Director, Information Security (Governance)
HeartFlow, Inc. is dedicated to making our products and technologies as secure as possible. Reporting to the VP, Chief Information Security Officer, the Director, Information Security (Governance) is a critical leadership role responsible for leading the Information Security Governance team. The successful candidate will be responsible for owning, defining, and delivering infrastructure security governance across the Information Security department. Responsibilities include but are not limited to assisting in external and internal audits, ensuring overall adherence to policy standards, overseeing the Security Awareness program and facilitating the highest level of compliance through assessment, remediation and escalation as necessary.
This role will lead and directly assist a small team that will provide: Business Unit Information Security Liaison / Communication, Security Review and Exception Management, Policy and Procedure Management, Framework and Regulatory Security Certification, and Training and Awareness.
The work effort includes assisting the VP, CISO with the development of the overall security program strategy, budget and expense management, outreach and communication, training, policies, tools that define the campus security program and risk analysis, and security team oversight and supervision. Candidate must be a proven team leader and team builder, and have experience facilitating strong and effective IT Security teams.
Provide leadership and oversight to a Business Information Security Analyst (“BISA”) who will:
- Monitor and advise on information security issues related to the systems and workflow to ensure internal security controls are appropriate and operating as intended within the business units
- Support response to information security incidents for the respective business units
- Develop and publish business-focused Information Security policies, procedures, standards and guidelines based on knowledge of best practices and regulatory compliance requirements and ensure integration into Enterprise Information Security policy
- Conduct business-related data classification assessment and security audits and manage remediation plans
- Create, manage and maintain user security awareness for specific business units
- Coordinate and execute IT security policy, awareness training, security compliance, vulnerability and workflow/procedural remediation for specific business units
- Prepare Information Security documentation, including department policies and procedures, company Infosec notifications, web content (for awareness training, etc.), and alerts
- Develop and maintain the full lifecycle (creation, modification, retirement) of security policies, standards and procedures to enhance the overall posture of Information Security
Provide leadership and oversight to a Senior Information Security Analyst (Reviews/Exceptions) who will:
- Evaluate requests for exception to established security policies, guidelines and standards. Document all approved exceptions and review on a recurring basis for continued necessity
- Perform information security reviews of vendor software, solutions and services to assess the risk imposed and the level of compliance with regulatory requirements (HIPAA, PCI, etc.) and with department policies, guidelines and standards
- Document all approved reviews and audit on a recurring basis for continued necessity
Provide leadership and oversight to a Senior Information Security Analyst (Certification) who will:
- Mitigate to completion identified gaps for required certifications (ISO 27001, HIPAA, HITRUST, etc.), attestations (e.g. SOC 2 Type 2) and frameworks (NIST 800-53), including but not limited to documentation and controls
- Conduct recurring internal audits and assessments of security controls and documentation in anticipation of re-certification and determining readiness to achieve new certifications
- Clearly identify, communicate and document any deficiencies in a timely manner that still allows HFI to complete its attestation and certification goals on or before agreed-upon deadlines
- Provide report of controls mapped across multiple frameworks for visibility into defense mechanism strengths and gaps
Leadership and Management
- Develop, train and mentor members of the Information Security Governance team; grow their technical and professional capabilities and skill sets
- Define and manage a set of interconnected processes
- Define clear roles and responsibilities and establish accountability and measure and report on operational effectiveness and efficiency; set goals and measure performance
- Communicate regularly and clearly to a wide variety of technical and non-technical audiences
- Develop vision and strategy for a team.
- Resolve disputes within the team and across the larger functional teams
- Perform other duties as assigned
- 7+ years of demonstrated experience and a track record of successfully attracting, retaining and leading teams with multiple core competencies
- Strong analytical and problem-solving skills. Ability to effectively adapt to rapidly changing technology and apply it to business needs.
- Strong knowledge and understanding of business needs.
- Solid project management skills, especially in a cross-functional environment.
- Strong team-oriented interpersonal and communication skills; ability to present technical information in a way that establishes rapport, persuades others and gains understanding.
- Ability to effectively interface with a wide variety of audiences, up to executive management.
- Knowledge of common attack methodologies and common types of security vulnerabilities
- Proficiency in the use of manual and automated techniques for scanning, vulnerability, and penetration testing of networks, applications, operating systems, databases, and email systems
- Effective communication and presentation skills with demonstrated ability to prepare documentation and presentations for technical and non-technical audiences.
- Excellent written and verbal communication skills, interpersonal and collaborative skills
- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity
- Self-starter, positive attitude, ability to work independently, enjoys learning and staying current with industry developments, regulations and best practices.
- Experience dealing with all levels of management and across different teams, including managing conflicts
About HeartFlow, Inc.:
HeartFlow, Inc. is a medical technology company redefining the way heart disease is diagnosed and treated. Our non-invasive HeartFlow FFRct Analysis leverages deep learning to create a personalized 3D model of the heart. By using this model, clinicians can better evaluate the impact a blockage has on blood flow and determine the best treatment for patients. Our technology is reflective of our Silicon Valley roots and incorporates decades of scientific evidence with the latest advances in artificial intelligence. The HeartFlow FFRct Analysis is commercially available in the United States, Canada, Europe and Japan. For more information, visit www.heartflow.com.
HeartFlow, Inc. is an Equal Opportunity Employer. This company does not and will not discriminate in employment and personnel practices based on race, sex, age, handicap, religion, national origin or any other basis prohibited by applicable law. Hiring, transferring and promotion practices are performed without regard to the above listed items.