Associate VP and Chief Information Security Officer
Position Type | Staff
---|---
Requisition Number | S20192910
Position Title | Associate VP and Chief Information Security Officer
Department | Chief Information Officer - D384
Job Status | Full-time
Recruitment Range | Salary commensurate with experience
E-class Code | 30 - FT Staff Salaried
Pay Grade | 32
Special Instructions to Applicants |
Open Until Filled | No
Job Category |
Academic Discipline |
Position Classification Title | Associate Vice President
Job Summary

The AVP and CISO will report directly to the Vice President, CIO and Chief Innovation Officer. The AVP and CISO will work closely with executive leadership, various stakeholders, and members of the Saint Louis University community to be an advocate for the University's information security needs in order to improve the security posture of the organization.

The Associate Vice President and Chief Information Security Officer (CISO) is responsible for overseeing the enterprise-wide information security program for the purpose of protecting Saint Louis University and SLUCare Physician Group's customer information as well as technical assets. This position is responsible for identifying, evaluating and reporting on security risks, aligning the security posture of the University in a manner that supports effective protection of information assets, and managing and executing security controls in support of Saint Louis University's compliance and regulatory requirements. The AVP and CISO oversees the creation and maintenance of information security policy, leads security risk assessment efforts, and owns the organization's cyber awareness and training programs.

This position requires a visionary leader with knowledge of business management and a working knowledge of information security technologies. The AVP and CISO will proactively work with various stakeholders across the organization to implement practices that meet defined policies and standards for information security. The ideal candidate for this role will be a consensus builder and an integrator of people, processes, and technology in a diverse environment that covers health care, research, and academics. While the AVP and CISO is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is an enabler of organizational goals and activities.

The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities across the University.
Knowledge, Skills, Abilities, and Personal Characteristics

Experienced, polished, consensus-building, and persuasive leader who can serve as an effective member of the IT senior management team and communicate information security-related concepts to a broad range of technical and non-technical staff.
Minimum Qualifications

BA or BS in Computer Science, Information Management, or a related field, or equivalent experience (advanced degree preferred), supplemented with five (5) years of leadership experience, ten (10) years of progressive experience in information risk or information security, including experience with internet technology and security issues, and seven (7) years of experience working with IT security guidelines and requirements as outlined by or driven by HIPAA, PCI-DSS, GLBA, etc.
Job Duties

- Develops, implements and monitors a comprehensive enterprise information security program to ensure the integrity, confidentiality and availability of information that is owned, controlled or processed by the organization.
- Manages the enterprise's information security organization, consisting of direct reports and indirect reports. This includes hiring, training, staff development, performance management and annual performance reviews.
- Develops security organization talent, engaging and managing third parties as needed to ensure the required capabilities are available either internally or externally.
- Facilitates information security governance through the implementation of a hierarchical governance program. Develops, maintains and publishes up-to-date information security policies, standards and guidelines. Oversees the approval, training, and dissemination of security policies and practices.
- Aligns with the Office of the General Counsel to communicate published security policies, standards and guidelines; partners with executive stakeholders on key initiatives and implements appropriate security practices; works directly with the major stakeholders to facilitate security risk assessment processes; aligns with stakeholders throughout the enterprise on identifying acceptable levels of mitigated or residual risk; provides regular reporting on the current status of the security program to Executive Leadership and the Board of Directors; aligns with the IT architecture teams to ensure inclusion of security requirements during the design, implementation, and maintenance of applications and systems; aligns with the Office of the General Counsel to ensure that security and privacy programs are in compliance with relevant laws, regulations and policies to minimize or eliminate risk and audit findings; works with Internal Audit and outside consultants as appropriate on required security audits.
- Develops and manages information security budgets; creates and manages information security awareness training programs for all employees, contractors and approved system users.
- Creates a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection; develops and implements an information security management framework that aligns with our organization, our risk profile, and our existing compliance initiatives and efforts.
- Provides strategic information security guidance for organizational initiatives, including the evaluation and recommendation of technical security controls.
- Investigates security breaches, providing updates to all stakeholders on source and mitigation actions; defines and facilitates the information security risk assessment process, including the reporting and oversight of findings and remediation strategies; manages security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the organization's reputation; monitors and understands potential threats, vulnerabilities, and control techniques affecting the organization, and advises relevant stakeholders on the appropriate courses of action; partners with external agencies, such as law enforcement, government agencies and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture; coordinates the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
- Facilitates a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitates appropriate resource allocation, aligns the program to emerging threats, and increases the maturity of the information security program.