Director of Information Security

Vytalize Health

📍Remote - Worldwide

Summary

Join Vytalize Health as the Director of Information Security and lead the development and execution of a multi-year enterprise cybersecurity strategy. You will be responsible for the high-level cyber security design and blueprint, overseeing the information risk management program, and ensuring the protection of patient data. This leadership role requires collaboration with various teams, including IT and compliance, to implement and maintain security measures. You will develop and maintain security policies, procedures, and training programs, conduct risk assessments, and manage vendor relationships. The ideal candidate possesses extensive experience in cybersecurity within the healthcare industry, relevant certifications, and strong leadership and communication skills.

Requirements

  • 15+ years of experience in cybersecurity and secure configuration of systems within the healthcare industry
  • Certifications such as CISM, CISA, CISSP, etc. and a bachelor’s degree or equivalent in Computer Science, Computer Engineering, or Business Administration
  • Strong knowledge of incident response, orchestration, automation, and threat hunting processes
  • Expertise in evaluating and recommending enterprise cyber security architecture tools and solutions
  • Knowledge of Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), and Payment Card Industry Data Security Standards (PCI DSS)
  • Expertise with recommending and designing enterprise information security tools and solutions
  • Expertise with information security risk and risk management processes
  • Bachelor's degree or equivalent in Computer Science, Computer Engineering, Business Administration
  • Excellent written and verbal communication skills
  • Excellent interpersonal and broad technical skills
  • Excellent communication, leadership, and problem-solving skills
  • Demonstrated ability to drive organizational growth and meet operational goals
  • Financial acumen with experience in budget management and reporting
  • Current awareness of healthcare industry trends and regulatory changes

Responsibilities

  • Lead in strategic development and provide governance for the execution of a multi-year enterprise cyber security strategy using current, emerging, and next gen technologies
  • Work closely with the cyber security team and IT teams to transition from design or pilot to deployment and ensure all appropriate documentation and processes are developed in accordance with the information security policies
  • Oversee and manage the information risk management program
  • Ensure the protection of patient data and organizational information assets, aligning with regulatory requirements and industry best practices
  • Lead in planning, recommending tools, techniques and technologies to protect and secure Vytalize infrastructure, systems, and data
  • Develop orchestration, automation, and response integrations and streamline the different security tools to reduce mean time to detect (MTTD) and mean time to respond (MTTR), improving overall security posture
  • Evaluate financial and resource requirements and recommend new information security products
  • Provide information security expertise in the development of complex solutions and new information security projects. Serve as the technical information security subject matter expert
  • Maintain knowledge of emerging technologies for future information security tools and products. Develop and socialize the information security technologies vision and roadmap
  • Develop, maintain, and test the business continuity plans to effectively sustain business processes during and after a disruption
  • Develop, maintain, and test the crisis communication plan to effectively communicate with internal and external stakeholders during and after a disruption
  • Develop, maintain, and test the disaster recovery plan to effectively restore the operability of a system, application, or infrastructure
  • Integrate the incident response plan into the disaster recovery and business continuity plans, serve as an incident response lead, and assist with testing of the incident response plan
  • Develop and maintain the training programs to educate employees on regulatory and cyber security and privacy best practices, fostering a culture of awareness and accountability
  • Conduct regular simulated phishing exercises to educate employees and improve detection of malicious emails and other malicious events
  • Develop metrics to demonstrate the effectiveness of the training program and improve phishing detection and response
  • Develop a cyber security risk management program to quantify and qualify cyber security threats, vulnerabilities, and risks and apply risk mitigation strategies
  • Conduct comprehensive risk assessments to identify potential threats and vulnerabilities within the organization's operations
  • Identify, assess, and prioritize risks related to the organization’s operations, processes, and systems
  • Develop and maintain a cyber security risk register with the risks, risk ratings, risk mitigation strategies and action plans
  • Monitor risk exposure and risk action plans and report to the Chief Information Security Officer and the Compliance Committee
  • Collaborate with the compliance team regarding the cyber security risks and the action plans
  • Prepare and distribute regular reports to management and stakeholders summarizing risk assessments, compliance status, risk treatment plans, and recommendations for improvement
  • Conduct vendor risk assessments to identify and document potential supplier cyber security risks, threats, and vulnerabilities for management approval
  • Develop a process for monitoring and tracking third-party compliance requests and ensure their timely completion
  • Collaborate with legal and procurement teams to manage vendor relationships and ensure timely execution of vendor risk assessments
  • Identify where data is processed, transmitted, and stored to ensure that it is secure and accessible in accordance with business and regulatory requirements, including retention
  • Collaborate with data analytics to reduce data silos, ensure compliance and information security, ensure that data in non-production environments is de-identified, and ensure that data access follows the minimum necessary standard
  • Develop and maintain a Governance, Risk and Compliance Committee charter that defines the purpose, goals and objectives, organizational structure, membership and responsibilities, and meeting cadence, aligned with regulatory, policy, and organizational requirements
  • Prepare and distribute Governance Risk and Compliance Committee cyber security reports to summarize risk assessments, compliance status, and recommendations for improvement
  • Foster a culture of compliance and risk management throughout the organization
  • Monitor and track regulatory changes, ensuring that the organization remains compliant with all relevant cyber security laws, standards, and industry regulations
  • Maintain the information security policies and procedures to align with best practices and compliance requirements
  • Collaborate with internal and external audit teams, providing documentation and evidence as needed to demonstrate compliance and adherence to the information security policies
  • Develop and maintain a cyber security framework continuous assessment process to provide assurances that the controls in place are operating effectively
  • Maintain and enhance the vulnerability dashboard to remediate the vulnerability assessment findings, including penetration test, application security test, and internal and external vulnerability scans
  • Collaborate with cross-functional teams to socialize the information security tool roadmap to incorporate all requirements into the solution
  • Communicate security risks, issues, and recommendations, including residual risk, to the CISO and stakeholders
  • Maintain the information security policies to align with information security frameworks and industry best practices

Preferred Qualifications

  • Mentor team members, fostering an environment of continuous learning and professional development in advanced security technologies
  • Collaborate closely with the cybersecurity team to develop comprehensive security strategies and resolve complex cyber security issues
  • Leadership role in defining AI, tools, techniques, and technologies used to connect and secure the Vytalize ecosystem
  • Experience with development of compliance monitoring programs to identify control deficiencies and recommend process improvements
  • Sound business discernment and flexibility to identify compensating or mitigating controls to reduce risk
  • Monitor the threat landscape and threat intelligence to communicate, in a timely manner and with a sense of urgency, the vulnerabilities being exploited and recommendations for remediation, monitoring, and/or mitigating controls
  • Entrepreneurial spirit, a sense of ownership, and comfort operating in ambiguity

Benefits

  • Competitive base compensation
  • Annual bonus potential
  • Health benefits effective on start date; 100% coverage for base plan, up to 90% coverage on all other plans for individuals and families
  • Health & Wellness Program; up to $300 per quarter for your overall well-being available on start date
  • 401K plan effective on the first of the month after your start date; 100% of up to 4% of your annual salary
  • Unlimited (or generous) paid "Vytal Time", and 5 paid sick days after your first 90 days
  • Company paid STD/LTD
  • Technology setup
  • Ability to help build a market leader in value-based healthcare at a rapidly growing organization