Interim CISO

Company: ZEEKTEK
Location: Clinton Township, OH, 43224
Posted: February 16, 2026

Description:

Proposed Title: Chief Information Privacy and Security Officer (CIPSO or CISO/CPO)

Job Profile Summary:

FUNCTION Information Technology is responsible for the use of any computers, software applications, storage, networking and other hardware or physical devices, infrastructures and processes for creating, managing, securing and exchanging all forms of electronic data. It incorporates leading-edge techniques for collaboratively enhancing the performance of installed systems, identifying new technologies, developing applications and transitioning from legacy to new systems.

SUB-FUNCTION Information Security and Risk Management provides security engineering, risk management, design, access and identity control, operational support and consultation. Provides policy and governance oversight; security operational services; set-up, verification, and audit of user access and authorizations; risk analysis and response. Partners with stakeholders at the organization or unit level to ensure systems and data are secured against a range of physical, electronic, cyber and other threats.

CAREER BAND People Leader - Managerial - Work is primarily achieved through others with direct accountability for setting direction and deploying resources. Responsible for leading people including conducting performance management, reviewing pay, and typically making employment decisions. Accountable for business or operational processes and/or program management. Utilizes business acumen and industry or discipline knowledge to directly or indirectly influence others. Manages a team of two or more individuals who deliver work product related to an expected core competency of the leadership role.

CAREER LEVEL Provides leadership and strategic direction through leadership team of directors and managers (M1-4). Significant barriers to entry and few positions available at this level. Provides extensive leadership in multiple areas that have depth and complexity, with significant institutional span. Typically reports to an Associate Vice President (E1), Vice President (E2), Dean or Vice Provost. Requires broad and substantive knowledge and expertise of principles, practices, and theories within areas and related disciplines and advanced leadership. Develops programs or initiatives that meet major college, unit, or organization objectives. Addresses complex operational and strategic challenges where new solutions need to be devised based on limited information or prior precedent. Impact is on long-term (5 year) goals; sets strategic vision for areas within organizational context of college, unit, or organization. Decisions determine overall success or failure of areas of accountability and external stakeholders. Develops and manages interpersonal relationships to influence senior leadership decisions within college, unit and at times across the organization. Negotiates change and compromise with multiple levels of stakeholders across the organization.

MINIMUM REQUIRED QUALIFICATIONS Bachelor's degree or equivalent experience. 12 years of relevant experience required. 15 or more years of relevant experience preferred.

Job Description Details:

Key Responsibilities

Strategy & Governance:

Develop and Champion Strategy: Define, execute, and maintain a comprehensive, multi-year information security program aligned with Wexner Center's and Organization's business objectives, risk tolerance, tooling, and the NIST Cybersecurity Framework (CSF).

Establish and lead an information security governance framework, including the development, enforcement, and auditing of security policies, procedures, and standards.

Collaborate with the Organization CISO to align on common security standards, controls, and practices, ensuring a cohesive security posture where systems and missions overlap.

Chair relevant security committees and advise senior leadership and the board on security risks and strategy.

Security Operations & Risk Management:

Enterprise Risk Management: Lead continuous Security Risk Assessments (SRAs) and vulnerability management across clinical, research, administrative, and third-party environments. Develop and prioritize risk mitigation and remediation strategies. Work with the Organization CISO on a streamlined risk assessment process for technologies that impact both the Medical Center and the Organization.

HIPAA and ePHI Protection: Ensure rigorous compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act across all electronic Protected Health Information (ePHI) systems and processes. This includes oversight of HIPAA Security Rule compliance, breach notification protocols, and managing security for Electronic Health Record (EHR) systems.

Academic and Research Data Security: Implement controls to protect high-value, sensitive academic and research data.

Third-Party and Vendor Risk Management (VRM): Establish a robust program for assessing and managing the security risks posed by all third-party vendors and business associates.

Serve as the key liaison for internal and external audits related to information security.

AI and Emerging Technology Governance

AI Risk Assessment and Policy: Develop and enforce security policies specifically addressing the unique risks associated with the use of Artificial Intelligence (AI), Machine Learning (ML), and Generative AI in clinical and research settings. This includes data provenance, bias mitigation, model integrity, and compliance with ethical guidelines.

Secure Adoption: Partner with research and clinical leadership to integrate security controls and "privacy-by-design" principles into the evaluation and deployment lifecycle of new AI-driven tools and technologies.

Team Leadership and Culture:

Team Building: Recruit, mentor, and lead a high-performing, diverse information security organization with expertise in governance, risk, compliance (GRC), security architecture, and security operations.

Security Awareness: Design and lead a comprehensive, continuous security education and awareness program for all faculty, staff, clinicians, and researchers, fostering a culture of security accountability throughout the institution.

Qualifications

Experience:

Minimum of 10 years of experience in information security, with at least 5 years in a significant leadership role.

Demonstrated experience in a large, complex organization, preferably within an academic medical center, healthcare system, or higher education.

Proven track record of developing and implementing a successful, enterprise-level information security program.

Certifications: Professional security management certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or an equivalent, is highly desirable.

Skills:

Deep expertise in information security principles, practices, and technologies.

Strong knowledge of relevant legal and regulatory requirements (e.g., HIPAA).

Excellent communication, negotiation, and interpersonal skills with the ability to articulate complex security concepts to technical and non-technical audiences.

Demonstrated ability to build relationships, collaborate, and lead through influence across a decentralized enterprise.

Adaptability to Innovation: Proven ability to manage security implications of rapid innovation in clinical care, biomedical research, and education, including cloud computing, telehealth, and AI/ML.

Responsibilities:

I. Strategy, Governance, and Risk Management (50%)

Enterprise Security Strategy: Develop, champion, and execute a visionary, multi-year information security strategy and roadmap, leveraging industry frameworks (e.g., NIST CSF, HITRUST).

Risk Ownership and Tolerance: Establish the Medical Center's cybersecurity risk appetite in partnership with executive leadership, and proactively manage and report on the overall cyber risk posture, translating technical exposure into clear business impact to the C-suite and the Board.

Regulatory Compliance: Ensure stringent adherence to all applicable laws and regulations, including but not limited to HIPAA/HITECH, 21 CFR Part 11, state data privacy laws, and security mandates for research data and grant funding (e.g., CUI).

AI and Emerging Technology Governance: Develop security standards and governance models for the secure and ethical adoption of Artificial Intelligence (AI) and Machine Learning (ML) in clinical, diagnostic, and research environments, ensuring data provenance, model integrity, and patient safety are prioritized.

Third-Party Risk Management (TPRM): Oversee a robust program for assessing and mitigating the security risks posed by vendors, business associates, and supply chain partners.

II. Security Operations and Leadership (30%)

Security Operations Center (SOC) Oversight: Direct the day-to-day operations of the information security function, including threat intelligence, security monitoring, Security Information and Event Management (SIEM), and vulnerability management across on-premise, cloud, and hybrid environments.

Incident Response: Own the Computer Security Incident Response and Reporting (CSIRR) function, leading the coordination, containment, investigation, and recovery efforts for all major security incidents and breaches, and fulfilling regulatory breach notification requirements.

Security Architecture and Consulting: Provide authoritative security consultation for the design and implementation of new systems (including EHR systems, clinical IoT, and cloud services) and review of existing systems, promoting security-by-design principles.

Access Management and Controls: Oversee the IT Access Management function, including the development of advanced Identity and Access Management (IAM) and Privileged Access Management (PAM) strategies consistent with a Zero Trust model.

III. Culture, Talent, and Collaboration (20%)

Executive Collaboration: Collaborate directly and continuously with the Organization CISO, CIOs, and other executive and departmental leaders to align security initiatives with broad institutional and academic goals.

Team Leadership: Lead, manage, mentor, and coach a diverse, high-performing team of information security professionals, fostering a culture of continuous learning, accountability, and excellence.

Security Awareness and Training: Drive a mandatory, ongoing security education and awareness program for all faculty, staff, researchers, and students to effectively reduce the "human element" risk in a decentralized academic environment.

Communication: Serve as the visible, articulate internal and external champion for information security, possessing the ability to engage diverse stakeholders, from technical staff and researchers to clinicians and the Board.
