Chief Information Security Officer (CISO)
Ref No.: 18-02176
Location: Rochester, New York
Experience Level: 11 Years
Start Date: 04/24/2018

Our Client is recruiting an experienced leader to serve as enterprise-wide Chief Information Security Officer (CISO) with senior leadership responsibilities for the organization and its affiliates. The position reports to the Vice President for IT / Chief Information Officer.
With guidance from the VP for IT / CIO, the Officer will develop a best-in-class information security program for the organization, further develop security architecture guidelines, and advance information security education for the institution. The successful candidate will work collaboratively with the community to assure compliance with government, healthcare and other regulatory policies and laws related to information security and privacy. Responsibilities include assessing information systems and network security risk and developing strategies to reduce risk and allow for business continuity. The CISO will also be accountable for status and progress reports related to information security.
The Officer will manage the institution's response to security threats and incidents and serve as the point of contact for internal and external communications related to information security. The Officer will oversee the review of information security resources, assist with project prioritization to appropriately protect information assets, and oversee security system and related implementations. This position will be responsible for overall HIPAA security compliance, including annual risk analyses, tracking and remediation, while working closely with the Chief Privacy Officer. Oversight of some aspects of PCI, GDPR, and FISMA compliance is also required. In addition, the successful candidate will lead efforts to identify areas requiring policy development and recommend information security-related policies and standard practices for the enterprise.

Operational Responsibilities:
  • Establish goals and objectives in coordination with the VP/CIO and various advisory councils
  • Recommend policies and procedures related to the use and management of data, information, and systems.
  • Work collaboratively with leadership to manage priorities, allocate resources effectively, and promote organization-wide process and constituent focus.
  • Supervise, coordinate and evaluate the work of information security management and staff.
    • Provide leadership and mentorship to an inclusive team, recruiting and including diverse perspectives in all aspects of the organization's operations.
  • Prepare and manage departmental budgets in coordination with the VP/CIO and IT Finance Team.
  • Provide leadership to the Information Security Officers responsible for community outreach in the clinical, administrative, research and education spheres.
  • Lead security operations in the areas of network security, systems management and threat & vulnerability management.
  • Benchmark against peer institutions and keep abreast of IT market trends related to information security and policy.
  • Represent the organization as an information technology leader as appropriate, at local, state, and national levels.
Incident Response: Prevention, Detection, and Remediation
  • Provide leadership to the overall incident response program. Maintain a collaborative relationship with senior leadership to ensure appropriate information security incident prevention, detection and remediation.
  • Oversee an information technology response team, which addresses information security related intrusions and other emergencies.
  • Direct assessment and acquisition of information security hardware and software. Assist in setting priorities for use of resources. Ensure the implementation of features and products to provide appropriate controls over information systems and networks.
  • Participate with senior leadership in monitoring, assessing, and addressing violations of the institution's information technology policies.
  • Act as the point of contact with internal and external organizations to respond to information security problems and intrusions as needed.
Risk Management
  • Actively participate in information security committees through the IT Governance framework to establish institution-wide security policies, verify compliance, and advance institutional security goals and objectives.
  • Collaborate with Privacy Officer, divisional information security liaisons, and partners working in the areas of risk management and compliance to advance institution-wide security policies and practices.
  • Lead the effort to monitor, assess, and report on risks and controls related to the institution's information assets.
  • Identify information system security requirements and practices to ensure the safety and security of the institution's information assets.
  • Work collaboratively to develop and administer programs to promote compliance with information security policies and procedures.
Prevention, Education, and Communication
  • Create and administer an institution-wide information security education program.
  • Serve as the institutional authority on emerging technologies related to information security.
  • Organize, convene, and moderate committees and working groups related to the institution's information security program.
  • Where appropriate, act as the institution's point of contact for partners, vendors, regulatory bodies, government agencies, press and other external groups for information security related efforts.

The position requires strong analytic skills and the ability to assess and express tradeoffs between extremes of tight control and open exchange as this applies to campus environments. It requires the ability to communicate effectively with diverse constituencies and to gain consensus. The individual must be results-oriented and measure and document progress achieved.

  • Excellent communication skills, demonstrated ability to successfully interface at all levels, including executive and board level
  • Strong knowledge of regulatory requirements, including HIPAA, PCI, and GDPR
  • Strong understanding of various security frameworks, including the NIST SP 800 series, the NIST Cybersecurity Framework (CSF), and HITRUST
  • Strong commitment to customer service
  • Demonstrated ability to develop information strategy for large, decentralized organizations and to make standards-based architecture recommendations and facilitate implementation
  • Excellent management and general leadership skills, including coaching and facilitation
  • High level of integrity and excellent judgment concerning security and privacy issues
  • Ability to work with academic and business units to understand information security needs, make recommendations and document the business case for change where needed
  • Ability to understand and implement cultural change related to technology with an awareness that developing strong security practices involves technology and people
  • Demonstrated team performance and change management skills
  • Bachelor's degree in information systems or related disciplines. Master's degree in business, MIS or computer science preferred. Security certification is desirable.
  • Seven to ten years of progressive IT-related work experience in information systems with a focus on information security or related areas, preferably in a healthcare institution
  • Equivalent combinations of experience, training and/or education will be considered.