Chief Information Security Officer (0933 Manager…
City and County of San Francisco (San Francisco, CA)
The Department of Public Health prioritizes equitable and inclusive access to quality healthcare for its community and values the importance of diversity in its workforce. All employees at the Department of Public Health work to advance equity, inclusion, and diversity with a specific lens and focus on race, ethnicity, gender, sex, sexuality, disability, and immigration status.
This is a Position-Based Test conducted in accordance with CSC Rule 111A. Learn more about the City’s hiring process here: https://careers.sf.gov/knowledge/process/
+ Application Opening: Friday, November 21, 2025
+ Application Deadline: Application filing will close on or after Friday, December 19, 2025.
+ Salary: $180,440 - $230,308 Annually (Range A) (https://careers.sf.gov/classifications/?classCode=0933&setId=COMMN)
+ Appointment Type: Permanent Civil Service (https://careers.sf.gov/knowledge/role-types/)
+ Recruitment ID: PBT-0933-160818
Becoming a City employee means being a part of a team that cares about making a difference. Your work will shape both the present and future of San Francisco. When you work for the City, you’re choosing a job with purpose.
The mission of the San Francisco Department of Public Health (SFDPH) is to protect and promote the health of all San Franciscans. SFDPH strives to achieve its mission through the work of several divisions - the San Francisco Health Network, Population Health Division, Behavioral Health Services, and Central Administration. The San Francisco Health Network is the City’s only complete system of care and has locations throughout the City, including Zuckerberg San Francisco General Hospital and Trauma Center, Laguna Honda Hospital and Rehabilitation Center, and over 15 primary care health centers. The Population Health Division (PHD) provides core public health services for the City and County of San Francisco: health protection, health promotion, disease and injury prevention, disease surveillance, and disaster preparedness and response. Behavioral Health Services operates in conjunction with SFHN and provides a range of mental health and substance use treatment services. Central Administration houses core support organizations, including Finance, Information Technology (IT), Human Resources, Privacy and Compliance, Business Office, Facilities Management, and Security Services.
The San Francisco Department of Public Health is seeking a dynamic and experienced cybersecurity professional to join its IT leadership team. As a key strategic leader, the Chief Information Security Officer (CISO) (0933 Manager V) will be responsible for developing and executing a comprehensive information security strategy that safeguards the department’s systems, data, and services.
This role leads the implementation of an enterprise-wide security program that promotes collaboration, strengthens governance, and aligns cybersecurity initiatives with organizational goals. The CISO serves as a trusted advisor to senior leadership, providing expert guidance on risk management, security investments, and policy development. The CISO oversees a team of cybersecurity professionals within the SFDPH IT division and collaborates extensively with the CISO for the City and County of San Francisco.
We are looking for a visionary and collaborative leader who can balance innovation with risk mitigation, and who thrives in a complex, mission-driven environment. The CISO reports directly to the Chief Information Officer (CIO).
The Chief Information Security Officer (0933 Manager V) performs the following essential job functions:
+ Provides strategic leadership in evaluating and mitigating information security threats across the organization using a structured, risk-based methodology. Advises executive leadership on identified risks and ensures timely execution of mitigation and remediation plans with integrity and discretion
+ Directs the ongoing development of the department’s information security program, including project portfolio management, incident response, policy frameworks, compliance activities, threat and vulnerability management, and third-party risk management
+ Allocates and manages resources to support a robust security strategy. Identifies and advocates for strategic investments, oversees capital and operating budgets, and delivers ROI analyses and budget recommendations
+ Partners with the Office of Compliance and Privacy Affairs to assess data security risks related to contracts, projects, artificial intelligence solutions, and other initiatives. Develops tools and interventions to mitigate risks, establishes performance metrics, and monitors compliance through audits and assessments
+ Builds alignment and support for security goals and initiatives across internal and external stakeholders. Communicates effectively with leadership at all levels on trends, risks, and the overall effectiveness of the security program
+ Promotes awareness and understanding of regulatory requirements across the organization. Leads or collaborates on testing and auditing activities to ensure ongoing compliance and successful certifications
+ Analyzes security requirements and ensures compliance with industry standards such as HIPAA, NIST, and PCI-DSS
+ Establishes and maintains comprehensive policies and procedures to support effective and sustainable security operations
+ Serves as the department’s representative in security-related matters with City agencies and partners
+ Continuously monitors emerging trends, technologies, and best practices in cybersecurity to ensure the department’s security posture remains current and effective
The Chief Information Security Officer (0933 Manager V) may perform other duties as assigned/required.
1. Education: Bachelor’s degree from an accredited college or university; AND
2. Experience: Five (5) years of professional healthcare information systems security experience, of which three (3) years must include supervising IT professionals.
Education Substitution: Additional experience as described above may be substituted for the required degree on a year-for-year basis. One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units.
Applicants must meet the minimum qualification requirements by the final filing date unless otherwise noted.
One-year full-time employment is equivalent to 2,000 hours (2,000 hours of qualifying work experience is based on a 40-hour work week).
Desirable Qualifications:
The stated desirable qualifications may be considered at the end of the selection process when candidates are referred for hiring:
+ Possession of a Certified Information Systems Security Professional (CISSP) and/or Certified Information Security Manager (CISM) certification
Verification of Education and Experience:
Every application is reviewed to ensure that you meet the minimum qualifications as listed in the job ad. Review SF Careers Employment Applications (https://careers.sf.gov/knowledge/#:~:text=Employment%20Applications%20and%20Minimum%20Qualifications) for considerations taken when reviewing applications.
Applicants may be required to submit verification of qualifying education and experience at any point during the recruitment and selection process. If education verification is required, information on how to verify education requirements, including verifying foreign education credits or degree equivalency, can be found at https://careers.sf.gov/knowledge/experience-education/.
Note: Falsifying one’s education, training, or work experience or attempted deception on the application may result in disqualification for this and future job opportunities with the City and County of San Francisco.
Selection Procedures:
After application submission, candidates deemed qualified must complete all subsequent steps to advance in this selection process, which include the following:
Supplemental Questionnaire (SQ) Examination (Weight: 100%)
Candidates that meet the minimum qualifications will be invited to participate in a Supplemental Questionnaire (SQ) examination that is designed to measure the knowledge, skills, and abilities in job related areas which may include but not be limited to: Knowledge of local, State and Federal laws and regulations relating to information security, including but not limited to HIPAA and HITECH; Knowledge of information security technology frameworks and standards, including but not limited to NIST, HITRUST, COBIT, ISO 27001, PCI-DSS or similar cyber security frameworks; Knowledge of technology relating to enterprise-wide information security protection; Knowledge of structured systems analysis and design practices and techniques; common operating systems software and relational database systems; hospitals or community health network environments; Ability to apply principles and practices of management, administration, budgeting, training, and personnel management; Ability to manage, supervise, train and coordinate complex functional area of responsibility and groups of employees; Ability to analyze and report on activities, issues and problems and recommend appropriate solutions; Ability to communicate effectively orally; Ability to communicate effectively in writing; Ability to exercise judgement, decisiveness and creativity required in situations involving the direction, control and planning of a program(s); manage critical timelines effectively; Ability to establish and maintain good working relationships with department personnel, staff, vendors, peers, and management, and engage and influence a broad range of stakeholders (e.g. HR, IT, Legal, Compliance, senior management, etc.).
Candidates must achieve a passing score on the Supplemental Questionnaire exam in order to continue in the selection process and will be placed on the confidential eligible list in rank order according to their final score.
Additional selection processes may be conducted by the hiring department prior to making final hiring decisions.
Certification
The certification rule for the eligible list resulting from this examination will be the Rule of the List.
Eligible List/Score Report:
A confidential eligible list of applicant names that have passed the civil service examination process will be created and used for certification purposes only. An examination score report will be established, so applicants can view the ranks, final scores, and number of eligible candidates. Applicant information, including names of applicants on the eligible list, shall not be made public unless required by law. However, an eligible list shall be made available for public inspection, upon request, once the eligible list is exhausted or expired and referrals resolved. The eligible list/score report resulting from this civil service examination process is subject to change after adoption (e.g., as a result of appeals), as directed by the Human Resources Director or the Civil Service Commission.
The duration of the eligible list resulting from this examination process will be six months and may be extended with the approval of the Human Resources Director.
To find Departments which use this classification, please see the city’s Position Counts by Job Codes and Departments. (https://sfdhr.org/sites/default/files/documents/Forms-Documents/Position-Counts-by-Job-Codes-and-Department-FY-2023-24.pdf)
Terms of Announcement and Appeal Rights:
Applicants must be guided solely by the provisions of this announcement, including requirements, time periods and other particulars, except when superseded by federal, state or local laws, rules, or regulations. Clerical errors may be corrected by posting the correction on the Department of Human Resources website at https://careers.sf.gov/.
The terms of this announcement may be appealed under Civil Service Rule 111A.35.1. The standard for the review of such appeals is ‘abuse of discretion’ or ‘no rational basis’ for establishing the position description, the minimum qualifications and/or the certification rule. Appeals must include a written statement of the item(s) being contested and the specific reason(s) why the cited item(s) constitute(s) abuse of discretion by the Human Resources Director. Appeals must be submitted directly to the Executive Officer of the Civil Service Commission within five business days of the announcement issuance date.
Additional information regarding Employment with the City and County of San Francisco:
+ Information about the Hiring Process (https://careers.sf.gov/knowledge/process/)
+ Conviction History
+ Employee Benefits Overview (https://sfdhr.org/benefits-overview)
+ Equal Employment Opportunity
+ Disaster Service Workers (https://careers.sf.gov/knowledge/#:~:text=a%20later%20date.-,Disaster%20Service%20Workers,-By%20State%20law)
+ ADA Accommodation
+ Right to Work (https://careers.sf.gov/knowledge/#:~:text=Identification/Right%20to%20Work)
+ Copies of Application Documents
+ Diversity Statement (https://sfdhr.org/recruitment-details#diversitystatement)
+ Veterans Preference
+ Seniority Credit in Promotional Exams
Where to Apply
All job applications for the City and County of San Francisco must be submitted through our online portal. Please visit https://careers.sf.gov/ to begin your application process.
Applicants may be contacted by email about this recruitment. Please consider using a personal email address that you check regularly rather than a work or school account.
Computers are available for the public (9:00 a.m. to 4:00 p.m. Monday through Friday) to file online applications in the lobby of the Dept. of Human Resources at 1 South Van Ness Avenue, 4th Floor and at the City Career Center at City Hall (https://www.sf.gov/city-career-center), 1 Dr. Carlton B. Goodlett Place, Room 110.
Ensure your application information is accurate, as changes may not be possible after submission. Your first and last name must match your legal ID for verification, and preferred names can be included in parentheses. Use your personal email address, not a shared or work email, to avoid unfixable issues.
Applicants will receive a confirmation email from [email protected] that their online application has been received in response to every announcement for which they file. Applicants should retain this confirmation email for their records. Failure to receive this email means that the online application was not submitted or received.
If you have any questions regarding this recruitment or application process, please contact the analyst, Marielle Saldajeno at [email protected] or (628) 271-6820.
We may use text messaging to communicate with you on the phone number provided in your application. The first message will ask you to opt in to text messaging.
The City and County of San Francisco encourages women, minorities and persons with disabilities to apply. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law.