Who We Are Point32Health is a leading health and wellbeing organization, delivering an ever-better personalized health care experience to everyone in our communities. At Point32Health, we are building on the quality, nonprofit heritage of our founding organizations, Tufts Health Plan and Harvard Pilgrim Health Care, where we leverage our experience and expertise to help people find their version of healthier living through a broad range of health plans and tools that make navigating health and wellbeing easier. We enjoy the important work we do every day in service to our members, partners, colleagues and communities. To learn more about who we are at Point32Health, click here. Job Summary As a Business Information Security Officer (BISO), you will play a critical role in bridging the gap between Cyber & Information Security and business objectives within the Harvard Pilgrim Health Care Institute (“HPHCI”). The Harvard Pilgrim Health Care Institute is a research and teaching collaboration between Harvard Pilgrim Health Care and Harvard Medical School. The Harvard Pilgrim Health Care Institute is a limited liability corporation of Harvard Pilgrim Health Care and part of Point32Health. Your primary responsibility will be to ensure that the HPHCI business receives the necessary support, guidance, and security oversight to support its research mission. You will collaborate closely with both technical and business leaders to integrate Cyber & Information Security services into the HPHCI business’ operations. This role is pivotal in ensuring that the Harvard Pilgrim Health Care Institute operates securely while meeting its unique business requirements Key Responsibilities/Duties – what you will be doing Risk Assessment Services: Evaluate the security posture of third-party vendors and partners that interact with the HPHCI organization. Collaborate with business, Legal, and Privacy representatives to ensure that third-party contracts include appropriate security clauses and compliance requirements Assist in the coordination of system and application updates needed to address security vulnerabilities and threats as to ensure timely remediation and to limit business impact Conduct risk assessments for the HPHCI business, identifying potential vulnerabilities, threats, and areas of concern Collaborate with the Institute to develop and manage an Institute risk management plan that supports the Institute’s research mission to prioritize risks and develop mitigation strategies tailored to the HPHCI organization’s unique protocols Responding to RFPs (Request for Proposals): Assist in crafting security-related responses to RFPs, demonstrating our commitment to safeguarding information assets Collaborate with business and technology teams to position the HPHCI organization as a secure and reliable partner Security Guidance: Provide expert guidance regarding security requirements, best practices, policies, and procedures to HPHCI’s leadership and staff, Institutional Review Board and Point32Health Privacy and Compliance offices in support of research activities Translate complex technical concepts into business-friendly language, ensuring clear communication Manage the security awareness and training between the teams from Point32Health Security and HPHCI that are required to access different systems Oversight and Governance: Serve as the primary security contact for HPHCI’s leadership, including its Board of Trustee Oversee the implementation of applicable security policies and standards Support HPHCI’s compliance with security regulations and industry standards Provide expert guidance, and manage contractual, regulatory and other business requirements of HPHCI related to data and technology compliance Provide input and recommendations to the budget supporting HPHCI Is provided delegated authority to process (support/challenge) exceptions for various types of access that have been requested and approved by appropriate HPHCI management Incident Management: Collaborate with business, technology, and security SMEs to development specific security event/incident procedures (“playbooks”) Represent the HPHCI organization during periodic security incident tabletop and simulation exercises to ensure that HPHCI’s systems, resources, and unique business practices are considered In case of a security incident, participate as the HPHCI organization’s primary security expert to ensure consistent communication, prioritization, and escalations are addressed Qualifications – what you need to perform the job EDUCATION, CERTIFICATION AND LICENSURE: Bachelor’s degree in Cyber Security, Computer Science, Risk Management, or related field preferred or equivalent experience EXPERIENCE (minimum years required): 10 years combined IT, cyber/information security, risk, audit, compliance, with increasing responsibility 5 years in cybersecurity or field(s) related to the programs for which the role is responsible for 5 years in a leadership role, preferably with at least 2 of those years overseeing other managers Experience in leading or sponsoring implementation of technical security solutions within large organizations Experience developing and implementing process-based security controls, processes, and capabilities Experience in engaging with and managing vendors responsible for implementing processes and/or IT solutions Experience creating and maintaining security requirements, guidelines, and procedure documents Extensive knowledge and experience in security and compliance frameworks such as NIST, ISO, etc SKILL REQUIREMENTS: Strong Business Acumen: Ability to articulate the importance of security requirements to business leaders Understand and speak the language of the HPHCI business Technical Expertise: Deep understanding of cybersecurity technologies and their application Familiarity with a wide range of IT systems and applications Effective Communication: Ability to communicate with both technical and non-technical stakeholders Translate complex technical concepts into plain language Risk Management Skills: Identify, assess, and prioritize risks Apply cyber-risk management principles to the HPHCI business Project Management: Represent the HPHCI’s business needs and impacts within the scoping, planning, and implementation of Point32Health’s Cyber & Information Security program enhancements WORKING CONDITIONS AND ADDITIONAL REQUIREMENTS (include special requirements, e.g., lifting, travel): Must be able to work under normal office conditions and work from home as required Work may require simultaneous use of a telephone/headset and PC/keyboard and sitting for extended durations May be required to work additional hours beyond standard work schedule DISCLAIMER The above statements are intended to describe the general nature and level of work being performed by employees assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of employees assigned to this position. Management retains the discretion to add to or change the duties of the position at any time. Compensation & Total Rewards Overview As part of our comprehensive total rewards program, colleagues are also eligible for variable pay. Eligibility for any bonus, commission, benefits, or any other form of compensation and benefits remains in the Company's sole discretion and may be modified at the Company’s sole discretion, consistent with the law. Point32Health offers their Colleagues a competitive and comprehensive total rewards package which currently includes: Medical, dental and vision coverage Retirement plans Paid time off Employer-paid life and disability insurance with additional buy-up coverage options Tuition program Well-being benefits Full suite of benefits to support career development, individual & family health, and financial health For more details on our total rewards programs, visit https://www.point32health.org/careers/benefits/ Commitment to Diversity, Equity, Inclusion, Accessibility (DEIA) and Health Equity Point32Health is committed to making diversity, equity, inclusion, accessibility and health equity part of everything we do—from product design to the workforce driving that innovation. Our Diversity, Equity, Inclusion, Accessibility (DEIA) and Health Equity team's strategy is deeply connected to our core values and will evolve as the changing nature of work shifts. Programming, events, and an inclusion infrastructure play a role in how we spread cultural awareness, train people leaders on engaging with their teams and provide parameters on how to recruit and retain talented and dynamic talent. We welcome all applicants and qualified individuals, who will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. At Point32Health, we strive to be a different kind of nonprofit health and well-being company, with a broad range of health plans, and innovative tools that make navigating health and well-being easier, guiding our members at every step of their health care journey to better health outcomes. We are committed to providing high-quality and affordable health care, improving the health and wellness of our members, and creating healthier communities across the country. The Point32Health name is inspired by the 32 points on a compass. It speaks to the critical role we play in guiding and empowering the people we serve to achieve healthier lives. Our employees are hard-working, innovative, and collaborative. They look for opportunities to grow and make a difference, and they help make us strive to be one of the Top Places to work in New England.