"Alerted.org

Job Summary

Reporting to the SVP, Chief Information Officer, the VP Information Security is Baylor Scott & White Health’s (BSWH) senior executive responsible for cybersecurity strategy, risk reduction, and enterprise resilience across hospitals, clinics, ambulatory sites, enterprise systems (including EHR), clinical environments, and cloud platforms. Within IS’s Agile delivery model, the VP embeds “security by design” into backlogs, sprints, and release trains to translate strategy into day to day execution for product and platform teams.

The VP owns the NIST Cybersecurity Framework (CSF) adoption roadmap (Identify–Protect–Detect–Respond–Recover), ensures HIPAA/HITECH and healthcare specific compliance (e.g., 405(d) HICP; HITRUST mappings), and delivers measurable risk reduction via prioritized, evidence based investments. The CISO partners with Internal Audit, Risk, Compliance/Privacy, Legal, HR, Supply Chain/VMO, Clinical leadership, and IS Governance to align cyber risk decisions with patient safety, business goals, and financial stewardship.

The role operates with multiple Managed Service Providers (MSPs), governing cross provider standards, SLAs, joint playbooks, and unified metrics so BSWH presents one security posture.

Essential Functions

_Cybersecurity Roadmap_

- Developing a Cybersecurity Road Map that could be used at both an Executive/Board Level and is also "translatable" to operational level teams.

- Cascade the road map deliverables throughout the team, trackable as weekly, monthly, and yearly activities for the teams.

_Cyber Program & Governance_

- Set the enterprise cybersecurity strategy and multi year roadmap aligned to NIST CSF 2.0; convert into budgets, OKRs, and measurable KRIs/KPIs.

- Run executive security governance (e.g., Security Steering, Board/ISLC updates) with concise risk narratives and decision options.

- Lead integration across MSPs (cyber, apps, infra, PMO): shared standards, SLAs, joint runbooks, cross tower escalations, and performance scorecards.

- Embed Agile processes in daily operations

- Own security policy/standards/baselines; drive “design time security” via enterprise architecture and Zero Trust.

_Governance, Risk & Controls (GRC) / Cyber Program_

- Maintain enterprise risk register; quantify risk and prioritize remediation by business impact + exploitability + asset criticality.

- Ensure regulatory, legal, and framework alignment (HIPAA/HITECH, 405(d) HICP, HITRUST mappings); coordinate internal/external audits and control testing.

- Lead third party risk with Supply Chain/VMO (security schedules, right to audit, breach notification, continuous monitoring); track remediation to closure.

- Operate a Cyber Risk & Performance dashboard mapped to NIST CSF and governance exhibits; present trends, heat maps, and decision asks.

_Cyber Operations (SOC / Incident Response / Resilience)_

- Oversee 24×7 SOC, SIEM, EDR/XDR, threat hunting, phishing defense, use case engineering; drive MTTD/MTTR improvements and alert quality.

- Own Incident Response and Crisis Management: tested playbooks, ransomware readiness, forensics, breach notification with Privacy/Legal, executive and Board communications.

- Lead cyber requirements for BC/DR (backup/restore integrity, cyber recovery, segmentation) including clinical technology; run joint tabletop exercises with MSPs.

_Cyber Defense (Vulnerability/Exposure/Patch; Email/Network/Endpoint defense)_

- Run an exposure management program that continuously measures risk and sequences remediation to eliminate the riskiest 20% that drive ~80% of exposure.

- Align vulnerability SLAs by asset tier; orchestrate patching across internal teams and MSPs with defined maintenance windows and change governance.

- Oversee platform defenses with domain leaders (e.g., Proofpoint for email, Firewall policy/governance, Endpoint protection standards).

Identity & Access Management (IAM)

- Own IAM/IGA, SSO/MFA, PAM, privileged session monitoring; enforce least privilege, JIT access, and high assurance controls for high risk workflows (e.g., EHR admin, OT).

- Conduct periodic access reviews and certs; integrate identity guardrails into Agile CI/CD and change processes.

Data Protection

- Lead data classification, DLP, encryption (at rest/in transit/in use), key management, tokenization, and de identification for research/analytics; partner with Privacy.

- Establish guardrails for data use in cloud/SaaS and with third parties; monitor and remediate data handling risks.

_Cyber Architecture & Engineering_

- Define Zero Trust architecture; secure reference architectures for cloud (IaaS/PaaS/SaaS) and on prem; operate CSPM/CWPP posture management.

- Embed secure SDLC / DevSecOps (threat modeling, SAST/DAST/IAST, SBOM, software supply chain security); provide reusable patterns and hardened baselines.

- Partner with platform teams on secure build pipelines; codify controls as policy as code.

_Platform Security Domains_

- **Endpoint Management:** OS/app hardening baselines, EDR policy, device compliance; integrate with patch/change windows.

- **Firewall:** Network segmentation strategy, rule lifecycle governance, change control; coordinate with MSP network teams.

- **Cloud Security:** Guardrails, identity boundaries, key/cert management, workload posture; integrate with product teams’ Agile delivery.

- **Email Security (Proofpoint):** Advanced threat protection, impersonation/BEC defenses, policy tuning; measure catch/allow rates and false positives.

- **SOC Integration:** Use case roadmap, tuning, detection engineering, purple teaming; multi MSP handoffs tested and measured.

Key Success Factors

- **Education/Credentials:** Bachelor’s in Cybersecurity/CS/IS or related field; Master’s preferred. Executive level security certification(s) (e.g., CISSP, CISM, CISA, CCISO or comparable).

- **Experience:** 15-20 years relevant experience with 10+ years progressive IT/security leadership in large, complex, regulated settings; 5+ years leading enterprise security portfolios. Health system experience preferred.

- **Strategy → Execution:** Demonstrated ability to prioritize highest impact risks and convert strategy into an executable, Agile aligned cascade (daily→annual) with measurable outcomes.

- **MSP Leadership:** Multi provider integration expertise; establishing common standards, OLAs/XLAs, joint playbooks, action oriented governance and commercial levers with VMO/Supply Chain.

- **NIST & Regulatory Mastery:** NIST CSF/800 53, HIPAA/HITECH, 405(d) HICP, HITRUST mappings, PCI (as applicable), FDA/medical device guidance, privacy/security interplay.

- **Architecture & Ops:** Zero Trust, IAM/IGA/PAM/MFA, cloud security, secure SDLC & software supply chain, EDR/XDR/SIEM, exposure mgmt, IR/crisis comms.

- **Executive Communication:** Storytelling for Board/executives; operational translation for engineers and clinicians; calm leadership under pressure. Ability to handle sensitive information and collaborate across clinical, administrative, and technical teams.

- **People & Culture:** Team builder and coach; cultivates a learning, high trust, high accountability culture; scales capability via MSPs and internal talent.

Minimum Requirements

- Bachelor’s Degree (Information Security, IT, Computer Science, or related preferred).

- 10 years of experience

As a health care system committed to improving the health of those we serve, we are asking our employees to model the same behaviours that we promote to our patients. As of January 1, 2012, Baylor Scott & White Health no longer hires individuals who use nicotine products. We are an equal opportunity employer committed to ensuring a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law.