Manager, Cybersecurity - IT Security - Full Time

United States

Guthrie

Guthrie is dedicated to providing high-quality and accessible health care that meets the needs of the entire family in NY and PA.


What You’ll Do

As a member of the Information Security and Risk Management leadership team, the Manager, Cybersecurity will lead the design and operations of two service lines: the Information Security Governance, Risk and Controls program and the Identity and Access Governance program. This role will provide leadership and technical expertise in identifying existing, new and emerging threats, analyzing the risk of these threats, determining risk impact severity for inclusion in the cyber risk register and managing the prioritization of cyber risk treatment. This role will consult and collaborate with senior leadership, IT and clinical staff and other non-IT departments including Compliance, Legal, Insurance, Finance and third-party stakeholders to conduct cyber risk analysis, assess the business impact of cyber risks and make actionable recommendations to reduce cyber risk.

Cyber Risk Management Delivery

  • Evaluate and gain advanced understanding of the Guthrie Clinic's business, clinical and IT processes, and the internal controls managing cyber risk over these processes
  • Create and maintain a 3-year service line strategic roadmap to continue to mature the Cybersecurity Governance, Risk Management and Control, and Identity and Access governance programs
  • Apply deep working knowledge of, and lead, a cybersecurity governance and risk program based on the NIST Cybersecurity Framework and/or the HITRUST Common Security Framework (CSF)
  • Lead the completion of the annual HIPAA Security risk assessment and HITRUST CSF assessments and annual cyber risk maturity assessment
  • Lead the participation and completion of industry benchmark cyber risk surveys and studies (EPIC, CENSINET, etc.)
  • Identify threats and business activities that introduce cyber risk to the Guthrie Clinic operations including patient care delivery and revenue
  • Conduct quantitative and qualitative risk assessments to inform cyber risk treatment and control investments
  • Produce purposeful cyber risk analysis, reports and actionable metrics and effectively articulate the findings to both technical and non-technical audiences
  • Measure and report metrics and risk treatment recommendations to the CISO, CDO, CPO and other senior leaders
  • Collaborate with risk owners on risk treatment strategies
  • Manage and oversee the supplier cyber risk management processes
  • Manage and ensure security assessments are conducted to reduce cyber risk for various projects within the organization
  • Manage the review of issues and policy exceptions to ensure cyber risk is being managed appropriately
  • Author and update information security policies, standards, and procedures related to IT, information security and cyber risk management
  • Facilitate the use of technology and process to review, design and implement user identity and access governance services, providing a strong program that balances patient care, cyber risk reduction and compliance requirements
  • Ensure timely and appropriate provisioning of user Active Directory and Epic non-provider records
  • Lead an annual user access review
  • Identify the broader impact of current decisions related to user access to streamline Identity and Access Management (IAM) processes across the organization
  • Evaluate and implement tools and processes to help automate and simplify existing IAM workflows
  • Participate, as needed, in critical incidents and implementation reviews
  • Actively participate in and present at industry groups and committees (Health-ISAC, B-SIDES, HSCC, etc.)

Professional

  • Keep abreast of the latest applicable industry information security and privacy laws and regulations; ensure internal information security policies meet applicable laws and regulations
  • Serve as a resource for change enablement by embracing change and championing innovative ideas/opportunities
  • Develop business partnerships to build and increase buy-in across multiple lines of business and functions. Establish effective relationships with Technology and Information Security personnel, program and project managers, and other business partners
  • Prioritize and manage own and team's workload to deliver quality results and meet timelines
  • Support a positive work environment that promotes service to the business, patient safety, quality, innovation, and teamwork.
  • Ensure timely communication of issues/ points of interest.
  • Identify and recommend opportunities to enhance productivity, effectiveness, and operational efficiency of the business unit and/or team.
  • Facilitate cross departmental meetings effectively with prepared agendas and clear next steps to move toward implementation, completion, or resolution of projects or issues.
  • Establish and/or strengthen disciplines, standard operating routines, and employee performance objectives to achieve desired business outcomes and key results
  • Lead cross training activities within team to ensure backup/on-call support is available

What You’ll Need

  • Bachelor’s degree in information systems, cybersecurity or related field
  • Minimum seven (7) years of professional work experience
  • Minimum three (3) years managing people and leading teams
  • Experience within Information Security, Risk, Compliance, Audit and Information Technology
  • Experience with Governance Risk and Compliance (GRC) and Identity and Access management systems
  • Experience with the FAIR methodology
  • Certified in Factor Analysis of Information Risk (FAIR) and Certified in Risk and Information Systems Control (CRISC) desired, but not required
  • EPIC Electronic Medical Record System certification desired
  • One or more professional cybersecurity certifications such as: CISSP, CISA, CRISC, etc.
  • Continually increase knowledge and expertise by keeping current with trends/developments, regulatory changes, and obtaining additional training and/or certifications
  • Excellent written and verbal communication skills in English to support security programs. Must be able to provide formal reports and presentations as required
  • High attention to detail and the ability to prioritize work to successfully deliver outcomes
  • Proficient with Microsoft Office Suite (Word, Excel, PowerPoint, SharePoint etc.)

Joining the Guthrie team allows you to become a part of a tradition of excellence in health care. In all areas and at all levels of Guthrie, you’ll find staff members who have committed themselves to serving the community.

The Guthrie Clinic is an Equal Opportunity Employer.

The Guthrie Clinic is a non-profit, integrated, practicing physician-led organization in the Twin Tiers of New York and Pennsylvania. Our multi-specialty group practice of more than 500 physicians and 302 advanced practice providers offers 47 specialties through a regional office network providing primary and specialty care in 22 communities. Guthrie Medical Education Programs include General Surgery, Internal Medicine, Emergency Medicine, Family Medicine, Anesthesiology and Orthopedic Surgery Residency, as well as Cardiovascular, Gastroenterology and Pulmonary Critical Care Fellowship programs. Guthrie is also a clinical campus for the Geisinger Commonwealth School of Medicine.

Category: Leadership Jobs

Tags: Active Directory CISA CISO CISSP Compliance CRISC Finance Governance HIPAA HITRUST IAM NIST Privacy Risk analysis Risk assessment Risk management Security assessment SharePoint

Region: North America
Country: United States
