Dir, Cybersecurity
- Toronto, Ontario, Canada
About
Job Title: Director, Cybersecurity & Information Security
Reports To: SVP, Technology
Job Summary:
In this role, you will serve as the Director, Cybersecurity & Information Security, an individual-contributor-oriented senior program leader who partners closely with the SVP, Technology. You'll lead the cybersecurity program (strategy through execution), collaborate deeply across IT operations, infrastructure, product development, software/dev teams, data analytics and clinic-IT operations, and also support the privacy program (in collaboration with Legal/Compliance). You'll remain hands-on with technical controls, incident response and vendor/third-party security operations, while also aligning with broader business and regulatory risk imperatives.
This role reports to the SVP, Technology, and is a core partner to them in defining and delivering our security and privacy goals.
Duties/Responsibilities:
- Develop, own and execute the cybersecurity/information-security program strategy — aligned with business objectives, risk appetite and regulatory/privacy landscape.
- Identify, assess and prioritize cybersecurity and privacy risks (technical, process, third-party/supply-chain, analytics, clinic IT) and drive mitigation/remediation plans.
- Oversee third-party and vendor security risk assessments and represent the organization in security discussions with external partners, auditors, or regulators as needed.
- Perform or oversee vulnerability assessments, penetration testing, threat hunting, monitoring (SIEM/EDR), incident detection & response, and forensics as required.
- Work closely with IT operations/infrastructure to ensure secure configuration, patching, network segmentation, identity & access management (IAM), endpoint protection, cloud security controls, logging/monitoring, business continuity/disaster recovery.
- Collaborate with product, software development and data analytics teams to embed security and privacy controls: code reviews, secure APIs, data protection/encryption, access controls, analytics platform security.
- Partner with clinic IT operations (medical systems, EHR/EMR, medical devices, remote/clinic networks) to ensure cybersecurity controls in a clinical/health-care environment: endpoint protection, identity management, network security, data protection, regulatory compliance with patient-data implications.
- Support the privacy program in collaboration with Legal/Compliance: implement data-privacy policies & procedures, perform privacy impact assessments (PIAs)/data protection impact assessments (DPIAs), manage data-subject rights, cross-border data flows, privacy-by-design integration in technology/business processes.
- Establish, maintain and train on incident response and crisis-communications plans (including those involving privacy incidents); lead incident response when needed; drive post-incident review/lessons learned.
- Develop and maintain security and privacy policies, standards and procedures (e.g., aligned with frameworks such as NIST CSF, ISO 27001/2) and foster a culture of security & privacy awareness across the organization.
- Provide regular reporting to senior leadership (including the SVP, Technology) on security/privacy metrics, risk posture, incident status, vendor/third-party security performance and program maturity.
- Act as a strategic advisor to senior leadership by translating cybersecurity and privacy risks into clear business impact and recommendations.
- Stay current on cybersecurity threats, vendor/supply-chain risk trends, privacy/regulatory changes and emerging technologies; propose improvements, tools or architectural enhancements.
- Develop and maintain a multi-year cybersecurity and privacy roadmap focused on improving program maturity and organizational resilience.
- Mentor and guide junior security analysts/engineers or vendor teams (especially if role grows) and contribute to building our security/privacy capability and maturity.
Required Skills/Abilities:
- Demonstrated experience implementing security controls, managing risk, incident response and working across infrastructure, application and data domains.
- Technical proficiency with security tools/technologies: firewalls, IDS/IPS, endpoint detection & response (EDR), SIEM, vulnerability scanning/penetration testing, cloud security (AWS/Azure/GCP), IAM, encryption/data protection, network segmentation, secure SDLC practices.
- Strong understanding of regulatory/compliance requirements applicable to healthcare/clinical settings (patient data protection, medical device networks, clinic IT environment) and privacy regulations (e.g., PIPEDA, GDPR, CCPA) in a Canadian/Global context.
- Strategic mindset: ability to engage senior leadership, articulate cybersecurity, privacy and vendor/third-party risk in business terms; influence across functional teams; treat security & privacy as enablers not blockers.
- Excellent communication skills (technical and non-technical audiences), ability to operate in a collaborative, fast-paced environment and influence without direct authority.
- Self-starter mindset: comfortable being an individual contributor, leading by example, and working hands-on and strategically at the same time.
Education and Experience:
- Bachelor's degree in Computer Science, Information Technology, Cybersecurity, Information Assurance or related field (Master's preferred but not required).
- 8-10+ years of experience in cybersecurity/information security — including hands-on technical work.
- Certifications such as CISSP, CISM, CEH (or equivalent) are strongly preferred. Privacy certifications (CIPM, CIPP) are a plus.
- Experience in healthcare or a regulated environment, product/SaaS development, data/analytics-driven business and clinic/health-IT operations strongly preferred.
Languages
- English