Note: The job is a remote job and is open to candidates in USA. The Ohio State University is a prominent educational institution, and they are seeking a Chief Information Security Officer for the Wexner Medical Center. This role involves leading security initiatives, risk management, and compliance efforts to protect healthcare data and ensure a secure operational environment.
Responsibilities
- Develop, champion, and execute a visionary, comprehensive, multi-year information security strategy and roadmap across all mission areas of WMC, leveraging the University Security Framework
- Work in collaboration with University CISO to align on common standards, controls and practices, ensuring a cohesive security posture where systems, services and missions overlap. Oversee the development, enforcement and auditing of security policies, procedures, and standards for the health system
- Oversee Security Risk Assessments (SRAs) and vulnerability management across clinical, research, administrative, and third-party environments for the Health System. Develop and prioritize risk mitigation and remediation strategies. Coordinate with the University CISO on a streamlined risk assessment process for technologies that impact both the Medical Center and the University. Report on the WMC’s cybersecurity risk appetite in partnership with executive leadership and proactively manage and report on the overall cyber risk posture, translating technical exposure into clear business impact to the C-suite and the board through established reporting under the university CISO
- Ensure stringent adherence to all applicable laws and regulations, including but not limited to HIPAA/HITECH, 21 CFR Part 11, PCI DSS, state data privacy laws, and security mandates for research data and grant funding (e.g., CUI). Serves as the Security Officer to oversee implementation of HIPAA security regulations and to provide ongoing compliance monitoring and education on security
- Establish and lead emerging technology governance frameworks for AI, cloud, automation, and other next-generation technologies, ensuring alignment with risk management, cybersecurity strategy, regulatory requirements, and business objectives
- Provide executive oversight of the Third-Party Risk Management program, ensuring vendor risks are assessed, governed, and aligned with enterprise security and compliance requirements. Oversee assessing and mitigating the security risks posed by vendors, business associates, and supply chain partners in alignment with university standards and frameworks where possible
- Provide executive oversight and strategic direction for enterprise Business Continuity and Disaster Recovery (BC/DR) programs, ensuring governance, resilience, regulatory compliance, and alignment with organizational risk management objectives to maintain and restore mission-critical operations during disruptionsin alignment with university standards and frameworks where possible
- Oversee the day-to-day operations of the information security function, including threat intelligence, security monitoring, Security Information and Event Management (SIEM), and vulnerability management across on-premise, cloud, and hybrid environments in alignment with university standards and tools where possible
- Own the Computer Security Incident Response and Reporting (CSIRR) function, leading the coordination, containment, investigation, and recovery efforts for all security incidents and breaches, and fulfilling regulatory breach notification requirements
- Provide authoritative security consultation for the design and implementation of new systems (including EHR systems, clinical IoT, and cloud services) and review of existing systems, promoting security-by-design principles
- Oversee the IT Access Management function, including the alignment to advanced Identity and Access Management (IAM) and Privileged Access Management (PAM) strategies consistent with a Zero Trust model established by the University CISO
- Collaborate directly and continuously with the University CISO, CIDO, and other executive and departmental leaders to align security initiatives with broad institutional and clinical goals
- Lead, manage, mentor, and coach a diverse, high-performing team of information security professionals, fostering a culture of continuous learning, accountability, and excellence
- Advise Health Systems senior leadership on security risks and strategy. Drive a mandatory, ongoing security education and awareness program for all Health Systems faculty, staff, researchers, and students to effectively reduce the "human element" risk in a decentralized academic environment
- Serve as the visible, articulate internal and external champion for information security, possessing the ability to engage diverse stakeholders—from technical staff and researchers to clinicians
Skills
- Minimum of 12 years of experience in information security, with at least five years in a significant leadership role
- Baccalaureate degree or higher in information systems or related degree
- Demonstrated experience in a large, complex organization, preferably within an academic medical center, or healthcare system
- Proven track record of developing and implementing a successful, enterprise-level information security program
- Strong business acumen to enable technology's impact to support secure business objectives
- Demonstrated ability to build relationships, collaborate, and lead through influence across a decentralized enterprise
- Excellent communication, negotiation, and interpersonal skills with the ability to articulate complex security concepts to technical and non-technical audiences
- Strong knowledge of relevant legal and regulatory requirements (e.g., HIPAA)
- Deep expertise in information security principles, practices, and technologies
- Proven ability to manage security implications of rapid innovation in clinical care, biomedical research, and education, including cloud computing, telehealth, and AI/ML
- Professional security management certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or an equivalent, is highly desirable
Company Overview