Director Chief Information Security Officer

Director Chief Information Security Officer St. Peter's Health Description About the job The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the enterprise vision, strategy, and program for protecting the organization's information assets, including all forms of protected health information (PHI) and confidential data. The CISO will lead the effort in identifying, assessing, and mitigating information security risks across clinical, administrative, and third-party environments, ensuring compliance with all applicable regulations, including HIPAA, and industry best practices. This role requires a balance of strategic leadership, technical expertise, and a deep understanding of the unique challenges in the healthcare industry, with a focus on patient safety and care continuity. Strategic Leadership & Governance Develop and execute a comprehensive, long-term information security strategy and roadmap that is aligned with the organization's clinical and business objectives. Establish and maintain the organization's information security management framework (e.g., based on 405D, NIST CSF, ISO 27001, or HITRUST). Collaborate with SPH leadership, including the Board of Directors, to define the organization’s risk tolerance and regularly report on the overall security posture, emerging threats, and mitigation plans. Manage the information security budget and oversee all security-related technology investments. Risk Management and Regulatory Compliance Lead enterprise-wide risk assessments to identify, prioritize, and manage security risks to all information systems and data. Partner with SPH Risk and Compliance Officer. Ensure rigorous compliance with all relevant federal, state, and international data privacy and security regulations, including HIPAA/HITECH, GDPR, and other applicable laws. Oversee the development, implementation, and maintenance of all security policies, procedures, and standards. Manage audit readiness and lead remediation efforts for all internal and external security and compliance audits (e.g., HITRUST, SOC 2). Oversee a robust Vendor and Third-Party Risk Management program to assess and mitigate security risks introduced by external partners. Security Operations and Incident Response Direct security operations, including threat and vulnerability management, identity and access management (IAM), Security Information and Event Management (SIEM), and endpoint protection. Lead the development, implementation, and ongoing testing of the Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans to ensure operational resilience for clinical and administrative systems. Serve as the executive crisis manager for all major security incidents and breaches, coordinating investigation, forensic analysis, root cause determination, and executive-level communications. Oversee the security of electronic health record (EHR) systems, medical devices, and all clinical technology platforms. Team Leadership and Security Culture Build, mentor, and lead a high-performing information security team with expertise across governance, risk, compliance (GRC), and security operations (SecOps). Foster a strong, security-conscious culture across the entire organization (employees, clinicians, and contractors) through mandatory and role-specific security awareness and training programs. Act as a collaborative partner to all business units, including IT, Clinical Operations, Legal, and HR, to ensure security is embedded into all new technologies and clinical workflows. Qualifications Knowledge/Experience: Minimum 2 years of progressive experience in Information Security, with at least 2 years in a senior leadership/executive role (CISO or equivalent) preferred. Deep and demonstrated expertise in the healthcare industry, with a strong understanding of clinical workflows, EHR systems, and the protection of PHI preferred. Certifications (Preferred): Certified Information Security Manager (CISM) Certified Information Systems Security Professional (CISSP) Certified Chief Information Security Officer (CCISO) HITRUST CSF Practitioner (CCSFP) Required Skills and Competencies: Cybersecurity Technologies: Expertise with enterprise-grade security architecture, including IAM, cloud security (AWS/Azure/GCP), network segmentation, and advanced threat detection tools. Risk Management: Proven track record of conducting and managing enterprise risk assessments and developing effective mitigation strategies. Education: Bachelor’s degree in Computer Science, Information Security, or a related field. Master’s degree preferred. License/Certification/Registry: None Attributes: Healthcare Compliance Expertise: In-depth knowledge of HIPAA, HITECH, and relevant security frameworks (e.g., NIST CSF, NIST 800-53). Strategic & Technical Acumen: Ability to translate complex technical risks into business implications for executive and board-level audiences. Leadership and Communication: Exceptional executive communication, negotiation, and interpersonal skills, with a proven ability to lead cross-functional teams and manage crises under pressure. #J-18808-Ljbffr