The Director Information Security is a senior role with our growing customer’s technology leadership team, responsible for managing the organization’s overall information security, risk, and compliance position.  This individual plays a critical role in developing and maintaining their information security program to ensure it is robust, scalable, and aligns with the organization’s overall mission.  The Director Information Security supports our customer by participating in the leadership, implementation and maintenance of an effective and comprehensive compliance and security program that protects our customer’s health information data and operations. The Director serves as a project lead and subject matter expert for our customer in security operational initiatives, and is responsible for facilitating, executing, monitoring, and documenting policies, procedures, processes, and overall compliance operations. He or she also assists in developing and executing communication and training initiatives. The Director performs monitoring activities and assists our customer’s management team in analyzing outcomes and communicating findings as appropriate. Additional responsibilities include leading and/or participating in the investigation of privacy, security and other ethics concerns, workplace safety, and compliance with federal, state and HITRUST rules and regulations.

The role reports into our customer’s CIO. 

While delivering services, all company staff interact with the Delaware healthcare community stakeholders.  The Director must be able to communicate concepts clearly and concisely to a variety of audiences and participate in the ecosystem of security leaders in the region.

Scope of Work:

Principle Duties and Responsibilities
•    Security of data assets: Oversee security and risk practices to ensure the organization is as protected against internal and external threats to the extent possible.
•    Security Risk Management: Manage the ongoing risk assessment function to identify the greatest threats to the organization and recommend approaches. Oversee strategies to assess, prioritize, and mitigate risks to physical and virtual assets.
•    Incident Management: Supervise incident investigations and disposition.
•    Security Controls: Develop and implement security controls, policies & procedures, and enforcement.
•    Security Certifications: Oversee the selection and recommendation of appropriate security frameworks and organizational certifications (such as HITRUST, EHNAC, and NIST), and be the project sponsor for the implementation and ongoing maintenance of that program.
•    Compliance: Working with legal, ensure the company complies with local, state, and national regulations in areas of security and privacy.
•    Innovation: Continually research best practices, industry trends, and vendor solutions to ensure the organization is functioning with an optimal approach, knowledge, and toolsets.
•    Documentation & Knowledge Sharing: Maintain appropriate documentation of incidents, risk assessments, and education.  Must be intimately familiar with, and author of company policies and procedures related to technology and security.
•    Disclosures: Assist in the analysis and reporting of Privacy and Security disclosures.
•    External Activities: Act as a liaison for the organization in regional security groups and events.  Serve as a liaison to state and federal agencies for communication of cybersecurity concerns, breach concerns, etc.  Also engage with the organization’s customers on their security practices and how the community can work more closely and effectively together.
•    Budgeting: Provide input into annual organizational budget planning and manage the execution of approved security department budget, for the technologies, contracts, and professional services required each year.

Key Competencies and Skills:

The Director of Information Security should possess a combination of technical expertise, leadership skills, business and industry knowledge, and soft skills to effectively manage the security function for our customer.

1.    Legal & Regulatory: Knowledge and strong understanding of relevant legal and regulatory requirements, such as Health Insurance Portability and Accountability Act (HIPAA), Service Organization Control (SOC) standards, NIST, and HITRUST.
2.    Security Management: Knowledge and experience in information security management frameworks, policy and procedure development, information security assessments, audits, threat and detection.
3.    Risk Management: Knowledge of risk analysis methodologies and how to apply them.
4.    Infrastructure: Strong working knowledge of virtual infrastructures to understand and identify cybersecurity threats and how to mitigate them.
5.    Controls: Knowledge of technology as it relates to privacy and security controls. 
6.    Balance: Knowledge of how to balance the needs of security with the workflow and needs of company employees, customers, and vendor partners.
7.    Strategic Thinking: The ability to align security efforts with the organization’s strategic goals and objectives.
8.    Staff Management: Inspire, motive, coach/mentor, and educate technical staff by being a catalyst for visionary technology, creative problem solving, solution oriented, implementation friendly, and team building.

Qualifications:

The successful candidate will possess the following education, experience and credentials:

Education
•    Bachelor’s Degree: A bachelor’s degree in a relevant field such as computer science, information technology, cybersecurity, informatics, or a related discipline is required.
•    Master’s Degree: A master’s degree in a similar relevant field is preferred.

Work Experience
•    Information Security Experience: Minimum of seven years of experience in information security, quality control, risk management, regulatory compliance, corporate compliance, healthcare compliance, privacy compliance or workplace safety compliance roles. Employment history must demonstrate increasing levels of responsibility.
•    Leadership Experience: At least 2 years of leadership and management experience, such as managing teams, leading projects, and/or providing strategic guidance.
•    Industry Experience: A minimum of 5 years’ experience in healthcare, HIE experience is a plus.

Certifications
•    Certification in one or more of the following is required: CISSP, CISA, CISM, CRISC or comparable. If not currently held, the candidate must successfully complete certification within the first year of employment.
•    All employees are expected to be certified in ITIL Foundations or commit to becoming certified within the first year of employment. This is a condition of employment.