VP, Information Security (Security Officer)

Kansas City, MO, United States


Company Description

As a leader in Medicare health insurance distribution, Spring Venture Group guides people through one of their most important life decisions — finding the right insurance coverage. We are on a mission to be the most trusted partner for our customers and our people, enabling empowered decisions along the journey to health and financial well-being.


Spring Venture Group offers incredible culture, benefits, and fantastic income potential in a stable and successful work environment at a Medicare agency. This starts with a workplace that empowers people to do their best work. Come build a rewarding career and make a meaningful impact on people's lives in an environment that values your determination. Join our diverse, inclusive team and get ready to crush your goals!

Job Description

The VP, Information Security (Security Officer) provides a variety of operational, compliance, and consultative functions. This role is responsible for managing the delivery of information security systems, software and services, and for the continuous development and oversight of the company’s information security program, policies, procedures and technical systems in order to maintain the confidentiality, integrity and availability of all organizational information. This role will also work across IT and business department boundaries and fulfill a senior leadership role to drive cybersecurity operations initiatives such as enterprise-wide security programs and compliance, incident management, security awareness and training, security monitoring, vulnerability management, identity and access management, endpoint security, network security, security architecture and application security, as well as HITRUST compliance.

The essential duties for this role include, but are not limited to: 

  • Holds the position of HIPAA Security Officer under 45 CFR 164.308 (https://www.law.cornell.edu/cfr/text/45/164.308). 

  • Work closely with all leaders to achieve the overall security goals of the organization. Additionally, will coordinate with the Privacy Officer, as necessary.

  • Mature the information security vision and strategy and lead the information security function across the company for SVG in a manner that supports business imperatives and enables organizational objectives.

  • Engage with various stakeholders as part of the information security program, to ensure the consistent application of policies and standards across all technology projects, systems, and services, including customer contractual requirements, privacy, risk management, compliance, and business continuity management.

  • Manage a cost-efficient information security organization, consisting of direct reports and dotted line staff members. This includes hiring, training, staff development, performance management, vendor management, and annual performance reviews.

  • Handle the 3rd party risk management function, evaluating vendors on their capabilities related to privacy, security, business continuity, and disaster recovery.

  • Responsible for managing the delivery of information security systems, software and services and is responsible for the continuous development and oversight of the company’s information security program, policies, procedures and technical systems in order to maintain the confidentiality, integrity and availability of all organizational information.

  • Responsible for assessing security plans for existing vulnerabilities, prioritizing security strategies to best cover strategically important data, analyzing reports generated by threat monitoring systems, and running tests where potential issues are anticipated.

  • Helps lead the company in maintaining its HIPAA & HITRUST certifications, working with external auditors to address findings and maintain compliance.

  • Mature the incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event, providing leadership, direction, support, and in-house consulting in these areas.

  • Engage with business units to conduct or manage periodic risk assessments to identify vulnerabilities, threat vectors, impact, and probability. Devise effective ways to mitigate those threats in alignment with the company's risk appetite/tolerance.

  • Performs reviews on major initiatives, projects, and changes to determine the information security impact and provide relevant guidance and recommendations related to security requirements.

  • Create a risk-based process for the assessment and mitigation of any information security risk related to vendors, contractors, and any other third parties.

  • Oversees the incident response program, working with internal and external parties to identify, classify, and handle incidents appropriately to protect corporate assets, intellectual property, and the company's reputation.

  • Develop and oversee effective disaster recovery policies and standards to align with the enterprise business continuity program (BCP) goals.

  • Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.

  • Responsible for ensuring that the risk to the organization’s information posed by cyber breaches or threats is minimized; reviewing, analyzing and recommending secure solutions that implement information security policy and standards; and ensuring that, if cyber-attacks occur or data is compromised or stolen, these incidents are dealt with promptly and effectively.

  • Oversee, implement and monitor the security requirements levied by Federal and State Rules and Regulations. Accurately communicate pertinent information to relevant departments and individuals.

  • Develop and direct implementation of security standards and best practices for the organization. Develop appropriate policies, standards, guidelines, and procedures for information security systems.

  • Manage and configure physical security, disaster recovery and data backup systems.

  • Create and manage a targeted information security awareness training program for all employees, and establish metrics to measure the effectiveness of this security training program for the intended audiences.

  • Assist in the development and implementation of quality improvement efforts. Recommend, implement, and oversee technological upgrades, improvements, and major changes to the information security environment.

  • Align/realign resources to projects based on current organization priorities.

  • Develop data-driven reporting and security metrics to manage and report on the health of the cybersecurity and data governance programs, ensure that the security team has a proper understanding of the current and relevant KPIs, and measure the successes and failures of projects.

  • Provide engineers and analysts support with resolving challenging technical problems.

  • Monitor the organization’s networks for security breaches and investigate violations when they occur; Review breaches in compliance and remediate deficiencies. 

  • Perform additional responsibilities as assigned. 

Qualifications

  • Bachelor's degree in Computer Science, or a related technical field, or equivalent practical experience

  • 5+ years of people leadership experience

  • 3+ years of information security work

  • Demonstrated successful project management expertise

  • In-depth expertise overseeing HIPAA & HITRUST Security & Compliance Frameworks

  • Sound knowledge of business management, information security risk management, and cybersecurity technologies

  • Budgetary and financial management, proven ability to derive and manage an annual budget based on prioritized security initiatives and spending in line with appropriate risk management and financial methodologies.

  • An intelligent, articulate, and persuasive leader who can serve as an effective member of the senior management team with an ability to communicate security-related concepts to a broad range of technical and non-technical staff.

  • Self-starter with the ability to manage multiple concurrent projects with strong analytical, organizational, time management, and oral/written communication skills.

  • Poise and ability to act calmly and competently in high-pressure, high-stress situations

  • Must be a critical thinker, with strong problem-solving skills

  • Demonstrated success working with data encryption, VPNs, traffic filtering and application security.

  • Experience with TCP/IP networking

  • Experience in cloud environments, e.g. AWS, Azure, GCP

  • One or more related certifications completed or in process (e.g. ISC2, ISACA, SANS GIAC, CompTIA, ITIL, etc.)

  • CISSP or CISM strongly preferred

Additional Information

Benefits:

The Company offers the following benefits for this position, subject to applicable eligibility requirements:

  • Competitive Compensation
  • Medical, Dental and vision benefits after a short waiting period
  • 401(k) matching program
  • Life Insurance, and Short-term and Long-term Disability Insurance
  • Optional enrollment includes HSA/FSA, AD&D, Spousal/Dependent Life Insurance, Travel Assist and Legal Plan
  • Generous paid time off (PTO) program starting off at 15 days your first year
  • 15 paid Holidays (includes holiday break between Christmas and New Year's)
  • 10 days of Paid Parental Leave and 5 days of Paid Birth Recovery Leave
  • Annual Volunteer Time Off (VTO) and a donation matching program
  • Employee Assistance Program (EAP) - health and well-being on and off the job
  • Rewards and Recognition
  • Diverse, inclusive and welcoming culture
  • Training program and ongoing support throughout your Spring Venture Group career

Security Responsibilities:

  • Operating in alignment with policies and standards
  • Reporting Security Incidents
  • Completing assigned training
  • Protecting assigned organizational assets

Spring Venture Group is an Equal Opportunity Employer


Tags: Application security AWS Azure CISM CISSP Cloud Compliance CompTIA Computer Science Encryption Endpoint security GCP GIAC Governance HIPAA HITRUST IAM Incident response ISACA ITIL KPIs Monitoring Network security Privacy Risk assessment Risk management SANS Strategy TCP/IP Vendor management VPN Vulnerabilities Vulnerability management

Perks/benefits: Career development Competitive pay Flex vacation Health care Insurance Medical leave Parental leave Travel

Region: North America
Country: United States
