- Bachelor’s degree in Business Administration, Computer Science, Information Technology, Engineering or equivalent professional experience.
- CISSP, CISM, CISA, or similar industry certifications.
- Appropriate certification in risk management and/or health care compliance.
- 4 years' experience as a CISO, or in an equivalent position, at a medium-sized organization.
- Five to 10 years' progressive experience in health information security management, health information management, information systems and/or health risk management is required.
- Experience in driving change in security functions within multiple organizations.
- Experience working with IT security guidelines and requirements outlined by, or driven by, HIPAA, PCI-DSS, FedRAMP, SOX, GLBA, etc.
- Experience with contract and vendor negotiations.
- Executive-level written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
- Poise and ability to act calmly and competently in high-pressure, high-stress situations.
- Must be a critical thinker, with strong problem-solving skills.
- Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
- Fire and Safety Certification. If no card upon hire, one must be obtained within 30 days of hire, and maintained by renewal before expiration date.
Reporting to Keck Medical Center of USC's Chief Technology Officer, the Chief Information Security Officer (CISO) is responsible for establishing and maintaining Keck Medical Center of USC's (KMC) enterprise-wide, global security management program for the purpose of protecting its information and technical assets. This position is responsible for identifying, evaluating, and reporting on security risks; aligning the security posture of the organization in a manner that supports effective protection of information assets; and managing and executing security controls in support of KMC's and USC's compliance and regulatory requirements.

This CISO position requires a visionary leader with knowledge of business management and a working global knowledge of information security technologies. The CISO will proactively work with KMC's operating units and stakeholders to implement practices that meet defined policies and standards for information security. A key element of the CISO's role is working with senior staff and management across the medical center to determine acceptable levels of risk for the organization and to drive security into business processes throughout KMC.

The ideal candidate for this role will be a strong influencer, consensus builder, and an integrator of people, processes, and technology in a world-class university setting. While the CISO is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of KMC's activities. Ultimately, the CISO is a business leader, and should have a track record of competency in the field of information security or risk management, with eight or more years of relevant security experience, including three or more years in a significant leadership role.
ESSENTIAL DUTIES AND RESPONSIBILITIES

Program Leadership
- Responsible for the strategic leadership of Keck Medical Center of USC's information security program.
- Responsible for the creation and maintenance of the organization's Security Roadmap and its execution.
- Work with leadership to oversee the formation and operations of KMC's information security organization.
- Promote collaborative, empowered working environments across campus, removing barriers and realizing possibilities.
- Lead information security planning processes to establish an inclusive and comprehensive information security program for the entire institution in support of academic, research, and administrative information systems and technology.
- Establish annual and long-range security and compliance goals; define security strategies, metrics, reporting mechanisms and program services; and create maturity models and a roadmap for continual program improvements.
- Stay abreast of information security issues and regulatory changes affecting higher education at the state and national level, participate in national policy and practice discussions, and communicate to campus on a regular basis about those topics. Engage in professional development to maintain continual growth in the professional skills and knowledge essential to the position.
- Represent the security interests of KMC on committees and boards associated with the Institution's System and in national and regional consortiums and collaborations.
- Develop, implement and monitor a global strategic, comprehensive enterprise information security and risk management program to ensure the integrity, confidentiality, and availability of information that is owned, controlled, or processed by the organization.
- Manage the enterprise's information security organization, consisting of direct and indirect reports. This includes hiring, training, staff development, performance management and annual performance reviews.
- Develop security organization talent, engaging and managing third parties as needed to ensure the required capabilities are available either internally or externally.
- Facilitate information security governance through the implementation of a collaborative governance program.
- Provide regular reporting on the current status of the security program to the risk management department, senior leadership, and the Board of Trustees as part of a strategic enterprise risk management program.
- Create a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection.
- Develop and implement an information security management framework that aligns with USC's research and academic business/operating model, our risk profile, and our existing compliance initiatives and efforts.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.

Policy, Compliance and Audit
- Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
- Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for Keck Medical Center of USC's information and technology systems.
- Work with Internal Audit, the State Board of Regents, the Auditor General's Office and outside consultants as appropriate on required security assessments and audits.
- Coordinate and track all information technology and security related audits, including scope of audits, colleges/units involved, timelines, auditing agencies and outcomes. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on audit responses.
- Work with leadership and the relevant compliance department leadership to build cohesive security and compliance programs for the organization to effectively address state and federal statutory and regulatory requirements.
- Develop a strategy for dealing with the increasing number of audits, compliance checks and external assessment processes for internal/external auditors, PCI, ITAR, HIPAA, and FISMA.
- Work with our compliance team to ensure that security and privacy programs comply with relevant laws, regulations, and policies to minimize or eliminate risk and audit findings.
- Define and facilitate the global information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.

Risk Management and Response
- Keep abreast of security incidents and act as the primary control point during significant information security incidents. Convene a Security Incident Response Team (SIRT) as needed, or as requested, to address and investigate security incidents that arise.
- Convene an Ad Hoc Security Committee as appropriate and provide leadership for breach response and notification actions for Keck Medical Center of USC.
- Develop, implement and administer technical security standards, as well as a suite of security services and tools to address and mitigate security risk.
- Provide leadership, direction and guidance in assessing and evaluating information security risks, and monitor compliance with security standards and appropriate policies.
- Examine the impacts of new technologies on the Institution's overall information security. Establish processes to review the implementation of new technologies to ensure security compliance.
- Work directly with the business units to facilitate security risk assessment and risk management processes, and work with stakeholders throughout USC on identifying acceptable levels of residual risk.
- Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data, and USC's reputation.

Outreach, Education and Training
- Work closely with IT leaders, technical experts, deans and administrative leaders across campus on a wide variety of security issues that require an in-depth understanding of the IT environment in their units, as well as the research landscape and federal regulations that pertain to their unit's research areas.
- Create education and awareness programs and advise operating units at all levels on security issues, best practices, and vulnerabilities.
- Work with campus groups such as Network Managers and Information Security Liaisons, and technical organizations such as University Information Technology Services, to build awareness and a sense of common purpose around security.
- Pursue student security initiatives to address unique needs in protecting against identity theft, securing mobile and social media use, and managing online reputation.
- Develop, maintain, and publish up-to-date information security policies, standards, and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
- Create and manage information security and risk management awareness training programs for all employees, contractors, and approved system users.