Director of Information Security

Your opportunity  

The Director of Information Security is responsible for the high-level cyber security design and blueprint.  Leads in strategic development and provides governance for the execution of a multi-year enterprise cyber security strategy using current, emerging, and next gen technologies. Works closely with the cyber security team and IT teams to transition from design or pilot to deployment and ensure all appropriate documentation and processes are developed in accordance with the information security policies.  Oversight and management of the information risk management program. This role ensures the protection of patient data and organizational information assets, aligning with regulatory requirements and industry best practices. 

What You Will Do  

Enterprise Architecture 

• Leadership role in planning, recommending, tools, techniques and technologies to protect and secure Vytalize infrastructure, systems, and data. 
• Development of orchestration, automation, and response and integration and streamline the different security tools to reduce mean time to detect (MTTD) and mean time to respond (MTTR), improving overall security posture.  
• Evaluates financial and resources and recommends new information security products  
• Provides information security expertise in the development of complex solutions and new information security projects.  Serves as the technical information security subject matter. 
• Maintains knowledge of emerging technologies for future information security tools and products.  Develop and socialize the information security technologies vision and roadmap. 
• Development of orchestration, automation, and response and integration and streamline the different security tools to reduce mean time to detect (MTTD) and mean time to respond (MTTR), improving overall security posture. 

Response Plans 

• Develop, maintenance, and test of the business continuity plans to effectively sustain business process during and after a disruption. 
• Develop, maintenance, and test of the crisis communication plan to effectively communicate with internal and external stakeholders during and after a disruption. 
• Develop, maintenance, and test of the disaster recovery plan communication to effectively restore the operability of a system, application, or infrastructure. 
• Integration of the incident response plan into the disaster recovery and business continuity, serve as an incident response lead, and assist with testing of the incident response plan.  

 Training and Awareness 

• Develop and maintain the training programs to educate employees on regulatory and cyber security and privacy best practices, fostering a culture of awareness and accountability. 
• Conduct regular simulated phishing exercises to educate and detect malicious emails and other malicious events.   
• Develop metrics to demonstrate the effectiveness of the training program and improve phishing detection and response. 

Risk Management 

• Develop a cyber security risk management program to quantify and qualify cyber security threats, vulnerabilities, and risks and apply risk mitigation strategies. 
• Conduct comprehensive risk assessments to identify potential threats and vulnerabilities within the organization's operations. 
• Identify, assess, and prioritize risks related to the organization’s operations, processes, and systems. 
• Develop and maintain a cyber security risk register with the risks, risk ratings, risk mitigation strategies and action plans. 
• Monitor risk exposure and risk action plans and report to the Chief Information Security Officer and the Compliance Committee. 
• Collaborate with the compliance team regarding the cyber security risks and the action plans. 
• Prepare and distribute regular reports to management and stakeholders summarizing risk assessments, compliance status, risk treatments plans, and recommendations for improvement. 

Supplier Risk 

• Conduct vendor risk assessments to identify and document potential supplier cyber security risks, threats, and vulnerabilities for management approval.  
• Develop a process for third-party compliance requests monitoring and tracking and ensure timely completion. 
• Collaborate with legal and procurement teams to manage vendor relationships and ensure timely execution of vendor risk assessments. 

Governance 

• Identify data where data is processed, transmitted, and stored to ensure that data is secure and accessible in accordance with business and regulatory requirements and retention.  
• Collaborate with data analytics to reduce data silos, ensure compliance and information security, non-production environments data is de-identified, and data access in accordance with minimum necessary. 
• Develop and maintain a Governance Risk and Compliance Committee charter that defines the purpose, goals and objectives, organizational structure, membership and responsibilities and meeting cadence that aligns the regulatory, policy and organizational requirements. 
• Prepare and distribute Governance Risk and Compliance Committee cyber security reports to summarize risk assessments, compliance status, and recommendations for improvement. 
• Foster a culture of compliance and risk management throughout the organization 

Compliance Oversight 

• Monitor and track regulatory changes, ensuring that the organization remains compliant with all relevant cyber security laws, standards, and industry regulations. 
• Maintain the information security policies and procedures to align with best practices and compliance requirements. 
• Collaborate with internal and external audit teams, providing documentation and evidence as needed to demonstrate compliance and adherence to the information security policies. 
• Develop and maintain a cyber security framework continuous assessment process to provide assurances that the controls in place are operating effectively.  

Exposure Management 

• Maintain and enhance the vulnerability dashboard to remediate the vulnerability assessment findings, including penetration test, application security test, and internal and external vulnerability scans.  

Collaboration and Communication 

• Collaborate with cross-functional teams to socialize the information security tool roadmap to incorporate all requirements into the solution.  
• Communicate security risks, issues, and recommendations to CISO and stakeholders with the recommendations and residual risk. 

Information Security Policies 

• Maintain the information security policies to align with information security frameworks and industry best practices. 

What will make you successful here  

• 15+ years of experience in cybersecurity and secure configuration of systems within the healthcare industry. 
• Certifications such as CISM, CISA, CISSP, etc. and bachelor’s degree or equivalent in Computer Science, Computer Engineering, Business Administration 
• Strong knowledge of incident response,  orchestration, automation, and threat hunting processes. 
• Expertise in evaluation and recommend enterprise cyber security architecture tools and solutions. 
• Knowledge of Health Insurance Portability and Accountability Act (HIPAA), Health Information 
• Technology for Economic and Clinical Health (HITECH), and Payment Card Industry Data Security Standards (PCI DSS). 
• Expertise with recommending and designing enterprise information security tools and solutions. 
• Expertise with information security risk and risk management processes. 
• Mentor team members, fostering an environment of continuous learning and professional development in advanced security technologies. 
• Collaborate closely with the cybersecurity team to develop comprehensive security strategies and resolve complex cyber security issues. 
• Leadership role in defining AI, tools, techniques, and technologies used to connect and secure the Vytalize ecosystem. 
• Experience with development of compliance monitoring programs to identify control deficiencies and recommend process improvements. 
• Sound business discernment and flexibility to identify compensating or mitigating controls to reduce risk. 
• Excellent written and verbal communication skills. 
• Bachelor's degree or equivalent in Computer Science, Computer Engineering, Business Administration 
• Monitor the threat landscape and intel to communicate timely and a sense of urgency the vulnerabilities being exploited and recommendations for remediation, monitoring and/or mitigating controls. 
• Excellent interpersonal and broad technical skills. 
• Excellent communication, leadership, and problem-solving skills. 
• Demonstrated ability to drive organizational growth and meet operational goals. 
• Financial acumen with experience in budget management and reporting. 
• Current awareness of healthcare industry trends and regulatory changes. 
• Entrepreneurial spirit, a sense of ownership and comfortable operating in ambiguity 

Perks/Benefits 

• Competitive base compensation 
• Annual bonus potential 
• Health benefits effective on start date; 100% coverage for base plan, up to 90% coverage on all other plans for individuals and families  
• Health & Wellness Program; up to $300 per quarter for your overall well-being available on start date  
• 401K plan effective on the first of the month after your start date; 100% of up to 4% of your annual salary 
• Unlimited (or generous) paid "Vytal Time", and 5 paid sick days after your first 90 days 
• Company paid STD/LTD 
• Technology setup  
• Ability to help build a market leader in value-based healthcare at a rapidly growing organization  

Please note at no time during our screening, interview, or selection process do we ask for additional personal information (beyond your resume) or account/financial information.  We will also never ask for you to purchase anything; nor will we ever interview you via text message. Any communication received from a Vytalize Health recruiter during your screening, interviewing, or selection process will come from an email ending in @vytalizehealth.com