Director of Data Security

Under the strategic instruction of the CLO/CCO/CPO and serving as the Data Security lead for HPOne, the Data Security Director (“Director”) will serve as the implementor and overseer of HPOne’s data security obligations (including but not limited to application security, data security, and infrastructure security), continued maturation and evolution, and audits, as well as leading the remediation stemming from any such audits.

This role will work with appropriate data, engineering, privacy, and governance counterparts to ensure cybersecurity capabilities for protecting HPOne’s data are appropriately designed, engineered, and monitored to meet HPOne’s needs.

This role requires technical competence and ability to work with stakeholders across various domains. Additionally, the role requires familiarity with recent threats and adversarial techniques, as well as the ability to quickly respond to new threats. Thought leadership for designing data protections in a rapidly evolving AI-driven world will be critical to this role’s success.

They also ensure establishment of and compliance with effective information security practices and must build and maintain data security awareness organization-wide.

Responsibilities

Communications and Leadership:

• Work with executive staff to represent HealthPlanOne on cyber security matters and liaise with external agencies, clients, and organizations, where required, ensuring that any information requested is provided on a timely and secure basis.
• Effectively communicates Data Security program status, risks, and mitigating actions to all requested leadership. Directly represents the program to business leaders/technical staff at all levels of the company, including preparing and presenting detailed, written information for multiple audiences.
• Manages overall program budget (working with finance).
• Provide guidance and support to other departments to ensure compliance with security policies and procedures and advocate for security culture and educate colleagues across all parts of HPOne.

Knowledge and Threat Awareness:

• Keep up to date with Information and cyber security trends, threats, and control measures, to be an active member of the Information/Data/Cyber Security communities.
• Maintain a very high level of knowledge in relevant technical areas, at present this includes: PCI, HiTrust, and similar data and security standards, Network and Routing concepts, Security concepts, Microsoft Authentication and provisioning technologies, Microsoft Windows, MacOS, Encryption Technologies.
• Maintain a very high level of knowledge of cybersecurity equipment and technologies to enable the evaluation, selection, testing, installation and monitoring of new / enhanced systems.

Oversight and Management:

• Oversee (directly and through your direct report(s)) the data security operations including but not limited to continuous monitoring, security information and event management, security architecture, security engineering, vulnerability scanning, endpoint security, security analytics, network access control, penetration testing, data forensics, security data ingestion, threat monitoring/hunt and security situational awareness.
• Works with Risk Management Head regarding the development of a multi-year Data Security program roadmap and annual/quarterly/monthly planning and execution of initiatives and department efforts.
• Assess program and security risks and provide mitigation recommendations and actions for program decision-making.
• Ensures the program deliverables are assessed against the appropriate controls and processes to ensure compliance to regulatory and contractual obligations (e.g. HiTrust, HIPAA/HITECH, PCI, etc.).
• Serve as a subject matter expert for data protection in responsible use of AI.
• Design, implement, and manage enterprise cybersecurity solutions to safeguard HPOne assets and information, while maintaining threat monitoring services.
• Conduct security analyses, drive risk decisions, and influence both infrastructure and product architecture across internal tools, frameworks, and applications.
• Gather and report on security metrics that demonstrate the relative cost/benefit of the security operations and other cybersecurity initiatives
• Meet security audit mandates, standards, and requirements
• Lead business continuity and disaster recovery preparation, continuous maturity, and testing by developing and maintaining backup procedures and Disaster Recovery documentation for the security infrastructure to ensure that business requirements are met in a timely manner and to accurately reflect user requirements.
• Direct implementation and execution of security standards, policies, processes, and best practices for the organization.
• Execute on an effective cyber incident management response plan. Coordinate the response to Cyber security incidents and investigations, managing them in a professional manner including computer forensics for evidence gathering and preservation. Ensure appropriate and sensitive handling of affected staff and efficiently liaison with external and law enforcement agencies when required.
• To lead and manage cybersecurity projects, ensuring completion to deadlines and within budget. In doing so undertake planning, costing, project management, liaison with suppliers.
• To manage other activities that may arise through company evolution, growth or restructuring.
• Performs other related duties as assigned.

Required Qualifications

• 10+ years of Data Security work experience.
• Bachelor Degree in Computer Science, Cybersecurity or other related field of study.
• Excellent communication skills and the ability to work well with people at every level of staff and with external suppliers.
• Excellent resilience to pressure, requiring the ability to manage competing high priority workloads while fulfilling responsibilities that are significant to data and security health of HPOne.
• Capable of managing staff and coordinating activities with internal personnel, leadership, and suppliers.
• Superior experience in implementing security and risk standards.
• Ability to react to dynamic changing environments.
• Superior problem solving and analytical skills with the ability to create and develop clear policies, standards, and procedures.
• Ability to analyze and recommend pragmatic & practical solutions to complex business and technical problems.
• Technical knowledge of cyber security management and approaches derived from in depth experience of this field, and a high level of knowledge of these technologies in a similar-sized organization.
• Superior understanding of data communications issues, including a reasonable knowledge of communications protocols and available security hardware and software products.
• High level of experience at a technical level of current versions of VPN, Firewall, Policies, ISA Proxy, Outlook Web Access Proxy, Anti-Virus software, MSFT Defender, TCP/IP suite of protocols.
• Expert knowledge level and experience with the following:
• Firewall Management (Boundary, MIS, Device)
• Cloud Access Security Broker Services
• Anomaly Detection
• User and Entity Behavior Analytics
• Security Information and Event Management
• Expert knowledge level of knowledge regarding vulnerabilities, threats, attack methods, and infection vectors.
• Expert knowledge in computer networking fundamentals & security control, firewalls, routing, etc.
• Demonstrable understanding of application security (web based) and how to protect business services through multiple protection mechanisms (controls).
• CCSFP (HiTrust) plus CISM, CISA, or similar certification

Preferred Skills/Abilities:

• CISSP certification and/or Certified HITRUST Quality Professional (CHQP) certification.
• Master’s degree in computer science, management information systems, or related discipline.

Physical Requirements:

• Prolonged periods of sitting at a desk and working on a computer, typically in a cubicle environment (constant noise, fluorescent overhead lighting)
• Willingness to work outside normal hours and travel 10%.

Equal Employment Opportunity (EEO) is a fundamental principle at HPOne, where employment is based upon personal capabilities and qualifications. HPOne does not discriminate because of actual or perceived sex, sexual orientation or preference, gender identity, gender, transgender, race, color, religion, national origin, creed, citizenship status, ancestry, age, marital status, pregnancy, childbirth or related medical conditions, medical conditions including genetic characteristics, mental or physical disability, military and veteran status, or any other protected characteristic as established by law. HPOne requires the necessary drug testing and background checks as part of our pre-employment practices. If assistance or accommodation due to a disability is needed, requests should be sent to: accommodations@hpone.com.