The University of Rochester (UR) seeks to recruit a Chief Information Security Officer (CISO) who will lead cybersecurity for the University, including University of Rochester Medical Center (URMC) and its Affiliates. The CISO will set the strategy for cybersecurity in a complex, matrixed environment with a diverse constituency of stakeholder groups with varying degrees of cybersecurity maturity. The CISO must therefore communicate and collaborate effectively with the UR community to recognize differing needs and viewpoints related to security, while ensuring compliance with government, healthcare, University, and other policies and laws related to information security.
The CISO will develop and deliver an iterative cyber strategy and program that balances the requirements of UR’s key stakeholder groups including the medical center and its affiliates, academic center, research enterprise, staff/faculty, and students. They will present their security strategy and state of the program routinely to the Boards of the University, Medical Center and Affiliates, as well as to senior leadership and to academic/clinical/research faculty. They will also manage the institution’s response to security threats and incidents in a unified manner and serve as the accountable leader for internal and external communications related to information security. Ultimately, the CISO will have a “customer-focused” approach to balancing technical, operational, and compliance-related priorities in a constantly evolving threat environment and regulatory landscape. The position reports to the Vice President for IT/Chief Information Officer. This role is based in Rochester, New York, or will require travel to Rochester one week per month, with more frequent travel required initially.
KEY RELATIONSHIPS
Reports to: Julie Myers, VP of IT and Chief Information Officer
Direct reports: A team of ~60 FTE, including:
-Director of Operations
-Director, Identity and Access Management
-Four Business Unit Information Security Officers
Other key relationships:
-General Counsel
-Chief Audit Officer
-Chief Privacy Officer
-Chief Information Officer, URMC
-Chief Technology Officer, University of Rochester
-Chief Technology Officer, URMC
KEY RESPONSIBILITIES
-Balance the requirements, needs, and risks specific to the core pillars of the University system (academics, clinical care, and research), ensuring that all have equal support to accomplish their individual missions without introducing cyber-related risk to the greater system network.
-Deliver routine and impactful briefings to the audit and risk assessment committees of the University Trustees, the URMC Board, and Affiliate Boards.
-Strategically monitor and communicate to Boards and senior University leadership about relevant security trends, threats, vulnerabilities, and potential impacts in the academic, medical, and research environments.
-Collaborate with Academic Center, Research, and Medical Center (including Affiliates) leadership regarding the cybersecurity posture, vision, and strategy, and articulate the risk implications of changes in technology or cybersecurity.
-Assess the current state of the information security program and develop a long-term security road map with strategic solutions designed to evolve and continue to mature the cyber capability across the enterprise, with an emphasis on iterative progress and change as opposed to "big bang" transformation.
-Identify information security priorities, potential threats, and system vulnerabilities; conduct regular and ongoing monitoring of organizational compliance with standards and policies; and recommend courses of action to key stakeholders.
-Lead efforts to identify technical, operational, or policy-related gaps across the University environment, and recommend and implement remediation measures in close partnership with technology and key stakeholders.
-Regularly evaluate short- and long-term goals and objectives to ensure compliance, support UR's overall mission, and uphold a leading cybersecurity posture.
-Collaborate with key stakeholders, including staff, faculty, and student populations, to uphold the University's information security culture, where the importance of security is understood and embraced across the organization.
-Incorporate aspects of AI governance so that it is effective across research, clinical, administration, and education, and provide security updates to the University system AI council.
-Evaluate cybersecurity frameworks to determine the best-fit protocol for the organization. Implement that protocol while educating stakeholders on the criticality of broad adoption of a cybersecurity program.
-Develop and manage operating and capital budgets for security programs that align with overall technology planning.
-Articulate for management risk and compliance committees (in collaboration with the University's Enterprise Risk Management (ERM) Program) the latest risk trends and mitigation strategies across the broader information security industry, their potential impact on university systems as operational assets or liabilities, and how leadership should evaluate them.
-Manage overall HIPAA security compliance, including annual risk analysis, tracking, and remediation, working closely with the Chief Privacy Officer (CPO), with additional oversight of aspects of PCI, GDPR, FERPA, FDA, FISMA, and other applicable compliance requirements.
-Recruit, lead, and mentor a diverse and highly inclusive cybersecurity team.
DESIRED OUTCOMES
-A security posture that successfully and flexibly supports the diverse needs of UR's stakeholders, each with their own appetite for information security risk.
-Compliance with all applicable state, federal, and international information security requirements.
-A collaborative and transparent relationship with the University, Medical Center and Affiliates, clinical, research, staff/faculty, students, and Boards, whereby the CISO keeps stakeholders abreast through regular, clear communication on the status of cybersecurity.
-Education programs that support an engaged and cyber-aware population.
-Resiliency supported by processes, technology, and policies that keep the University and Affiliates secure and, more importantly, allow the University to quickly recover and restore any affected program in the event of a cyberattack.
-The delivery of a proactive and forward-looking strategy and road map to continuously mature the cybersecurity program, with metrics to measure progress over time.
Salary Range
-The base salary range for this position is $300,000-375,000, with final determination of compensation made after consideration of qualifications and experience.
For Candidates: -The University of Rochester is being assisted in this process by Spencer Stuart and welcomes nominations or expressions of interest. If you wish to submit your own application materials or nominate someone to serve as the next Associate Vice President, Chief Information Security Officer for the University of Rochester, please send an email message with supporting materials to: UR_CISO@SpencerStuart.com.
The University of Rochester is committed to fostering, cultivating, and preserving a culture of equity, diversity, and inclusion to advance the University’s mission to Learn, Discover, Heal, Create – and Make the World Ever Better.
In support of our values and those of our society, the University is committed to not discriminating on the basis of age, color, disability, ethnicity, gender identity or expression, genetic information, marital status, military/veteran status, national origin, race, religion/creed, sex, sexual orientation, citizenship status, or any other status protected by law. This commitment extends to non-discrimination in the administration of our policies, admissions, employment, access, and recruitment of candidates from underrepresented populations, veterans, and persons with disabilities consistent with these values and government contractor Affirmative Action obligations.