Opening
Full Time 40 hours Range URG 121 University IT / IS
Spencer Stuart, a national executive recruiting firm, has been retained to support the search advisory committee. Spencer Stuart welcomes nominations or expressions of interest. If you wish to submit your own application materials or nominate someone for this position, please send an email message with supporting materials to: UR_CISO@SpencerStuart.com.
Schedule
8 AM-5 PM
Responsibilities
GENERAL PURPOSE:
The CISO will develop and deliver an iterative cyber strategy and program that balances the requirements of UR’s key stakeholder groups including the medical center and its affiliates, academic center, research enterprise, staff/faculty, and students. They will present their security strategy and state of the program routinely to the Boards of the University, Medical Center and Affiliates, as well as to senior leadership and to academic/clinical/research faculty. They will also manage the institution’s response to security threats and incidents in a unified manner and serve as the accountable leader for internal and external communications related to information security. Ultimately, the CISO will have a “customer-focused” approach to balancing technical, operational, and compliance-related priorities in a constantly evolving threat environment and regulatory landscape.
The position reports to the Vice President for IT/Chief Information Officer. This role is based in Rochester, New York, or will require travel to Rochester one week per month, with more frequent travel required upfront.
RESPONSIBILITIES:
- Balance the requirements, needs, and risks specific to core pillars of the University system consisting of academics, clinical care, and research, ensuring that all have equal support to accomplish their individual missions without introducing cyber-related risks to the greater system network.
- Deliver routine and impactful briefings to the audit and risk assessment committees of the University Trustees, the URMC Board, and Affiliate Boards.
- Strategically monitor and communicate to Boards and senior University leadership about relevant security trends, threats, vulnerabilities, and potential impacts in the academic, medical, and research environments.
- Collaborate with Academic Center, Research, and Medical Center (including Affiliates) leadership regarding the cybersecurity posture, vision, and strategy as well as articulating risk implications in light of changes within technology or cybersecurity.
- Assess the current state of the information security program and develop a long-term security road map with strategic solutions designed to evolve and continue to mature the cyber capability across the enterprise with an emphasis on iterative progress and change as opposed to “big bang” transformation.
- Identify information security priorities, potential threats, and system vulnerabilities while conducting regular and ongoing monitoring of organizational compliance with standards and policies, and recommend courses of action to key stakeholders.
- Lead efforts to identify technical, operational, or policy-related gap areas across the University environment and recommend and implement remediation measures in close partnership with technology and key stakeholders.
- Regularly evaluate short- and long-term goals and objectives to ensure compliance, support UR’s overall mission, and uphold a leading cybersecurity posture.
- Collaborate with key stakeholders including staff, faculty, and student populations to uphold the University’s information security culture, where the importance of security is understood and embraced across the organization.
- Incorporate aspects of AI governance to be effective across research, clinical, administration, and education, as well as provide security updates to the University system AI council.
- Evaluate cybersecurity frameworks to determine the best-fit protocol for the organization. Implement cyber protocol while educating stakeholders on the criticality of broad adoption of a cybersecurity program.
- Develop and manage operating and capital budgets for security programs that align with overall technology planning.
- Articulate for management risk and compliance committees (in collaboration with the University’s Enterprise Risk Management (ERM) Program) the latest risk trends and mitigation strategies across the broader information security industry, their potential impact on university systems as operational assets or liabilities, and how leadership should evaluate them.
- Manage overall HIPAA security compliance, including annual risk analysis, tracking, and remediation, working closely with the Chief Privacy Officer (CPO), with additional oversight of aspects of PCI, GDPR, FERPA, FDA, FISMA, and other applicable compliance requirements.
- Recruit, lead, and mentor a diverse and highly inclusive cybersecurity team.
Other duties as assigned.
QUALIFICATIONS:
Required:
- Bachelor’s degree in information systems or related disciplines.
- 10 years of information security leadership.
Preferred:
- Master’s degree in business, MIS, Cyber Security, or computer science.
- Progressive senior leadership experience in a multi-site academic health system, integrated academic delivery network, or other similarly complex/matrixed environment.
- Experience leading remote and/or hybrid teams of 30 or more.
- Strong knowledge of regulatory requirements including HIPAA, PCI, FERPA, GDPR.
- Strong leadership skills, analytical skills, planning and organizational skills, facilitation skills, and ability to deal with ambiguity.
- Excellent communication skills and a demonstrated ability to interface successfully at all levels, including senior leadership and the Board.
- Strong commitment to customer service.
- Identifies all necessary stakeholders and connects with them to gain support or agreement.
- Negotiates with a genuine give-and-take approach that takes all parties’ perspectives into account.
- Takes advantage of opportunities to build strategic relationships to achieve a specific outcome.
- Engages others in open dialogue and adapts own influence approach to different stakeholders in ways that address their interests or concerns.
- Anticipates emerging or potential conflicts among all stakeholders and takes steps to preempt them.
- Works with minimal direction toward predetermined long-range goals. Acts independently to determine methods and procedures on new or special assignments. Determines and pursues courses of action essential in obtaining desired results. Takes calculated risks.
- Sets and pursues high standards of excellence.
- Identifies and brings attention to needed changes.
- Encourages others to challenge existing ways of doing things and propose new approaches.
- Challenges assumptions about current approaches or practices (“the way things are done around here”).
- Willing to respectfully take a contrary or unpopular position on a specific change, despite others’ interests to keep things as they are.
- High level of problem-solving ability. Integrates and interprets data from diverse sources to find solutions to very complex problems.
- Identifies and acts on short-term opportunities, considering potential risks and benefits.
- Creates plans to achieve annual goals.
- Balances usability of information security solutions with security effectiveness.
- Considers potential consequences before making decisions or acting.
- Maintains a two-to-three-year roadmap or blueprint to continuously improve the University strategy.
- Identifies and prioritizes the most critical future factors to consider in making decisions.
- Makes plans to address changes or trends in the external landscape.
- CISSP, CISM, or CCISO.
The University of Rochester is committed to fostering, cultivating, and preserving a culture of equity, diversity, and inclusion to advance the University’s mission to Learn, Discover, Heal, Create – and Make the World Ever Better. In support of our values and those of our society, the University is committed to not discriminating on the basis of age, color, disability, ethnicity, gender identity or expression, genetic information, marital status, military/veteran status, national origin, race, religion/creed, sex, sexual orientation, citizenship status, or any other status protected by law. This commitment extends to the administration of our policies, admissions, employment, access, and recruitment of candidates from underrepresented populations, veterans, and persons with disabilities consistent with these values and government contractor Affirmative Action obligations.
How To Apply
All applicants must apply online.
EOE Minorities/Females/Protected Veterans/Disabled
Pay Range
Pay Range: $300,000 - $375,000 Annually
The referenced pay range represents the minimum and maximum compensation for this job. Individual annual salaries/hourly rates will be set within the job’s compensation range, and will be determined by considering factors including, but not limited to, market data, education, experience, qualifications, expertise of the individual, and internal equity considerations.