The Director, Information Security, in conjunction with the Chief Information Security Officer (CISO), will provide oversight and input for the design, execution and maintenance of a security, risk and cyber operations strategy at Greenway Health. While primarily focused on mitigating risk for all systems containing electronic Protected Health Information (ePHI), this position will also help establish the vision, strategy and programs necessary to protect information, assets, people and technologies. With oversight from the CISO, this position will oversee and direct security programs and efforts across the company to ensure that compliant and current security technologies are employed, enabling Greenway Health to deliver high-quality and secure solutions to our customers. This includes developing and maintaining a security management program that governs the creation, administration and oversight of enterprise-wide information security activities. As part of the information security program, the Director, Information Security is also responsible for the development, implementation and management of areas including enterprise information security services, cyber resilience, information security governance and information security risk management. As a People Leader at Greenway Health, this position will be expected to provide proactive and real-time coaching and feedback to team members and to demonstrate the Greenway competencies, including the Leadership Competencies of Care for Yourself, Care for Others and Care for our Brand.
· Serves in a leadership role responsible for assessing and evaluating security risk, compliance, security standards and security communications across multiple locations.
· Responsible for collaborating with various stakeholders to build a strategic and comprehensive information security program that defines, develops, maintains and implements the controls, policies and processes that enable consistent, effective information security practices for systems containing electronic Protected Health Information (ePHI).
· Serves as a member of the IT leadership team that initiates, facilitates, and promotes activities to foster information security awareness within the organization.
· Provides leadership, direction and guidance in assessing and evaluating information security risks and trends, monitors evolving threats, risks and vulnerabilities and ensures compliance with security standards and appropriate policies.
· Remediates identified risks and applies the tools necessary to mitigate them.
· Conducts regular reviews of, and provides feedback on, the security roadmap to ensure that it meets regulatory compliance standards, current security protocols and other standards and methodologies including, but not limited to: the HIPAA Security Rule, HITRUST, NIST CSF, 42 CFR and any other applicable security and privacy laws.
· Collaborates with various stakeholders to proactively develop, communicate and implement annual and long-range security and compliance goals; defines security strategies, metrics, reporting mechanisms and program services; and creates maturity models and roadmaps for continual program improvement.
· Maximizes the effectiveness of installed security systems and cloud-based infrastructure and leads the assessment, evaluation, and implementation of new technologies and enterprise security processes as appropriate.
· Identifies information security protection goals, objectives and metrics consistent with the overall mission of the information security management program.
· Sets and reviews KPIs in all key functional areas relevant to the organization’s security practices and roadmap.
· Oversees the information security risk management program, including internal and third-parties.
· Implements and oversees the effective management of technical and administrative controls and provides leadership of cross-functional response teams (e.g., Security, IT, Legal, Compliance) to investigate and remediate security incidents.
· Collaborates with stakeholders at all levels of the organization to ensure critical business processes are maintained even when a cyber-attack may impact availability of systems and other technical resources.
· Provides leadership over the development, deployment and maintenance of a business continuity management program with ties to disaster recovery program.
· Creates and updates education and awareness programs and advises operating units at all levels on security issues, best practices and vulnerabilities.
· Keeps abreast of security incidents and acts as the primary control point during significant information security incidents. Convenes a Security Incident Response Team (SIRT) as needed, or as requested, to address and investigate security incidents that arise.
· Coordinates and tracks all IT- and security-related audits, including the scope of each audit, the units involved, timelines, auditing agencies and outcomes. Works with auditors as appropriate to keep the audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the organization in its best light. Provides guidance, evaluation and advocacy on audit responses.
· Provides experience and expertise in developing and executing risk-driven information security programs to meet business objectives in a landscape of rapidly evolving consumer expectations, market conditions, regulatory requirements and threats.
· Works with executive management to devise proper resourcing and budget needs.
Skills & Requirements
· Bachelor’s degree in cybersecurity, computer science or a related field; or an equivalent combination of education and/or experience.
· A Master’s degree in the above or a related field is preferred.
· 6+ years of progressive experience that includes designing and implementing an enterprise information security strategy and program; experience with HITRUST, ISO and NIST frameworks is highly preferred.
· An information security related certification, such as Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or a comparable certification, is preferred.
· Proven track record in the information security or technology space in highly regulated environments; a background in healthcare IT is a plus.
· Expertise in information security, technology, and risk management is essential.
· Business and financial acumen to include budgeting and forecasting.
· Ability to build solid business plans which include appropriate ROI and related business analysis and justification.
· A strategic and tactical thought leader, a consensus builder and an integrator of people and processes.
· Outstanding verbal and written presentation skills are essential in this position.
· Ability to get “hands-on” and act as a utility player on the team.
· A naturally curious, learning leader.
· Demonstrates initiative and adds value to the role and the team.
· Demonstrates ability to achieve functional transformation, change management and collaboration across multiple levels within the organization.
· Ability to prioritize tasks with competing urgency.
· Knowledge and understanding of regulatory requirements related to healthcare IT.
· Ability to take a proactive and collaborative approach to security and develop a security and quality culture within Greenway Health.
· Adept at creating and communicating a clear vision throughout the team to align resources to achieve functional area goals.
• While at work, this position is primarily sedentary and requires that the associate can work in an environment where they will consistently be seated for the majority of the work day.
• This role requires that one can sit and regularly type on a keyboard for the majority of the work day.
• This position requires the ability to observe a computer screen for long periods of time to review their own and others’ work, as well as incoming and outgoing communications via the computer and/or mobile devices.
• The role necessitates the ability to listen and speak clearly to customers and other associates.
• The work environment is an open room with other associates and noise from others will be part of the regular work day.
• This position requires up to 20% travel.