Chief Information Security Officer

ARUP
Salt Lake, UT Full Time
POSTED ON 4/29/2025
AVAILABLE BEFORE 6/28/2025

Schedule:
Monday - Friday (40 hrs/wk)
8:00 AM - 5:00 PM

Department: IT General - 210

Primary Purpose:

The Chief Information Security Officer (CISO) is a senior leader responsible for establishing and maintaining the enterprise information security vision, strategy, and operations to ensure information assets and technologies are adequately protected. The CISO will lead the development and implementation of the information security program to safeguard the company’s data, systems, and infrastructure. This role requires a strategic thinker with a deep understanding of cybersecurity, risk management, and regulatory compliance, particularly in the healthcare and laboratory sectors. The CISO relies on extensive technical expertise, business acumen, and leadership skills to plan and accomplish the goals of the information security program. The CISO projects the mission, vision, and values of ARUP.

About ARUP:

ARUP Laboratories is a national clinical and anatomic pathology reference laboratory and an enterprise of the University of Utah and its Department of Pathology, based in Salt Lake City, Utah.

ARUP proudly hires top talent to create a work environment of diversity, professional growth and continuous development. Our workforce is committed to the important service we provide to over one million patients each month. We always strive for excellence and have a strong desire to be involved with the advances in medicine and the role laboratory services play within each patient’s life. We never forget that there is a patient behind every specimen we receive.

We are looking for individuals who want to contribute to ARUP's culture of accountability, integrity, service, and excellence. Consider joining our dynamic team.

Essential Functions:

Develop and implement an enterprise-wide information security strategy that aligns with corporate goals and objectives.

Provide regular updates to the CIO, executive team, and board of directors on the status of the information security program; provide counsel on information security matters, emerging threats, and best practices.

Collaborate with IT, legal, compliance, privacy, Technical Operations, and other departments to foster a shared responsibility for information security and to integrate security into all aspects of the organization’s operations.

Partner with the business and other IT functions to ensure security architecture is seamlessly integrated into all aspects of the organization's operations, providing robust protection against threats while enabling business agility and innovation.

Verify the implementation and management of security technologies and controls, including computer and network security, security system administration, virus protection, intrusion detection and prevention, identity and access management, application security patching, and vulnerability scanning systems.

Verify the operation of security controls to ensure they are functioning effectively and efficiently, identifying and mitigating any vulnerabilities promptly to maintain the integrity and confidentiality of the organization's information assets.

Maintain a security operations center to monitor, hunt, and detect threats.

Stay current with emerging technologies, cybersecurity threats, and trends.

Ensure compliance with relevant laws, regulations, and industry standards (e.g., HIPAA, GDPR, NIST).

Establish and enforce information security policies, standards, and procedures.

Oversee the development and implementation of security awareness and training programs for employees.

Develop and implement a comprehensive training program to enhance the skills and knowledge of the security staff, fostering a culture of continuous improvement and ensuring the team is well-equipped to handle emerging threats and challenges.

Identify, assess, and prioritize security risks to the organization's information assets.

Develop and implement risk mitigation strategies and controls.

Conduct regular risk assessments and audits to ensure compliance with industry standards and regulations.

Oversee regular security audits, risk assessments, and penetration tests to identify vulnerabilities and track remediation efforts.

Participate in regulatory, client, and corporate audits to ensure compliance with industry standards and internal policies.

Manage security vendor relationships, evaluate their offerings, negotiate contracts, and monitor performance to ensure compliance and enhance security posture.

Negotiate, recommend, and/or approve contractual agreements and service contracts.

Develop and regularly evaluate incident response and disaster recovery plans to address potential security breaches, minimize the impact of incidents, and ensure business continuity.

Lead the response to security incidents, including detection, containment, investigation, remediation, and recovery.

Coordinate with external partners and law enforcement as necessary.

Build and lead a high-performing information security team. Define and maintain an organizational structure that provides appropriate levels of service with appropriate managerial span of control.

Establish key performance indicators to monitor performance.

Define and defend operational and capital plans for the area of responsibility and manage expenditures against those plans. Prepare resource requests with appropriate justification.

Translate technical issues or risks into business implications that are meaningful to executive leadership.

Other duties as assigned.

Physical and Other Requirements:

Stooping: Bending body downward and forward by bending spine at the waist.

Reaching: Extending hand(s) and arm(s) in any direction.

Mobility: The person in this position needs to occasionally move between work sites and inside the office to access file cabinets, office machinery, etc.

Communicate: Frequently communicate with others.

PPE: Biohazard laboratory environment that requires use of personal protective equipment in accordance with CDC and OSHA regulations and company policies.

ARUP Policies and Procedures: To conduct self in compliance with all ARUP Policies and Procedures.

Sedentary Work: Exerting up to 10 pounds of force occasionally and/or negligible amount of force frequently or constantly to lift, carry, push, pull or otherwise move objects.

Vision: Having close, far, and peripheral visual acuity to perform a variety of tasks such as make general observations of depth and distance.

Color Vision: Perception of and ability to distinguish colors.

Fine Motor Control: Picking, pinching, typing or otherwise working, primarily with fingers rather than with the whole hand as in handling.

Experience

Required
  • Bachelor’s degree in Information Technology, Engineering, or a related field, or equivalent education and experience and 10 years of experience in information security, including a minimum of 5 years in progressively responsible leadership positions
  • Relevant certifications such as CISSP, CISM, CISA, or CIPP
  • Experience in the healthcare or laboratory sector
  • Expert knowledge of cybersecurity frameworks and standards (e.g., NIST, ISO/IEC 27001, HITRUST)
  • Demonstrated understanding of the healthcare industry and its unique regulatory, operational, and technical challenges
Preferred
  • Master’s degree in related field
  • Multiple information security-related certifications such as CISSP, CISM, CISA, or CIPP

Education

Required
  • Bachelor's Degree or better in Information Systems or related field
Preferred
  • Master's Degree or better in Information Systems or related field

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.
