VP, Chief Information Security Officer Details

VP, Chief Information Security Officer

Sentara Healthcare - Virginia Beach, VA

Employment Type : Full-Time

The Vice President, Chief Information Security Officer (VP/CISO) position is an exceptional opportunity for a dynamic IT security leader to join an innovative, progressive, multi-billion-dollar health system that is experiencing tremendous growth through mergers and acquisitions. As a financially successful organization, Sentara is an integrated delivery system which includes 12 hospitals, a clinically integrated network and a health plan. Sentara is supported by a mission driven, team-based culture that is focused on quality, efficiency, and service. The VP/CISO will have the opportunity to make a significant impact and represent one of the top health systems in the country on a national level regarding information security.

The VP/CISO will report to the Senior Vice President & Chief Information Officer (CVP/CIO) and will serve as an active member of the IT leadership team. Advancing information security is continually one of the top goals of the Sentara Executive Leadership Team, and a key area of focus for the Board of Directors of Sentara Healthcare. As such, the VP/CISO is a critical hire and will have broad exposure and support across the health system to build out a robust information security environment.

The VP/CISO is a senior level position responsible for leading and managing information security at Sentara Healthcare and majority owned affiliates. This leader will fully evaluate the existing environment and provide the leadership to sustain, strengthen and adapt information security solutions to meet the needs of the health system. An Information Security Oversight Committee, and the Board Audit and Compliance Committee provide input and support to the VP/CISO’s strategy and success.

Sentara Healthcare has invested in IT and possesses a complex technology environment. The health system has an integrated EMR with the Epic system live in both inpatient and outpatient settings. In addition to information security and under the leadership of the CIO, the IT organization will be focused on supporting enterprise digital solutions, data analytics and preparation for significant growth through mergers and affiliations.

The ideal candidate for the VP/CISO position will be a polished executive with a track record of success in information security. The VP/CISO will be viewed as a trusted advisor who is collaborative, transparent and solutions driven. He/she will be able to build the business case and garner consensus with leaders across Sentara. This position requires a strong leader who can communicate effectively and develop trusting relationships at all levels. The VP/CISO will have the ability to develop a plan and execute in a large and growing health system.


Under the guidance of the Senior Vice President & Chief Information Officer, the Vice President, Chief Information Security Officer will provide the leadership for planning, developing, directing, and operating an innovative, trusted, and reliable IT Security Program to support Sentara in areas of confidentiality, integrity, and availability of electronic institutional information. Electronic information includes PHI, PII and confidential intellectual property. The scope of infrastructure includes EMRs and other institutional information systems, that may be in local infrastructure, in public cloud, or in a hybrid model. The organization has over 100,000 computing devices owned by Sentara, and by vendors – with associated infrastructure components. Along with providing security of Sentara’s data, the security program must be compliant with Sentara policies, applicable laws and regulations, and multiple contractual obligations requiring SOC 2 and/or HITRUST certifications. These may include, but are not limited to HIPAA, PCI, and state privacy laws for each of the 50 states.

The position will be responsible for the direction of staff and activities which is in support of Sentara’s strategic/operational direction of security resources and business activities. Also responsible for developing annual operating and capital budgets for all Sentara Security Programs.

The position works closely and collaboratively with the IT department as well as other departments and internal Sentara groups- including Legal, Compliance, Audit, Privacy, Risk Management, Brand Engagement, and HR.

The position will direct a team of IT security professionals and analysts knowledgeable in clinical and business activities to meet user information needs and the strategic goals of the organization.

The position will exercise substantial discretion, independent judgment and decision-making authority to design, prioritize, implement, and measure Security benchmarks and metrics that will be reported up to the BOD level.

The VP/CISO will collaborate with other senior leadership departments to assess risks, coordinate mitigation efforts, establish internal controls, respond to incidents, and manage shared concerns. The VP/CISO should demonstrate sound judgement and analysis of threat, vulnerabilities, probability of exploitation, and business impact. The VP/CISO will partner closely with the CIO, CTO and business leaders to determine how incidents will be detected what appropriate near and long term response and recovery scenarios may be.

The VP/CISO will have external responsibilities as well to attend and represent Sentara at major IT and Security conferences and events.

The position has three direct reports: Director of Enterprise Cyber Risk, Director of Enterprise Cyber Security, and Director of Enterprise Identity Services.
The total team make-up is approximately 32 full-time positions, 8-10 part-time positions, and outsourced services that are equivalent to approximately 20 full-time positions.
will have leadership oversight for IT Security Operations, Policy Development and Implementation, Vulnerability Management, IT support for Audits and monitoring, Incident Response and Handling, Education and Outreach and Reporting.
Specifically - These duties include:

• Management and Leadership

• Hiring, evaluating, training, performance management, salary administration, staff mentorship, development & retention.

• Participate and perform continuous quality improvement activities in security.

• Review and evaluate technology and incoming new vendors for future risks and opportunities to improve IT Security.

• Oversee the security requirements in system development life cycle, business continuity planning and disaster recovery.

• Liaison with the enterprise architecture review board to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.

• Policy Development and Implementation

• Implement Sentara information security policies, standards, and procedures for Sentara core assets: including EMR system, data warehouses, computing devices used for access to these systems and for patient data collection, security systems used to monitor these activities, and business systems, including those supporting all administrative functions and business activities in the Sentara healthcare system.

• Vulnerability Management

• Continuously improve a VM program which includes: Automated vulnerability scanning customized vulnerability assessment and penetration testing. Create, communicate a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants, and other service providers.

• Provide strategic risk guidance for Sentara IT Projects, including the evaluation and recommendation of technical controls.

• In collaboration with Compliance, identify IT Service tools and activities for managing the risks of electronic sharing of information in medical records with patient and other providers.

• IT Auditing and Monitoring

• Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate course of action.

• Provide audit response management and ongoing guidance on solutions to achieve and maintain security compliance, to mitigate information security risks and to correct compliance exposures and gaps.

• Incident Response and Handling

• Manage the timely response and investigation efforts for security incidents, breaches, and forensics to meet all regulatory and business requirements and minimize their impact.

• Ensure that information security strategies and processes meet all regulatory and business requirements so that the impacts of incidents are minimized.

• Liaise with external agencies, such as law enforcement and other advisory bodies as necessary to ensure that the organization maintains strong security posture.

• Education and Outreach

• Partner with IT department heads, Compliance, Legal, Privacy and Audit groups to assess education and outreach needs, develop related strategies, develop training content, and lead/participate in outreach activities.

• Reporting

• Provide regular reporting on the status of information security efforts to senior IT Leadership and enterprise risk teams, senior business leaders and as required to the CEO and BOD committees.

• Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the security program, facilitate appropriate resource allocation, and increase the maturity of the security.

• A Bachelor’s degree in a relevant field is required; master’s degree or MBA is preferred.

• CISSP, CISM, CISA, or other industry accepted certification (minimum of one)

• Minimum of eight to ten years of experience in information security management, planning, and policy development in a diverse information systems environment.

• Minimum of five years management experience in an information security leadership position, such as CISO, ideally in a large and complex health system. Senior information security executives with equivalent experience in other industries including the financial and banking sectors will also be considered.

• Successfully built and maintained an information security program in a large and complex organization.
• Developed a multi-year information security roadmap and plan, which includes metrics to measure performance and can be understood by a variety of audiences.
• Deep knowledge and experience with security and regulatory compliance as well as external audits.
• Experience working in a complex and growing organization that has expanded through mergers and acquisitions is desirable.
• Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
• Knowledge and understanding of relevant legal and regulatory requirements, such as the HIPAA Act and Payment Card Industry/Data Security Standard, and Federal Information Security Management Act.

• Strong management, relationship building and communication skills.

• Superior written, negotiation, organizational, and presentation skills.

• Proven analytical ability to solve complex business and technical problems, a critical thinker.

• Strong interpersonal skills to effectively interface with internal/external customers, senior management, and Board of Directors.

• Ability to influence and build consensus across the health system; partner and manage vendors effectively.

• Transparent leader with high integrity.

• Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.

• Confident, visible leader who is approachable and can build strong, trusting relationships.
• Collaborative team player and team builder.

• Up to date on new tools and technologies related to information security.

• Poise and the ability to act calmly and competently in high-pressure, high-stress situations.