This function operates as a business line Security Officer within the broader CareFirst organization. The function establishes and executes a cybersecurity strategy to enable the business while ensuring the confidentiality, integrity, and availability of the company's information assets and related technology from cyber threats. The function must proactively work with all key stakeholders to develop a security roadmap with supporting principles, practices, and controls to enable the business vision while ensuring the protection of the technical environment. It is accountable for ensuring compliance and the successful assessment of compliance against all cybersecurity aspects of applicable regulations and contracts and must be able to represent the security program and state of security across a wide range of stakeholders including, but not limited to, the workforce, customers, auditors, regulators, executive management, and the board.
This function is also responsible for leading the business lines Audit, Risk, & Compliance team. The function is responsible for identifying and mitigating risks; managing controls and safeguards to minimize the impact of potential and existing risks affecting the organization; providing governance over operational risk assessments; ensuring compliance with laws, regulations, and organization frameworks; providing a mechanism for capturing the dynamic nature of risks; and overseeing internal/external audits and effectuating remediation of issues identified.
ESSENTIAL FUNCTIONS:
• Manage the ongoing compliance, assessment, and maturity of the cybersecurity program against relevant security frameworks (e.g., NIST, HiTRUST, PCI, etc.), contracts, and regulations. Conduct/support assessments/audits by producing evidence of the security posture successfully meeting audit/assessment/maturity targets. Where gaps exist, identify, and execute remediation/continuous improvement plans.
• Proactively communicate with internal and external stakeholders on importance of cybersecurity, their role in securing the company, and relevant risks. Ensure that the workforce and extended partners have the appropriate training, education, awareness, and tools to securely perform their functions and understand the necessity of the relevant controls.
• Oversee the risk framework, including identifying risks, evaluating frequency, severity, and mitigation strategies. Define, measure, and monitor risks and related risk metrics impactful to the business and their associated mitigation, acceptance, transference, and avoidance. Establish risk appetite for the business ensure risk decisions, including alignment of strategic goals and objectives, are executed in consideration of the impact on the business risk profile and appetite.
• Oversee internal and external audits to ensure they are completed in a timely manner and identified issues are remediated to satisfy audit closeout as well as for long term business success.
• Oversee the development and implementation of sound business practices to ensure compliance with policies, contractual requirements, and regulatory, federal, and state laws and mandates.
• Oversees the strategic and the day-to-day activities of the functions, including directing, coaching, and guiding associates to implement departmental, divisional, and organizational mission/goals. Recruits, retains, and develops a high performing team. Evaluates performance of each team member, generates development plans and sets goals within the context of the corporate policies and procedures. Develops annual goals, and prepares, monitors, and analyzes variances of departmental budgets to control and appropriately allocate resources.
SUPERVISORY RESPONSIBILITY:
This position manages people.
QUALIFICATIONS:
Education Level: Bachelor's Degree in Computer Science, Information Technology, or related field OR in lieu of a Bachelor's degree, an additional 4 years of relevant work experience is required in addition to the required work experience.
Experience:
• 8 years Related professional experience.
• 3 years Management experience.
Preferred Qualifications:
• Master's degree
Knowledge, Skills and Abilities (KSAs)
• Ability to multitask and manage multiple IT vendor relationships.
• Ability to lead and work as part of a team.
• Ability to execute technology and tool automation processes.
• Deep knowledge of risk treatment and mitigation strategies.
• Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity.
• Thorough understanding of cyber threats and vulnerabilities.
• Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence. Must be able to effectively communicate and provide positive customer service to every internal and external customer, including customers who may be demanding or otherwise challenging.