Director, Cyber Risk & Compliance
symplr

Overview
The Director, Cyber Risk & Compliance is an individual with solid understanding and experience in information security, IT governance, data privacy, cybersecurity risk assessment, compliance, business requirements, customer service, and revenue operation. This person will collaborate with the business and other teams to prioritize and manage security initiatives, drive project plans, create new processes, and mature existing workflows. This role will oversee the Cyber Risk & Compliance (CRC) and Customer Security divisions within the Information Security department; risk assessments, process and control improvements, third-party risk management process, develop policies and procedures, deliver training and awareness, implement supporting system workflows, monitor adherence using pre-defined metrics based on corporate controls frameworks, and engage with clients to assist the organization to achieve its objectives with pre and post sales activities.
Duties & Responsibilities

• Under the guidance of organization's CISO, the Director's primary role will be to establish a world-class Cyber Risk & Compliance program that will contribute significantly to safeguarding the company and its brand.
• Develop, consolidate, enhance, and operationalize enterprise-level security, risk and privacy policies, processes and controls to mitigate risk and comply with applicable laws and regulations.
• Partner with appropriate business teams including but not limited to security teams to develop and execute appropriate audit process(es) based on best practices and customers' requests. Partner with Sales to advance the organization's RFP system regarding customers' security requests.
• Lead the effort to identify, track, monitor and report on privacy controls and all applicable Data Privacy requirements.
• Serve as the escalation point to engage with clients to assist the organization to achieve its objectives with pre and post sales activities (e.g., explain our security program, support external audits, support bids RFP process, etc.).
• Partner with the team to provide vision and guidelines with applicable regulations and cybersecurity frameworks (e.g., HIPAA, PCI DSS, NIST 800).
• Develop and use Key Risk Indicators (KRIs) to drive program adherence and deliver on overall program performance.
• Monitor compliance to Information Security policy and practices and develop processes to follow up on non-adherence (ex. Exception process).
• Partner with primary stakeholders (business, operations, technology, risk, audit, compliance, legal) to align with strategic vision and goals.
• Assist with internal and external audit process(es) for relevant compliance matters, including but not limited to SOC2, HIPAA, HITRUST, etc.
• Collaborate to develop and implement appropriate policies, procedures, and reporting metrics to ensure the security controls and compliance requirements are met.
• Oversee the designing, deploying, and maintaining organization's GRC platform.
• Help lead and define organization's overall third-party risk management efforts.
• Assisting in designing, testing, and executing the company's security incident response and BC/DR plans.
• Participate in internal and external security audits and risk analysis to identify weaknesses, assess the effectiveness of existing controls, and recommend remedial actions.
• Stay current and up to date with latest security news, threats, and applicable regulations.
• Work individually and in a team environment. Multitask and use time efficiently to meet project/task deadlines in a fast-paced environment.
• Provide recommendations to stakeholders when appropriate.
• Other duties as assigned.

Skills Required

• Ability to develop and/or modify policies and procedures in compliance with relevant regulatory requirements and management objectives
• Understanding of IP networking, data centers, IT systems, applications, and databases
• High level of personal integrity and ability to professionally handle confidential matters
• Capable of acting calmly and managing incidents under high pressure and stress
• Capable of multitasking in a fast paced, multifaceted environment
• Ability to work well with customers, peers, and management
• Demonstrated organizational, facilitation, presentation, and project management skills with excellent written and verbal communication skills at all levels
• Proficient with Microsoft Office Suite and Office365 (i.e., Teams, SharePoint)

Qualifications Required:

• University degree in Information Security, Computer Science, Computer Engineering, Information Technology (or equivalent of education and work experience)
• Minimum of 5+ years of experience in Information Security, IT Assurance, Privacy, GRC and/or IT Risk Management
• Minimum of 3+ years of people management and leadership experience
• At least one of the following certifications: CISM, CISA, CRISC, CGEIT (or similar)
• Proven HITRUST experience; both technical and management of the process throughout the certification lifecycle
• Strong understanding of data privacy regulations (i.e., HIPAA, CCPA, GDPR, etc.)
• Proven technical experience in governance, risk management, and compliance within the cybersecurity realm
• Demonstrated technical skills in conducting gap analysis regarding baseline security standards
• Demonstrated experience and knowledge of relevant regulatory requirements, such as The U.S. Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standards (PCI DSS)
• Strong understanding of Information Security control frameworks (i.e., NIST 800-53, COBIT, ISO 27001/2, etc.), SOC 1 and SOC 2, and applicable laws and regulations
• Experience completing and managing Third Party Information Security Assessments
• Experience in utilizing, managing, and maintaining a commercially available GRC platform

Preferred Qualifications:

• Previous experience in healthcare IT / SaaS vendor
• Previous working experience in healthcare environments
• Knowledge and experience in information security and privacy laws, general electronic health information access, release of information, and release control technologies
• PMP or similar certifications are a plus

MinUSD $140,000.00/Yr. MaxUSD $160,000.00/Yr.

---