Manager, Cybersecurity (Governance, Risk & Controls)- ...
Guthrie - Sayre, PA
Job Description

What You'll Do

As a member of the Information Security and Risk Management leadership team, the Manager, Cybersecurity will lead the design and operations of two service lines: the Information Security Governance, Risk and Controls program and the Identity and Access Governance program. This role provides leadership and technical expertise in identifying existing, new and emerging threats, analyzing the risk those threats pose, determining risk impact severity for inclusion in the cyber risk register, and managing the prioritization of cyber risk treatment. The role consults and collaborates with senior leadership, IT and clinical staff, other non-IT departments (including Compliance, Legal, Insurance and Finance) and third-party stakeholders to conduct cyber risk analysis, assess the business impact of cyber risks, and make actionable recommendations to reduce cyber risk.

Cyber Risk Management Delivery

- Evaluate and gain an advanced understanding of The Guthrie Clinic's business, clinical and IT processes, and of the internal controls that manage cyber risk over those processes
- Create and maintain a 3-year service line strategic roadmap to continue maturing the Cybersecurity Governance, Risk Management and Control program and the Identity and Access Governance program
- Apply deep working knowledge of, and lead, a cybersecurity governance and risk program based on the NIST Cybersecurity Framework and/or the HITRUST Common Security Framework (CSF)
- Lead the completion of the annual HIPAA Security risk assessment, HITRUST CSF assessments, and the annual cyber risk maturity assessment
- Lead participation in and completion of industry benchmark cyber risk surveys and studies (EPIC, CENSINET, etc.)
- Identify threats and business activities that introduce cyber risk to Guthrie Clinic operations, including patient care delivery and revenue
- Conduct quantitative and qualitative risk assessments to inform cyber risk treatment and control investments
- Produce purposeful cyber risk analysis, reports and actionable metrics, and effectively articulate the findings to both technical and non-technical audiences
- Measure and report metrics and risk treatment recommendations to the CISO, CDO, CPO and other senior leaders
- Collaborate with risk owners on risk treatment strategies
- Manage and oversee the supplier cyber risk management process
- Manage and ensure that security assessments are conducted for projects across the organization to reduce cyber risk
- Manage the review of issues and policy exceptions to ensure cyber risk is being managed appropriately
- Author and update information security policies, standards and procedures related to IT, information security and cyber risk management
- Facilitate the use of technology and process to review, design and implement user identity and access governance services, providing a strong program that balances patient care, cyber risk reduction and compliance requirements
- Responsible for timely and appropriate provisioning of user Active Directory accounts and Epic non-provider records
- Lead an annual user access review
- Identify the broader impact of current decisions about user access in order to streamline Identity and Access Management (IAM) processes across the organization
- Evaluate and implement tools and processes that automate and simplify existing IAM workflows
- Participate, as needed, in critical incidents and implementation reviews
- Actively participate in and present at industry groups and committees (Health-ISAC, B-SIDES, HSCC, etc.)

Professional

- Keep abreast of the latest applicable industry information security and privacy laws and regulations; ensure internal information security policies meet applicable laws and regulations
- Serve as a resource for change enablement by embracing change and championing innovative ideas and opportunities
- Develop business partnerships to build and increase buy-in across multiple lines of business and functions
- Establish effective relationships with Technology and Information Security personnel, program and project managers, and other business partners
- Prioritize and manage own and team's workload to deliver quality results and meet timelines
- Support a positive work environment that promotes service to the business, patient safety, quality, innovation and teamwork
- Ensure timely communication of issues and points of interest
- Identify and recommend opportunities to enhance the productivity, effectiveness and operational efficiency of the business unit and/or team
- Facilitate cross-departmental meetings effectively, with prepared agendas and clear next steps toward implementation, completion or resolution of projects or issues
- Establish and/or strengthen disciplines, standard operating routines and employee performance objectives to achieve desired business outcomes and key results
- Lead cross-training activities within the team to ensure backup/on-call support is available

What You'll Need

- Bachelor's degree in information systems, cybersecurity or a related field
- Minimum seven (7) years of professional work experience
- Minimum three (3) years managing people and leading teams
- Experience within Information Security, Risk, Compliance, Audit and Information Technology
- Experience with Governance, Risk and Compliance (GRC) and Identity and Access Management systems
- Experience with the FAIR methodology
- Certified in Factor Analysis of Information Risk (FAIR) and Certified in Risk and Information Systems Control (CRISC) desired, but not required
- EPIC Electronic Medical Record System certification desired
- One or more professional cybersecurity certifications such as CISSP, CISA, CRISC, etc.
- Continually increase knowledge and expertise by keeping current with trends, developments and regulatory changes, and by obtaining additional training and/or certifications
- Excellent written and verbal communication skills in English to support security programs; must be able to provide formal reports and presentations as required
- High attention to detail and the ability to prioritize work to successfully deliver outcomes
- Proficient with Microsoft Office Suite (Word, Excel, PowerPoint, SharePoint, etc.)

About Us

Joining the Guthrie team allows you to become a part of a tradition of excellence in health care. In all areas and at all levels of Guthrie, you'll find staff members who have committed themselves to serving the community.

The Guthrie Clinic is an Equal Opportunity Employer.

The Guthrie Clinic is a non-profit, integrated, practicing physician-led organization in the Twin Tiers of New York and Pennsylvania. Our multi-specialty group practice of more than 500 physicians and 302 advanced practice providers offers 47 specialties through a regional office network providing primary and specialty care in 22 communities. Guthrie Medical Education Programs include General Surgery, Internal Medicine, Emergency Medicine, Family Medicine, Anesthesiology and Orthopedic Surgery residencies, as well as Cardiovascular, Gastroenterology and Pulmonary Critical Care fellowship programs. Guthrie is also a clinical campus for the Geisinger Commonwealth School of Medicine.
Created: 2025-10-02