Sys SVP Chief Information Security Officer

CommonSpirit Health was formed by the alignment of Catholic Health Initiatives (CHI) and Dignity Health. With more than 700 care sites across the U.S. from clinics and hospitals to home-based care and virtual care services CommonSpirit is accessible to nearly one out of every four U.S. residents. Our world needs compassion like never before. Our communities need caring and our families need protection. With our combined resources CommonSpirit is committed to building healthy communities advocating for those who are poor and vulnerable and innovating how and where healing can happen both inside our hospitals and out in the community.

The Chief Information Security Officer (CISO) is a seasoned executive responsible for establishing and maintaining a robust information security program within a complex healthcare environment. The CISO serves as a strategic partner to the executive leadership team, aligning security initiatives with business objectives while mitigating risk and ensuring regulatory compliance. This individual possesses a unique blend of technical expertise, business acumen, and leadership skills to navigate the evolving threat landscape and protect the organizations critical information and assets.

STRATEGIC LEADERSHIP:

● Develop, implement, and champion a comprehensive information security strategy that aligns with the organization’s overall business goals, risk appetite, and regulatory requirements.
● Provide strategic guidance to the executive leadership team on information security matters, emerging threats, and industry best practices.
● Foster a culture of security awareness and accountability throughout the organization, promoting education, training,and continuous improvement. 

RISK MANAGEMENT AND COMPLIANCE:
● Modify and maintain a robust risk management framework to identify, assess, and mitigate information security risks across the enterprise.
● Ensure compliance with relevant regulations and industry standards, such as HIPAA, HITECH, CIS 18, NIST Cybersecurity Framework, and PCI DSS.
● Oversee regular security audits, risk assessments, and penetration tests to identify vulnerabilities and track remediation efforts.
● Evaluate and manage third-party vendors and partners to ensure they meet the organization’s security standards and contractual obligations.

● Conduct regular security assessments of third-party vendors and implement appropriate risk mitigation strategies.

SECURITY ARCHITECTURE, OPERATIONS AND ENGINEERING:
● Partner with the business and other I.T. organizations to drive coherent end to end architectures that feature security as “built-in” rather than “bolted-on.”
● Verify the implementation and management of security technologies and controls, including intrusion detection and prevention systems, firewalls, endpoint protection, data loss prevention, and identity and access management solutions.
● Verify the operation of all security controls and cultivate a “bias for action and recovery” while maintaining cyber safety during outages.

INCIDENT RESPONSE, DIGITAL FORENSICS, AND RECOVERY:
● Regularly evaluate and maintain incident response and disaster recovery plans to minimize the impact of security breaches and ensure business continuity.
● Lead the investigation and resolution of security incidents, coordinating with internal and external stakeholders, including law enforcement and regulatory agencies, as needed.

TEAM MANAGEMENT AND COLLABORATION:
● Build and lead a high-performing information security team, providing mentorship, coaching, and professional development opportunities.
● Collaborate effectively with IT, legal, compliance, privacy, and other departments to achieve security objectives and foster a shared responsibility for information security.
● Manage security budgets and resource allocation, ensuring optimal utilization and return on investment.

EMERGING TECHNOLOGIES AND INNOVATION:
● Stay abreast of emerging technologies, cyber threats, and industry trends to proactively identify and address potential risks.
● Evaluate and recommend innovative security solutions to enhance the organization’s security posture.

ADDITIONAL CONSIDERATIONS:
● This position requires a high level of confidentiality, integrity, and ethical conduct.
● The CISO may be required to work outside of normal business hours in response to security incidents or other urgent matters.
● Travel may be required for a variety of business purposes.
● The CISO serves as a role model for the

REQUIRED EDUCATION AND EXPERIENCE:

●Minimum of fifteen (15) years of cybersecurity experience. Minimum of ten (10) years related management/leadership experience.
●Bachelors degree in Information Technology, Computer Science, Engineering, or a related discipline required (or an equivalent combination of education and/or experience). Master’s degree preferred.

REQUIRED LICENSURE AND CERTIFICATIONS:

●Certified Information Systems Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), CertifiedRecords Manager (CRM), Certified Information Privacy Professional (CIPP)

REQUIRED MIINIMUM KNOWLEDGE, SKILLS, ABILITIES AND TRAINING:

● Experience administering information security programs including risk assessments and forensic research, designing security architectures, developing policies, gathering metrics, and reporting status
● Experience in maintaining operational computer and network security, firewall administration, virus protection, intrusion detection and prevention, identity and access management, application security, automated security patching, and vulnerability scanning systems.
● Ability to translate technical cybersecurity issues/concerns into potential business implications that are meaningful to executive leadership
● Understanding and application of advanced principles and best practices of system security design, development, analysis, and testing
● Proven success working in a regulated environment within a highly matrixed organization while establishing strong cross-functional relationships

COMPETENCIES:

● Exceptional communication and interpersonal skills, with the ability to effectively interact with and influence all levels of the organization, including the board of directors.
● Strong analytical, problem-solving, and decision-making skills, with a focus on data-driven insights.
● Business acumen and financial literacy, with the ability to translate security risks into business impact and articulate the value of security investments.
● Deep understanding of the healthcare industry and its unique regulatory, operational, and technological challenges.
● Ability to stay calm and focused under pressure, particularly during security incidents or crises.

Benefits Include: Benefits include Medical, Dental, Vision, Paid Time Off, Holidays, Retirement Program, Disability Plans, Tuition Reimbursement, Adoption Assistance, Employee Assistance Program (EAP), Discount Programs, Life Insurance Plans, Worker Compensation, Dress for Your Day Policy, Voluntary Benefits.

Position is eligible for incentive pay based on company performance.