Director of Security and Risk
Title: Director of Security and Risk
Salary Commensurate with Experience / Posted Thru: 5-8-22
Location: Remote/Virtual - Michigan Residency Required
Purpose: Responsible for the development, implementation, coordination and oversight of security strategies, policies, procedures, systems, processes, and ongoing delivery of proactive security programs designed to protect MPHI employees, visitors, products, data, and operations. Provides functional expertise on matters related to security risks, protection of sensitive information and alignment of operations with compliance and regulatory criteria. Responsible for overseeing and delivering security systems policies, processes and procedures aligned with SOC 2 and NIST 800-53 standards.
Functions as the organization’s Security Officer and provides leadership and vision to implement sound business management and information security technologies. Proactively works with business units to implement practices that meet or exceed SOC and NIST standards for information security.
Actively participates as a member of the MPHI Security team as a hands-on servant leader. Also participates with the IT Leadership Team representing enterprise-wide technology interests.
Duties and Responsibilities
- Develops, implements, and monitors a strategic, comprehensive enterprise information security and IT risk management program, aligned with SOC 2 and the NIST 800-53 Moderate baseline, to ensure the integrity, confidentiality, and availability of all information owned, controlled, or processed by the organization.
- Manages the enterprise's information security organization, consisting of security analysts and indirect reports, such as individuals in business continuity and IT operations.
- Develops, maintains, and publishes up-to-date information security policies, standards, and guidelines. Oversees the approval, training, and dissemination of security policies and practices.
- Creates and manages information security and risk management awareness training programs for all employees, contractors, and approved system users.
- Develops and manages information security budgets and monitors them for variances.
- Works with the business units to implement, test and continuously improve the organization’s Risk Program.
- Oversees annual IT and business risk assessments and risk management processes, and works with stakeholders throughout the enterprise to identify acceptable levels of residual risk.
- Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
- Develops and enhances an information security management framework based on ISO standards used by MPHI.
- Provides strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
- Works with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
- Ensures that security programs are in compliance with SOC 2, NIST 800-53, relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
- Defines and facilitates the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
- Manages security incidents and events to protect corporate IT assets, including intellectual property, regulated data, and the company's reputation.
- Monitors the external threat environment for emerging threats and advises relevant stakeholders on the appropriate courses of action.
- Develops and oversees effective disaster recovery policies and standards to align with enterprise business continuity management program goals.
- Coordinates the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provides direction, support, and in-house consulting in these areas.
- Always represents the best interest of MPHI.
- Other duties as assigned.
Education: Bachelor’s degree or comparable combination of education/certification and work experience required.
Experience: Position requires five (5) years of management experience and ten (10) years of IT experience. Position requires in-depth knowledge of security and risk management processes and procedures; strong communication and interpersonal skills, including a demonstrated ability to identify and build relationships with key stakeholders at all levels within the organization; and the ability to manage multiple complex assignments and priorities simultaneously while meeting deadlines. Experience in or exposure to public health, government, or non-profit organizations is desirable. Knowledge of SOC 2, the NIST 800 series, and related security frameworks is highly desirable.
Important Skills and Characteristics:
- Appropriate business, technical, and domain knowledge.
- Team and project management skills with a bias towards action and collaborative results.
- Interpersonal skills, e.g., the ability to work across functional lines and at many levels, and to effectively negotiate and facilitate solutions in a team environment.
- Effective oral and written communication skills (a writing sample may be requested).
- Proficiency in Microsoft Office—Excel, PowerPoint, Outlook, Word, and Visio (tests in one or more products may be administered).
- Exposure to Microsoft Project or equivalent (desirable) or the demonstrated ability to learn quickly.
- Exposure to Microsoft SharePoint (desirable) or the demonstrated ability to learn quickly.
Work Environment and Physical Requirements: MPHI is a standard office environment. May require viewing a CRT or VDT screen 25% to 75% of the time. May require a valid vehicle operator’s license. May require moderate physical effort, including lifting materials and equipment up to 50 pounds. May require communication after hours or on weekends in response to physical security alarms, IT issues, etc.
RESPONSIBILITY FOR THE WORK OF OTHERS: Supervise, hire, discipline and conduct the performance review of support staff, or make effective recommendations for their hire, discipline, and performance review.
IMPACT ON PROJECTS, SERVICES AND OPERATIONS: This position is responsible for aligning security initiatives and operational processes with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected. This will include performing security reviews of IT projects, and leading Security Incident Response functions. This position also has occasional access to confidential data and a breach in confidentiality could be harmful to MPHI. Honesty, confidentiality, and accuracy are extremely important in this position.
MPHI works with you to promote health for everyone. Together, we will build a world where tomorrow is healthier than today!
MPHI is an EEO/AA employer that participates in E-Verify.