Current UPHS employees must apply HERE
Director, Cybersecurity Governance Risk Compliance
Job ID: 150852
Category: Information Services/Technology/Service Desk/Telecom
Work Type: FT
Location: Philadelphia, PA, United States
Work Schedule: 8:30AM-5:00PM, M-F | Hybrid
Penn Medicine is dedicated to our tripartite mission of providing the highest level of care to patients, conducting innovative research, and educating future leaders in the field of medicine. Working for this leading academic medical center means collaboration with top clinical, technical and business professionals across all disciplines.
Today at Penn Medicine, someone will make a breakthrough. Someone will heal a heart, deliver hopeful news, and give comfort and reassurance. Our employees shape our future each day. Are you living your life's work?
- Reporting to the Chief Information Security Officer, the Director, Cybersecurity Governance, Risk and Compliance (GRC) is responsible for the oversight and coordination of the GRC program within Penn Medicine's enterprise Cybersecurity program. The incumbent serves as the owner of the Cybersecurity Risk Management Framework and Cybersecurity policies, and directs the business resilience, disaster recovery (DR) and third-party cybersecurity risk management programs, as well as the cybersecurity training and awareness program. The Director is expected to have a full understanding of legal and regulatory requirements relating to Cybersecurity risk management and to ensure the organization's framework is designed and implemented accordingly.
- Defines, implements, and maintains the Cybersecurity Risk Management Framework, Cybersecurity policies and standards through understanding control requirements and industry standards.
- Oversees the Cybersecurity program governance processes including Cybersecurity risk reporting, and Governance Council and board updates.
- Ensures compliance with the security rules of HIPAA, PCI and relevant regulations in jurisdictions where the organization operates.
- Liaises with Internal Audit and Corporate Compliance to remediate new and outstanding issues; tracks security-related issues.
- Oversees Cybersecurity policies, standards, guidelines, and baselines; ensures policies are reviewed and updated regularly.
- Formalizes business continuity planning and leads its maturation.
- Manages enterprise cybersecurity training and awareness program.
- Defines, develops, and implements capabilities to manage third party Cybersecurity risks.
- Communicates the status and accomplishments of the organization’s activities and projects to executive leaders, peers in the IT organization, customers and stakeholders.
- Establishes and maintains strong working relationships with industry peers and other external stakeholders.
- Performs duties in accordance with Penn Medicine and entity values, policies, and procedures.
- Other duties as assigned to support the unit, department, entity, and health system organization.
- Bachelor's Degree (Required)
- 10+ years of Information Technology (IT) experience, with 7+ years within cybersecurity (Required).
- 5+ years of Management/Leadership experience (Required)
Skills & Abilities:
- Strong track record of managing people, projects and processes
- Demonstrated interpersonal/verbal communication skills
- Ability to work effectively with a range of business, clinical, and academic leaders
- Strong understanding of Cybersecurity risk frameworks and ability to lead and oversee the execution and implementation of the frameworks.
- Strong understanding of Cybersecurity risk management and ability to effectively communicate Cybersecurity risk functions to executives.
- Ability to determine and set the strategic direction of the Cybersecurity GRC function.
- Ability to develop policies and standards.
- Strong understanding of industry standards such as ISO, NIST, HITRUST, etc.
- Understanding of business resiliency, business continuity and disaster recovery.
- Ability to manage third party risk.
- Ability to develop and implement cybersecurity training and awareness programs.
- Proven analytical rigor in formulating strategies, objectives and measuring results.
- Strong skills and experience in designing and documenting complex processes, and identifying and eliminating deficiencies in existing process designs.
- Demonstrated ability to establish and maintain strong working relationships with stakeholders, partners, and industry peers.
- Demonstrated track record of successfully developing and maturing cyber risk organizations with the emphasis on delivering results.
- Effective communication skills and ability to synthesize complex technical topics for non-technical audiences.
We believe that the best care for our patients starts with the best care for our employees. Our employee benefits programs help our employees get healthy and stay healthy. We offer a comprehensive compensation and benefits program that includes one of the finest prepaid tuition assistance programs in the region. Penn Medicine employees are actively engaged and committed to our mission. Together we will continue to make medical advances that help people live longer, healthier lives.
Live Your Life's Work
We are an Equal Opportunity and Affirmative Action employer. Candidates are considered for employment without regard to race, ethnicity, color, sex, sexual orientation, gender identity, religion, national origin, ancestry, age, disability, marital status, familial status, genetic information, domestic or sexual violence victim status, citizenship status, military status, status as a protected veteran or any other status protected by applicable law.