Senior Director –Identity & Access Management

Role Description:

The Senior Director – Identity & Access Management will be the senior leader and architect of a unified identity ecosystem for Sentara Health. You will lead a "Total Identity" strategy that bridges clinical, corporate, and consumer realms. Own the "Digital Front Door," ensuring patients have a single secure login that traverses across the Sentara ecosystem.

Unique to this role is the ownership of the Epic Security Team and the governance of Non-Human Identities (NHI). You will optimize a multi-million-dollar identity stack including Entra, Ping, ForgeRock, Saviynt, and CyberArk/Beyond Trust, etc. to deliver secure, frictionless care.

Key Responsibilities:

Strategic Leadership & Vision

• Unified Strategy: Define and execute a multi-year roadmap for “Total Identity” across Enterprise and Consumer identity, aligning with broader cyber security and digital transformation goals.

• Executive Alignment: Serve as the primary advocate for identity at the executive level, managing budgets, vendor relationships, and large-scale change management initiatives.

• Product Ownership: Treat identity as a product, ensuring high availability, scalability, and superior user experience for “Total Identity”.

Enterprise IAM (Workforce & Partners)

• Lead the lifecycle management (Joiner/Mover/Leaver) for employees, vendors, and partners.

• Oversee SSO, MFA, and Privileged Access Management (PAM) to enforce Zero Trust and Least Privilege principles.

• Ensure seamless integration of identity services across the internal application landscape.

Consumer IAM (CIAM)

• Own the customer journey for registration, login, and profile management, prioritizing a low-friction "security-first" user experience.

• Drive the implementation of social logins, self-service recovery, and personalization features.

• Collaborate with Marketing and Product teams to ensure identity data enhances customer insights while maintaining trust.

Identity Platform & Engineering

• Direct the development of the core tech stack, including APIs, microservices, and identity data lakes.

• Ensure the reliability and performance of identity products (e.g., Saviynt, Ping ForgeRock, CyberArk/Beyond Trust, etc.).

• Standardize identity patterns across the organization to enable developer self-service.

Epic Security Development/Administration

• Lead the Epic Security Development/Administration team, overseeing the design of security records (EMP), provider records (SER), and sub-templates.

• Clinical Alignment: Partner with CMIO, Clinical Operations, and IT to ensure Epic security profiles (Hyperdrive/Canto/Haiku) enable "tap-and-go" provider workflows without compromising HIPAA standards.

• Security Matrix Governance: Maintain the enterprise Epic Security Matrix, ensuring clinical role-based access (RBAC) is synchronized with enterprise governance (IGA) systems.

Governance & Compliance

• IGA: Establish robust Identity Governance and Administration (IGA) for automated access reviews and role-based access control (RBAC).

• Privacy: Ensure strict adherence to global regulations, including specifically regarding consent management and data residency.

• SecOps Integration: Partner with the Cyber Threat Operations Center (CTOC) to monitor identity-based threats, credential stuffing, and account takeovers.

Non-Human Identity (NHI) & Machine Governance

• Machine Inventory: Establish a comprehensive inventory and ownership model for all non-human identities, including service accounts, API keys, RPA bots, and secrets.

• Secrets Management: Direct the lifecycle—discovery, vaulting, and automated rotation—of credentials used by applications and automated workflows to prevent static "shadow credentials".

• IoMT Security: Extend IAM principles to the Internet of Medical Things (IoMT). Ensure medical devices (infusion pumps, monitors) are authenticated via unique machine identities before accessing clinical networks.

• Workload Identities: Oversee Entra Workload ID or similar tools to secure machine-to-machine (M2M) communications across cloud-native and legacy hospital systems.

Qualifications:

• Bachelor’s or master’s degree in computer science, Information Security, or a related field.

• Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or equivalent certifications preferred.

• Extensive experience (15 years) in technology and cyber security, with 5 years in a senior leadership role at a Healthcare IDN or Health Plan preferred.

• Proven leadership experience managing teams and driving cross-functional collaboration.

• Strong understanding of regulatory requirements, industry standards, and best practices related to cyber security.

• Deep understanding of identity protocols (SAML, OIDC, OAuth 2.0, FIDO2) and experience managing both cloud-native and hybrid identity environments.

• Excellent communication skills, with the ability to articulate complex security concepts to technical and non-technical audiences.

• Strategic thinker with the ability to translate business needs into effective security solutions.

• Demonstrated ability to thrive in a fast-paced, dynamic environment and adapt to evolving threats and challenges.

• Strong leadership and management skills, with the ability to build and lead high-performing security teams.

• Excellent communication and interpersonal skills, with the ability to effectively interact with stakeholders at all levels of the organization.

• Proven track record of driving security initiatives and achieving measurable results.

• Ability to work effectively in a fast-paced and dynamic environment, with a strong sense of urgency and attention to detail.

• Agile, LEAN or Six Sigma experience.