Company

Cabell Huntington Hospital/St. Mary

Address: Huntington, WV
Form of work: Full-Time
Category: Information Technology

Job description

The VP, Chief Information Security Officer (CISO), reports to the CIO of Marshall Health Network, Inc. (MHN). This role is a member of the CIO leadership team and serves a key role in Information Services leadership, working closely with the senior administration of MHN. This role is an advocate for the organization's total Information Security needs and is responsible for the development and delivery of a comprehensive Information Security strategy to optimize the security posture of the enterprise. This role leads the development and implementation of a security program that leverages collaborations and organization-wide resources, facilitates Information Security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage Information Security risk. Responsibilities also include long-term strategic planning, determining the policies of the organization, allocating its resources, and making decisions regarding organization growth and diversification to accomplish MHN's vision. This is an executive role that provides strategic vision and/or tactical/strategic direction across multiple teams, with most of the time spent overseeing the area of responsibility and directing the responsibilities of employees. Goal achievement is typically accomplished through the performance of direct and/or indirect reports. This is an MHN sub-function head role accountable for establishing and implementing strategies that have short- to mid-term (1-3 years) impact on business results in alignment with function objectives. The role leads multiple teams of directors/senior managers and managers and develops short- to mid-term (1-3 years) plans for optimizing the function or sub-function and the talent required to execute strategies in the job area.
The duties and responsibilities listed below are intended to describe the general nature of work and are not intended to be an all-inclusive list. Other duties and responsibilities may be assigned.
  • Responsible for the strategic leadership of the MHN Information Security program.
  • Provides guidance and counsel to the CIO and key members of the leadership teams, working closely with senior administration, academic leaders, and the affiliated campus community in defining objectives for Information Security, while building relationships and goodwill.
  • Works with organizational leadership to oversee the formation and operations of an enterprise-wide Information Security organization that is organized toward a common goal in Information Security.
  • Manages enterprise-wide Information Security governance processes; serves as a member of the Joint Compliance Committee and chair of the Information Security Steering Committee in the establishment of an Information Security program and project priorities.
  • Leads Information Security planning processes to establish an inclusive and comprehensive Information Security program for the entire enterprise in support of clinical, revenue cycle, academic, research, and administrative information systems and technology.
  • Establishes annual and long-range security and compliance goals; defines security strategies, metrics, reporting mechanisms and program services; and creates maturity models and a roadmap for continual program improvements.
  • Stays abreast of Information Security issues and regulatory changes at the state and national level, participates in national policy and practice discussions, and communicates to the enterprise on a regular basis about those topics. Engages in professional development to maintain continual growth in professional skills and knowledge essential to the position.
  • Provides leadership philosophy for the Information Security Office to create a strong bridge between organizations, build respect for the contributions of all and bring groups together to share information and resources and create better decisions, policies and practices for the campus.
  • Mentors the Information Security Office team members and implements professional development plans for all members of the team.
  • Represents MHN on committees and boards associated with the enterprise and in national and regional consortiums and collaborations.
  • Leads the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure Information Security and compliance with relevant legislation and legal interpretation.
  • Leads efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the enterprise information and technology systems.
  • Coordinates and tracks all information technology and security related audits including scope of audits, business units involved, timelines, auditing agencies and outcomes. Works with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light. Provides guidance, evaluation and advocacy on audit responses.
  • Works with the organization's leadership and relevant responsible compliance department leadership to build cohesive security and compliance programs for the enterprise to effectively address state and federal statutory and regulatory requirements.
  • Develops a strategy for dealing with the increasing number of audits, compliance checks and external assessment processes for internal/external auditors.
  • Works closely with IT leaders, technical experts, and administrative leaders across the organizations on a wide variety of security issues that require an in-depth understanding of the IT environment in their units, as well as the research landscape and federal regulations that pertain to their unit's research areas.
  • Creates education and awareness programs and advises operating units at all levels on security issues, best practices, and vulnerabilities.
  • Works with groups such as Network Managers, Information Security Liaisons and Information Services teams to build awareness and a sense of common purpose around security.
  • Pursues security initiatives to address unique needs in identity theft protection, mobile social media security and the online reputation program.
  • Keeps abreast of security incidents and acts as primary control point during significant Information Security incidents. Convenes a Security Incident Response Team (SIRT) as needed, or requested, in addressing and investigating security incidents that arise.
  • Convenes an Ad Hoc Security Committee as appropriate and provides leadership for breach response and notification actions for the enterprise.
  • Develops, implements and administers technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
  • Provides leadership, direction and guidance in assessing and evaluating Information Security risks and monitors compliance with security standards and appropriate policies.
  • Examines impacts of new technologies on MHN's overall Information Security. Establishes processes to review implementation of new technologies to ensure security compliance.
  • Leads an outsourced Cybersecurity Team and outsourced SOC.

Requirements
Education:
  • Bachelor's degree in Information Security, Computer Science, or a related field.
  • Certifications that include one of the following: CISM, CISSP, C-CISO or CHISL.
  • Master's degree in Information Security, Computer Science, or a related field preferred.

Experience
  • Ten (10) years of experience in Information Security, with a significant portion of that experience in a leadership or managerial role, preferably in a health care setting.

The kind of position-related experience includes:
  • Works independently under general direction of supervisor
  • Possesses knowledge of effective training and communication strategies
  • Exhibits knowledge of company identity, mission, and goals
  • Demonstrates strong writing and editing skills
  • Experience with communicating with leadership and organization clearly and effectively
  • Experience in exhibiting excellent interpersonal skills
  • Experience in leadership skills
  • Experience with thinking outside the box
  • Possesses solid problem-solving skills
  • Documents issue resolution well and communicates to peers for improved support
  • Performs other functions as requested

ABILITY TO:
  • Expert skills in managing Information Security and mitigating security risk.
  • Excellent oral and written communication skills, including ability to present to senior leadership and Boards.
  • Strong understanding of cybersecurity technologies, tools, and best practices.
  • Demonstrated knowledge of managing outsourced cybersecurity teams and vendor relationships.
  • In-depth knowledge of cybersecurity regulations, compliance frameworks, and industry standards, such as NIST and HITRUST.
  • Excellent communication, leadership, and problem-solving skills.
  • Demonstrated knowledge of financial forecasting and budget management.

Physical Demands
Ability to push/pull light objects less than 20 pounds; perform simple manipulative skills such as writing, collating, and grasping objects; perform tasks that require eye-hand coordination such as operating computers and keyboarding skills; perform gross motor coordination such as reaching, turning, and moving about; be mobile and move from one place to another; hear normal sounds with some background noise; perform moderately difficult manipulative skills; see objects closely.
Refer code: 8932465. Cabell Huntington Hospital/St. Mary - The previous day - 2024-04-08 02:25
