident Response Plan, including training, exercises, and cross‑team readiness initiatives.
Aggregate and analyze security data using SIEM technologies to identify patterns, evaluate alerts, and prioritize responses.
Conduct proactive threat hunting and enhance monitoring to detect emerging threats.
Technical Security Oversight
Provide guidance on secure architecture and operations for on‑premises and Azure cloud environments.
Manage core security domains such as Vulnerability Management, Identity and Access Management, and Privileged Access Management.
Collaborate with other IS teams to ensure robust security configuration management for systems, hardware, and firmware.
Perform security reviews and risk assessments for software acquisitions and technology initiatives.
Lead periodic testing and improvement of the IS Disaster Recovery Plan.
Leadership & Collaboration
Lead, mentor, and develop a high‑performing cybersecurity team, fostering innovation, learning, and operational excellence.
Act as a subject matter expert for IS and business teams, providing guidance on secure architecture, risk mitigation, and best practices.
Maintain strong partnerships with key vendors, partners, and external stakeholders.
Facilitate security governance meetings and deliver clear, actionable updates to executive leadership.
Awareness & Training
Develop, maintain, and continuously improve the organization‑wide information security awareness program.
Ensure training content is current, engaging, and effective in reducing human‑related risk and supporting compliance.
Employee Supervision
Manage team and recommend team direction and goals in alignment with the organizational mission, vision, and values.
Identify work and staffing needs to meet work expectations; recruit and hire, using an equity, diversity, and inclusion lens.
Plan, organize, schedule, and monitor work; ensure employees have information and resources to meet job expectations.
Lead the development, communication, and oversight of team and individual goals; ensure goals, expectations, and standards are clearly understood by staff.
Train, supervise, motivate, and coach employees; provide support toward employee development.
Incorporate guidance from CareOregon equity tools into people leadership, planning, operations, evaluation, and decision making.
Ensure team adheres to department and organizational standards, policies, and procedures.
Evaluate employee performance and provide regular feedback to support success; recognize strong performance and address performance gaps and accountability (corrective action).
Perform supervisory tasks in collaboration with Human Resources as needed.
Experience and/or Education
Minimum 6 years' experience in information security systems, solutions or related services
Experience must include most of the following:
Leading teams, including developing and mentoring staff and supporting change management
Leading complex systems projects
Managing vendors and contracts
Influencing others
Developing policy and strategy roadmaps with business partners and aligning work efforts and solutions accordingly
Developing and implementing information or cyber security programs
Preferred
Minimum 2 years' experience in a supervisory position or minimum 1 year experience in a supervisory position with completion of CareOregon's Aspiring Leaders Program
Knowledge
Strong understanding of information security best practices and secure design principles
Knowledge of ITIL frameworks and their application within IS environments
Knowledge of cross‑team alignment practices and organizational calibration processes
Understanding of governance standards and adherence to established processes
Skills and Abilities
Ability to apply core managerial disciplines, including project and change management, cross‑functional collaboration, innovation, and organizational effectiveness
Experience across multiple information security domains, including governance, risk, and compliance; attack surface management; identity and access management; network security; data protection; disaster recovery; security operations; incident response; and threat modeling
Experience managing Intrusion Detection and Prevention systems such as Rapid7, InsightIDR and Defender ATP
Experience with Data Loss Prevention and data classification
Ability to promote continuous learning, empowerment, engagement, and development opportunities for employees
Strong oral and written communication skills, including meeting facilitation and presentations
Ability to clearly convey complex or controversial topics to diverse audiences
Ability to form an independent perspective, collaborate in decision‑making, and motivate others—especially during challenging situations
Ability to propose solutions and articulate business value
Ability to elevate strategic concerns to senior leadership clearly, accurately, and promptly
Ability to build strong working relationships with internal leaders and external partners
Ability to collaborate effectively with coworkers, staff, leaders, and executives across all departments
Ability to maintain a high degree of professionalism and a positive attitude
Ability to develop and monitor policies, risks, and solutions
Sound judgment with the ability to develop, implement, and reinforce policy and strategy
Ability to see the broader context behind requests and apply holistic, systems‑thinking approaches
Advanced project management skills
Advanced vendor management skills
Advanced budget management skills
Strong analytical and research skills
Ability to identify patterns in data and draw accurate conclusions
Ability to work effectively with diverse individuals and groups
Ability to learn, focus, interpret information, and determine appropriate actions
Ability to accept direction and feedback, and manage stress effectively
Ability to see, read, and perform repetitive finger and wrist movement for at least 6 hours/day
Ability to hear and speak clearly for at least 3-6 hours/day
Working Conditions
Work Environment(s): ☒ Indoor/Office ☐ Community ☐ Facilities/Security ☐ Outdoor Exposure
Member/Patient Facing: ☒ No ☐ Telephonic ☐ In Person
Hazards: May include, but not limited to, physical and ergonomic hazards.
Equipment: General office equipment and mobile technology
Travel: May include occasional required or optional travel outside of the workplace; the employee's personal vehicle, local transit or other means of transportation may be used.
Work Location: Work from home
We offer a strong Total Rewards Program. This includes competitive pay, bonus opportunity, and a comprehensive benefits package. Eligibility for bonuses and benefits is dependent on factors such as the position type and the number of scheduled weekly hours. Benefits-eligible employees qualify for benefits beginning on the first of the month on or after their start date. CareOregon offers medical, dental, vision, life, AD&D, and disability insurance, as well as health savings
Languages
- English