University of Rochester, Chief Information Security Officer

Confidential Employer | Rochester, NY

Posted Date 7/10/2024

The University of Rochester (UR) seeks to recruit a Chief Information Security Officer (CISO) who will lead cybersecurity for the University, including University of Rochester Medical Center (URMC) and its Affiliates. The CISO will set the strategy for cybersecurity in a complex, matrixed environment with a diverse constituency of stakeholder groups with varying degrees of cybersecurity maturity. The CISO must therefore communicate and collaborate effectively with the UR community to recognize differing needs and viewpoints related to security, while ensuring compliance with government, healthcare, University, and other policies and laws related to information security.

The CISO will develop and deliver an iterative cyber strategy and program that balances the requirements of UR’s key stakeholder groups including the medical center and its affiliates, academic center, research enterprise, staff/faculty, and students. They will present their security strategy and state of the program routinely to the Boards of the University, Medical Center and Affiliates, as well as to senior leadership and to academic/clinical/research faculty. They will also manage the institution’s response to security threats and incidents in a unified manner and serve as the accountable leader for internal and external communications related to information security. Ultimately, the CISO will have a “customer-focused” approach to balancing technical, operational, and compliance-related priorities in a constantly evolving threat environment and regulatory landscape.

The position reports to the Vice President for IT/Chief Information Officer. This role is based in Rochester, New York, or will require travel to Rochester one week per month, with more frequent travel required initially.

Reports to: Julie Myers, VP of IT and Chief Information Officer

Direct reports:
A team of ~60 FTE, including:
-Director of Operations
-Director, Identity and Access Management
-Four Business Unit Information Security Officers

Other key relationships:
General Counsel
Chief Audit Officer
Chief Privacy Officer
Chief Information Officer, URMC
Chief Technology Officer, University of Rochester
Chief Technology Officer, URMC

-Balance the requirements, needs, and risks specific to core pillars of the University system consisting of academics, clinical care, and research, ensuring that all have equal support to accomplish their individual missions without introducing cyber-related risks to the greater system network.
-Deliver routine and impactful briefings to the audit and risk assessment committees of the University Trustees, the URMC Board, and Affiliate Boards.
-Strategically monitor and communicate to Boards and senior University leadership about relevant security trends, threats, vulnerabilities, and potential impacts in the academic, medical, and research environments.
-Collaborate with Academic Center, Research, and Medical Center (including Affiliates) leadership regarding the cybersecurity posture, vision, and strategy as well as articulating risk implications in light of changes within technology or cybersecurity.
-Assess the current state of the information security program and develop a long-term security road map with strategic solutions designed to evolve and continue to mature the cyber capability across the enterprise with an emphasis on iterative progress and change as opposed to “big bang” transformation.
-Identify information security priorities, potential threats, and system vulnerabilities while conducting regular and ongoing monitoring of organizational compliance with standards and policies, and recommend courses of action to key stakeholders.
-Lead efforts to identify technical, operational, or policy-related gap areas across the University environment and recommend and implement remediation measures in close partnership with technology and key stakeholders.
-Regularly evaluate short- and long-term goals and objectives to ensure compliance, support UR’s overall mission, and uphold a leading cybersecurity posture.
-Collaborate with key stakeholders including staff, faculty, and student populations to uphold the University’s information security culture, where the importance of security is understood and embraced across the organization.
-Incorporate aspects of AI governance to be effective across research, clinical, administration, and education, as well as provide security updates to the University system AI council.
-Evaluate cybersecurity frameworks to determine the best-fit protocol for the organization. Implement cyber protocol while educating stakeholders on the criticality of broad adoption of a cybersecurity program.
-Develop and manage operating and capital budgets for security programs that align with overall technology planning.
-Articulate for management risk and compliance committees (in collaboration with the University’s Enterprise Risk Management (ERM) Program) the latest risk trends and mitigation strategies across the broader information security industry and their potential impact on university systems, whether as operational assets or liabilities, and how leadership should evaluate them.
-Manage overall HIPAA security compliance, including annual risk analysis, tracking, and remediation, working closely with the Chief Privacy Officer (CPO), with additional oversight of aspects of PCI, GDPR, FERPA, FDA, FISMA, and other applicable compliance requirements.
-Recruit, lead, and mentor a diverse and highly inclusive cybersecurity team.

-A security posture that successfully and flexibly supports the diverse needs of UR’s stakeholders, each with their own appetite for information security.
-Compliance with all applicable state, federal, and international information security requirements.
-A collaborative and transparent relationship with the University, Medical Center and Affiliates, clinical, research, staff/faculty, students, and Boards, whereby the CISO keeps stakeholders abreast with regular, clear communication on the status of cybersecurity.
-Education programs that support an engaged and cyber-aware population.
-Resiliency supported by processes, technology, and policies that keep the University and affiliates secure, but more importantly allow the University to quickly recover and restore any affected program in the event of cyberattack.
-The delivery of a proactive and forward-looking strategy and road map to continuously mature the cybersecurity program, with metrics to measure progress over time.

Salary Range
-The base salary range for this position is $300,000-375,000, with final determination of compensation made after consideration of qualifications and experience.

For Candidates:
-The University of Rochester is being assisted in this process by Spencer Stuart and welcomes nominations or expressions of interest. If you wish to submit your own application materials or nominate someone to serve as the next Associate Vice President, Chief Information Security Officer for the University of Rochester, please send an email message with supporting materials to:

The University of Rochester is committed to fostering, cultivating, and preserving a culture of equity, diversity, and inclusion to advance the University’s mission to Learn, Discover, Heal, Create – and Make the World Ever Better.

In support of our values and those of our society, the University is committed to not discriminating on the basis of age, color, disability, ethnicity, gender identity or expression, genetic information, marital status, military/veteran status, national origin, race, religion/creed, sex, sexual orientation, citizenship status, or any other status protected by law. This commitment extends to non-discrimination in the administration of our policies, admissions, employment, access, and recruitment of candidates from underrepresented populations, veterans, and persons with disabilities consistent with these values and government contractor Affirmative Action obligations.

-Relevant regulatory knowledge: Strong knowledge of regulatory requirements including HIPAA, PCI, FERPA, and GDPR is preferred.
-10 years of information security leadership: Preferably progressive senior leadership experience in a multi-site, academic health system, integrated academic delivery network, or other similarly complex/matrixed environments.
-Experience leading teams of 30 or more.
-Experience leading remote and/or hybrid teams is preferred.
-Successful implementation of cybersecurity programs or frameworks, including NIST SP 800, NIST CSF, and HITRUST.

-Certifications: CISSP, CISM, or CCISO are preferred.
-Bachelor’s degree in information systems or a related discipline; Master’s degree in business, MIS, cybersecurity, or computer science preferred.

Collaborating and Influencing
-Strong leadership skills, analytical skills, planning and organizational skills, facilitation skills, and ability to deal with ambiguity.
-Excellent communication skills, demonstrated ability to successfully interface at all levels, including leadership and Board-level.
-Strong commitment to customer service.
-Identifies all necessary stakeholders and connects with them to gain support or agreement.
-Negotiates with a genuine give-and-take approach that takes all parties’ perspectives into account.
-Takes advantage of opportunities to build strategic relationships to achieve a specific outcome.
-Engages others in open dialogue and adapts own influence approach to different stakeholders in ways that address their interests or concerns.
-Anticipates emerging or potential conflicts among all stakeholders and takes steps to preempt them.

Leading Change
-Works with minimal direction toward predetermined long-range goals. Acts independently to determine methods and procedures on new or special assignments. Determines and pursues courses of action essential in obtaining desired results. Takes calculated risks.
-Sets and pursues high standards of excellence.
-Identifies and brings attention to needed changes.
-Encourages others to challenge existing ways of doing things and propose new approaches.
-Challenges assumptions about current approaches or practices (“the way things are done around here”).
-Willing to respectfully take a contrary or unpopular position on a specific change, despite others’ interests to keep things as they are.

Strategic Thinking
-High level of problem-solving ability. Integrates and interprets data from diverse sources to find solutions to very complex problems.
-Identifies and acts on short-term opportunities, considering potential risks and benefits.
-Creates plans to achieve annual goals.
-Balances usability of information security solutions with security effectiveness.
-Considers potential consequences before making decisions or acting.
-Maintains a two-to-three-year roadmap or blueprint to continuously improve the University strategy.
-Identifies and prioritizes the most critical future factors to consider in making decisions.
-Makes plans to address changes or trends in the external landscape.

Salary: $300,000.00 - $375,000.00 Annual
Employment Type
Full Time