The Director of Information Security and Compliance (DoIS&C) role is to provide leadership for developing, leading and managing security initiatives. He/she directs the planning, engineering, and implementation of enterprise IT eco-system, business operation, and facility defenses against security breaches and vulnerability issues. He/she is also responsible for auditing existing systems, while overseeing and directing the enforcement of security policies, activities, and standards.
The DoIS&C is responsible for managing internal staff and third-party security vendors and operate technologies employed by the organization and owns key processes such as:
- Security Event Management
- Vulnerability Threat Management (VTM)
- Investigations, Incident Response & Forensics
- Malicious Program Detection & Prevention
- Security Intelligence
- Security Assessments & Penetration Testing
- Security Technology Care & Feeding
The DoIS&C will oversee all IT compliance efforts and will lead remediation activities associated to regulatory and company policy requirements. He/she will help build a proactive, sustainable compliance management framework and will integrate with other risk functions to establish a holistic program.
The DoIS&C will build a highly efficient and effective security operational model that includes a world class monitoring and incident response capability. He/she will also establish a framework that helps ensure that the maturity of key operational processes and technologies is continuously measured and improved upon. He/she will work closely with the Corporate Security Officer to build an effective metrics program that measures the security health of the environment, value of the processes/technologies deployed and tracks trends that can be acted upon to improve both preventative and detective capabilities.
DoIS&C is responsible for managing key staff and third-party security vendors. And, creates a vision, establishes an overall security strategy, sets goals and objectives, manages performance and deliverables, and develops / mentors staff.
Threat & Vulnerability Management
- Define processes and supporting technology to assist the security infrastructure team to actively monitor for threats and vulnerabilities.
- Proactively identify threats before they impact the organization.
- Integrate continuous threat intelligence into our SIEM tools and processes.
- Enhance and integrate security solutions to automate the detection-to-remediation activities (e.g., Security Event Management optimization and integration with ticketing system).
- Automate vulnerability scanning and integrate into the ticketing system.
- Consistently measure the output from the scanning process and ensure that remediation SLAs are established and met.
- Provide leadership to the engineering and operations security team who is responsible for the care and feeding of many of the security technologies employed at HI (e.g., Security Event Management, Vulnerability Management, and Malicious Program Detection & Prevention).
- Work closely with security architecture to develop the processes and technologies to prevent and detect malicious software in the environment.
- Build repeatable and sustainable penetration testing processes.
- Establish a framework to drive ongoing security assessment plans.
- Manage security related incidents in the corporate environment that were not mitigated through 1st tier operational activities.
- Provide oversight to the identification, containment and remediation of a security incident.
- Lead investigative activities that involve electronic data.
- Work closely with other risk management functions, legal and HR to support corporate investigations.
- Ensure that forensic evidence is preserved and can be used for legal proceedings if necessary.
- Work closely with the security compliance & controls function to align threat and vulnerability management processes and controls with the compliance requirements facing HI systems and data.
- Build and enforce security hardening standards.
- Implement preventative and detective controls to mitigate the risk of denial-of-service attacks.
- Interpret and ensure organizational knowledge and understanding of regulatory drivers including but not limited to the Health Insurance Portability and Accountability Act (HIPAA)
- Understand control frameworks (e.g., HITRUST, NIST, ISO, and PCI) and how they can be integrated into the overall security program
- Define the governance models, processes and supporting technology that will improve compliance management enterprise-wide
- Lead the efforts to perform recurring technology risk assessments
- Develop corporate policies, procedures and guidelines aligned to regulatory requirements and recognized security standards (i.e., ISO 27001)
- Work closely with business and IT leaders to ensure HI systems are in compliance with regulations and standards
- Oversee and support project teams and IT process leaders to ensure that remediation efforts meet deadlines
- Prepare executive-level presentations and facilitate technical workshops
- Develop security awareness programs that include security and compliance and span various functional units within HI
- Integrate with external parties to monitor changes to regulatory mandates that impact IT
- Responsible for execution of control to a satisfactory level and in a timely manner
- Communicate deviations if and when they occur
- Is familiar with SOC 2 compliance and its impact on company policies and processes
- Understands importance of adhering to SOC 2 requirements, and maintains an effort to do so
- Reviews and understands the Employee Handbook, and internal policies that define individual security responsibilities, and maintains segregation of duties in accordance with their role requirements
The position responsibilities outlined above are in no way to be construed as all encompassing. Other duties, responsibilities, and qualifications may be required and/or assigned as necessary.
- Minimum of 7+ years of experience in information security positions, with 5+ years’ experience in a role providing information security or information risk management services preferred.
- Working knowledge of regulatory requirements, security standards and compliance issues (HIPAA, HITRUST, etc.).
- Experience implementing compliance with industry security frameworks (ISO 27001, PCI, NIST 800-53, and NIST Cybersecurity).
- Experience implementing and supporting core Security solutions and processes such as:
- Security Event Management
- Vulnerability Management (e.g., enterprise vulnerability scanners, static/dynamic code )
- Endpoint security technologies
- Advanced malware
- Forensic toolsets
- Firewalls, VPNs and Proxies
- Experience working with Managed Security Service Providers (MSSPs) and ensuring adherence to established service levels.
- Skills required for conducting audits of information systems and their application to ensure accuracy of information and promote operational efficiency.
- Ability to stay abreast of emerging technologies and trends in assigned domain area(s).
- In depth technical knowledge of various aspects and components of information security spanning all layers of the OSI model.
- Experience with IT governance tools and processes.
- Experience with root cause analysis, risk mitigation, security assessments, analysis of security threats, trends and security architecture preferred.
- Proven ability to collaboratively plan, document, and present security strategies, achieve buy-in from IT leadership, and manage the implementation and ongoing support.
- Experience presenting and promoting information security awareness, training and education programs required.
- In addition to security, proficient in other IT control areas (i.e., change management, SDLC, Operations).
- Must be available to work off hours as-needed for 24/7/365 support.
- Bachelor’s degree in computer science, Information Technology, Information Security, or related field required.
- Security certifications such as GIAC, CISSP, CISM, CIPP or CFE preferred. Multiple designations desired.
- Strong analytical, problems-solving, and conceptual skills.
- Excellent written and verbal communication skills, strong customer focus and demonstrated ability to work in geographically dispersed teams.
- Strong teamwork and interpersonal skills; ability to communicate and influence at all management levels and with both technical and non-technical individuals and successfully manage in a cross-functional environment.
- Strong project management and time management skills required.
- Ability to work on numerous projects/activities simultaneously.
- Must be able to make accurate decisions related to task delegation and provide leadership in filling project and/or support team responsibilities.
- Demonstrated ability to build top performing teams and lead through example.
- Able to work across a matrixed environment of internal and contract resources.
- Must be able to mentor engineers in new systems, concepts and technical procedures.