Chief Information Security Officer

Engineering Remote - United States


Description

This position is for the Consensus entity being created as part of the initiative mentioned in this press release.

Reporting directly to the Chief Technology Officer of Consensus, the Chief Information Security Officer (CISO) will direct Information Security (InfoSec) and Governance, Risk, and Compliance (GRC) activities for our Consensus product offerings as well as all internal business systems.

The CISO must be capable of interacting effectively with C-level executives, members of the board of directors, clients, and prospects. The CISO must also possess a strong hands-on technical and security practitioner background and the ability to effectively collaborate with technical staff, understand governance, risk mitigation, and technical controls. As the leader of the information security program, the CISO establishes highly effective policies, corporate protocols and appropriate collaboration among teams.

Duties

  • Develop, manage and set the vision for the company’s Information Security Program
  • Recruit and manage the Information Security Team.
  • Manage the budget for Information Security.
  • Work with Executive Management to determine acceptable levels of risk for the company.
  • Review, revise, and maintain the Security Incident Response policy and procedure.
  • Oversee Security Incident responses.
  • Work with outside partners or consultants as required to meet independent security audit needs; manage outside security partners, stakeholders, vendors, and solutions providers working on security implementations.
  • Collaborate with departments to ensure proper security language is integrated in contracts.
  • Ensure that Information Security is adequately represented across all departments.
  • Lead compliance efforts consisting of HIPAA, HITRUST, PCI, SSAE 18 SOC 2 reporting, client audit response (for IT and Security items), and other compliance requirements.
  • Maintain awareness of Information Security industry trends, evaluate solutions and techniques, and remain aware of new and emerging threats.
  • Conduct presentations to and collaborate with company stakeholders to raise awareness of security risk management concerns.
  • Direct, oversee and manage the Information Security Team activities, including:
    • Creation of security architecture artifacts which reflect and support business, operational, technical, and compliance objectives.
    • Development and maintenance of organizational Security Architecture Plans and Designs.
    • Work with Engineering and Operations to implement and maintain secure coding and deployment practices, secure production environments, and implement systems to monitor and maintain the security of our products in development and production.
    • Establish a regular program to audit application architectures to ensure security standards are in force and effective.
    • Design and operate the data loss prevention program and systems for the company.
    • Prepare security product purchase proposals and implementation plans.
    • Review threat and vulnerability reports in a timely manner and create action plans to address the risks they identify.
    • Plan and execute vulnerability scans, penetration testing, and cyber-forensic activities for IT audits and incident responses; ensure the outcomes improve company security posture.
    • Review all vendors and partners, and conduct risk assessments against services proposed where sensitive data is used.
    • Conduct log management review activities.
    • Conduct regular vulnerability scans on systems across the organization and collaborate with departments to ensure systems are remediated and/or security controls set in place.
    • Create and deploy a security awareness training program and communicate best practices and risks to all parts of the business.
    • Oversee and contribute to the annual review and update of the Disaster Recovery and Business Continuity Plan.
    • Ensure compliance of the Information Security and Risk Management programs with all Regulatory, Contractual, Association, and Client requirements.
  • Other duties as assigned.

Qualifications/Requirements

  • Bachelor's degree in related field or equivalent combination of experience and education
  • CISSP, CISM, or other equivalent security certification required; CRISC, CISA, CISM preferred
  • 10+ years of progressive expertise in managing Corporate Security Programs, at least 5 of which were in a SaaS environment
  • 8+ years of progressive experience in managing Information Security team staffing, contracting, budgeting, vendors, and security programs and projects
  • 4+ years of Information Security management experience in a healthcare-related setting
  • Experience supporting successful HITRUST CSF certification audits.
  • Hands-on Technical Experience with Physical Security Systems, Telecommunications and Networks, Security Solutions (Firewalls, IDS/IPS, SIEM, Vulnerability Assessment Tools), Employee Security Training, Access Control Systems, Cryptography, and Secure SDLC Methodologies
  • Experience with modern software development practices, such as SDLC, Agile, SAFe, etc.
  • Proficient knowledge of common information security management frameworks, such as ICSUAM Section 8000, HITRUST CSF, ISO/IEC 27001, and NIST as well as requirements relating to SOX.
  • Working knowledge of state and federal information security, compliance, and privacy requirements, such as GDPR and CCPA.
  • Basic understanding of rules and laws governing public companies, including GLBA and SOX
  • Experience with FedRAMP security compliance preferred
  • Ability to interpret state and federal laws, company guidelines, and regulatory rules to determine how they apply to the company.
  • Ability to work with full confidentiality and a high level of personal integrity.
  • Excellent verbal and written communication skills, including the ability to draft and deliver technical reports, presentations, and correspondence.
  • Experience performing multifaceted projects in conjunction with normal activities.
  • Highly committed, innovative thought leader and team player.