The VP, Chief Info Security Officer is responsible for establishing and maintaining the information security program to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the innovative, industry-leading digital ecosystem in which Hackensack Meridian Health operates. The VP, Chief Info Security Officer is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while driving and enabling the bleeding-edge clinical, research and business objectives of Hackensack Meridian Health.
The VP, Chief Info Security Officer position requires a high energy, visionary people leader with sound knowledge of organizational management and a knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The VP, Chief Info Security Officer will proactively work with operating units and partners to implement practices that meet agreed-on policies and standards for information security. (S)he should understand IT and must oversee a variety of cybersecurity and risk management activities related to IT to ensure the achievement of organization outcomes where the process is dependent on technology. The VP, Chief Info Security Officer will be responsible for implementing and running the enterprise information security program.
The VP, Chief Info Security Officer should understand and articulate the impact of cybersecurity on the digital business of healthcare, and be able to communicate this to the board of directors and other senior stakeholders. (S)he serves as the process owner of the appropriate second-line assurance activities related to confidentiality, integrity and availability of information owned or processed by Hackensack Meridian Health in compliance with applicable law, regulation, policy, procedure and best-practice requirements. The VP, Chief Info Security Officer understands that securing information assets and associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter. A key element of the VP, Chief Info Security Officer's role is working with executive management to determine acceptable levels of risk for the organization.
The CISO must be knowledgeable about both internal and external healthcare environments, and ensure that information systems are maintained in a fully functional and secure mode and are compliant with legal, regulatory and contractual obligations. The ideal candidate is a thought leader, a people leader, and someone relentlessly focused on getting to Yes. (S)he is an integrator of people, process and technology. While the VP, Chief Info Security Officer is the leader of the information security program, (S)he must also be able to coordinate disparate demands, constraints and personalities, while maintaining objectivity and a strong understanding that cybersecurity is foundational for the organization to deliver on its goals and objectives. Ultimately, the VP, Chief Info Security Officer is a leader, and should have a track record of thought leadership in the information security field.
- Develop and implement a world-class information security program that enables the digital objectives of Hackensack Meridian Health while ensuring the Confidentiality, Integrity and Availability of our digital assets.
- Be recognized as a healthcare information security expert in the United States.
- Facilitate an information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee.
- Provide regular reporting on the current status of the information security program to senior business leaders and committees of the board of directors.
- Work with purchasing and legal to ensure that information security requirements are included in contracts.
- Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
- Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
- Provide clear risk mitigating directives for projects with components in IT, including the mandatory application of controls.
- Lead the security champion program to mobilize employees in all locations.
- Lead the information security function across the enterprise to ensure consistent and high-quality information security management in support of organizational goals.
- Determine the optimal information security approach and operating model in consultation with key stakeholders.
- Manage the budget for the information security function.
- Manage the cost-efficient information security organization, consisting of direct reports and outsourced resources.
- Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
- Work effectively with operating units to facilitate information security risk assessment and risk management processes, and empower them to own and accept the level of risk they deem appropriate for their specific risk appetite.
- Develop and enhance an up-to-date information security management framework based on COBIT/Risk IT and National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and board levels.
- Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
- Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies.
- Create a risk-based process for the assessment and mitigation of any information security risk in the ecosystem consisting of supply chain partners, vendors, consumers and any other third parties.
- Work with the compliance staff to ensure that all information owned, collected or controlled by or on behalf of Hackensack Meridian Health is processed and stored in accordance with applicable laws and other global regulatory requirements.
- Collaborate with the data privacy officer to ensure that data privacy requirements are included where applicable.
- Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
- Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
- Manage and contain information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation.
- Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
- Coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
- Facilitate and support the development of asset inventories, including information assets in cloud services and in other parties in the organization's ecosystem.
The CISO must have in-depth knowledge and experience of the following:
- Poise and ability to act calmly and competently in high-pressure, high-stress situations
- Must be a critical thinker, with strong problem-solving skills
- Knowledge and understanding of relevant legal and regulatory requirements, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
- Project management skills: financial/budget management, scheduling and resource management
- Ability to lead and motivate the information security team to achieve tactical and strategic goals, even when only "dotted line" reporting lines exist
- A master of influencing entities and decisions in situations where no formal reporting structures exist, but achieving the desirable outcome is vital
The following experience is considered essential:
- Demonstrated and progressive experience in information security and IT
- Strategic leader and builder of both vision and bridges, and able to energize the appropriate teams in the organization
- Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies
- Up-to-date knowledge of methodologies and trends in both business and IT
Preferred Certification/Licensing: CISSP or CEH