Vice President, Information Security and Compliance
Job ID 11957223 | Location: Atlanta, Georgia | Position Type: Full-Time
Save lives. Fulfill yours.
At the American Cancer Society, saving lives is our mission. We achieve our mission by drawing on our humanity. Humanity made up of courage, determination, innovation, passion, empathy, and caring. These are the values that give us the advantage over cancer.
Our work is important. And so are the people doing it. The people who work at the American Cancer Society focus their diverse talents on our singular mission: to end the pain and suffering of cancer. It is a calling. And the people who answer it are fulfilled. We value our employees and nearly 2 million volunteers around the globe that have stood with us through the years, and we will not rest until the fight is won. And that day is drawing nearer.
The VP, Information Security and Compliance leads a team of technical professionals and is responsible for the identification, development, implementation, and management of the organization’s information security, risk, and compliance strategies and programs. This individual is responsible for evaluating the effectiveness of existing systems, while directing the administration of security policies, activities, and standards surrounding the mitigation of information risk and cybersecurity threats.
This position requires a visionary leader with sound knowledge of business management and deep knowledge of information security technologies. A key element of the VP of Information Security and Compliance’s role is working with executive management to determine acceptable levels of risk for the organization. He or she must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode.
The ideal candidate is a thought leader, a consensus builder, and an integrator of people and processes. While the VP of Information Security and Compliance is the leader of his or her area, they must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and strong understanding that security is just one of the organization’s activities.
The position also includes the roles of HIPAA “Security Official” and GDPR “Data Protection Official”; the knowledge, skills, and abilities required for those roles are instrumental for success.
• Participate as a member of the IT Leadership Team in governance processes of the organization’s security & compliance strategies.
• Provide regular updates to board committees on the risk register, the state of information security, and the mitigation of cybersecurity threats within the Society.
• Assist with the design and implementation of disaster recovery and business continuity plans, procedures, audits and enhancements.
• Manage and administer all computer security systems and their corresponding or associated software, including firewalls, intrusion detection systems and anti-virus/malware software.
• Develop, implement, maintain and oversee enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry-standard best practices.
• Effectively manage, monitor and take action to ensure coordination and effectiveness of all Information Risk and Threat Management components and activities and decide on issues requiring escalation.
• Work closely with corporate compliance, internal audit, legal and talent strategy to develop holistic approaches to ACS’ security and compliance needs.
• Ensure continued regulatory compliance as HIPAA Business Associate, PCI-DSS, GDPR and other future regulatory requirements.
• Participate in and/or lead incident response and crisis management program.
• Perform remediation, exception and risk acceptance efforts across the range of risk findings associated with diverse stakeholders across the enterprise.
• Collaborate with other IT Leadership to ensure alignment between the security and enterprise architectures.
• Promote a data protection culture within the organization.
• Inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
• Monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
• Provide advice where requested as regards to a data protection impact assessment and monitor its performance;
• Act as the contact point for the GDPR supervisory authority and data subjects on issues relating to processing and to consult, where appropriate, with regard to any other matter.
• Work closely with the Privacy Official to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and act as a liaison to the information systems and compliance departments.
• Collaborate with organization senior management, the Privacy Official, and other corporate groups to establish governance for the security program.
• Participate in the development, implementation, and ongoing compliance monitoring of all BAs and business associate agreements, to ensure security concerns, requirements, and responsibilities are addressed.
• Assist Privacy Official as needed with breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
• Partner with Human Resources and the Privacy Official to ensure consistent sanctions for security violations.
• Maintain current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
• Bachelor’s degree in Information Systems, Computer Science, or 15 years minimum equivalent experience. Master’s Degree in Computer Science, Information Systems or Business a plus.
• 10+ years of experience in a lead role or managing an information security or compliance function.
• Possession of industry certifications, which should include CISSP, MCSE, CCIE, CISA, etc.
• PCI-DSS audit experience is important. Lead auditor or primary audit respondent, or current / former PCI QSA.
• Demonstrated knowledge of recognized IT audit-related standards and regulations.
• Demonstrated knowledge of recognized IT process, security and quality frameworks such as SANS Top 20, NIST, COBIT, COSO, ISO 27000, ITIL.
• Proven history of developing and maintaining long-term relationships with client organizations.
• Proven ability to manage both people and processes to meet client and company objectives.
• Demonstrated desire to build a team that will learn client businesses. Ability to motivate and drive a team and process.
• Expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR.
• Knowledge of HIPAA, state and federal guidelines on privacy, transactions and security.
Demonstrates Leadership Competencies: Builds effective teams, Collaborates, Courage, Drives engagement, Ensures accountability, Manages ambiguity, Manages complexity, Strategic mindset
• Be an independent self-starter and have the ability to multi-task and work with minimal supervision.
• Must be a team player and dedicated to team goals.
• Good communication and time management skills.
• Ability to work under tight time constraints and deadlines.
• Willing to share knowledge and provide technical guidance.
• Excellent interpersonal skills, including the ability to work well with all levels of both internal IT and client staff.
• Critical decision-making ability and experience.
• Ability to identify problems and resolve collaboratively with internal teams and vendor partners.
• Strong customer service behavior and continuous quality improvement orientation.
• Ability to maintain a high level of confidentiality.
• Strong written and verbal communication skills as well as solid analytical skills.
• Excellent project management skills; ability to manage large-scale, multi-faceted projects.
• Excellent conflict management skills. Consistent follow-through and time management skills.
• Excellent knowledge of all customer support areas.
• Ensure change management workflow is followed.
• Be able to communicate clearly with internal customers to understand their needs and provide status updates.
• Have a fundamental understanding of the underlying technologies for the environments you will be managing.
• Be able to present complex and technical concepts to a non-technical audience.
Specialized Training or Knowledge:
• Proficient in advanced security controls: Data Loss Prevention (DLP), Vulnerability Scanning, IDS / IPS, Firewall, SIEM, Network Behavior, etc.
• Active Directory
• “Cloud Technologies” including: public, private, hosted services
• Network protocols and concepts, including IPX, NetBEUI/NetBIOS, TCP/IP, DHCP, DNS, WINS, Ethernet, MPLS, T1s, DSL, DOCSIS, and other Internet-based technologies (required).
• Best practices in Cloud Security Models and operations.
SPECIAL MENTAL OR PHYSICAL DEMANDS:
• Must be able to balance multiple priorities
• Must be able to work under pressure
• May be required to work long or irregular hours
• Travel is required
We are committed to providing staff with fulfilling opportunities to learn, grow and make an impact in their local communities. We offer staff a generous paid time off policy; medical, dental and retirement benefits, and professional development programs to enhance staff skills.
Equal Opportunity Employer.
See our commitment to a policy of Equal Employment Opportunity to continually ensure equal opportunity to our employees and to our applicants.