• Cybersecurity Director (Remote)

    CareFirst (Baltimore, MD)


    Resp & Qualifications

    PURPOSE:

    Responsible for strategic direction of cybersecurity programs and monitoring of programs to ensure that risks associated with corporate systems and processes are anticipated, recognized, and appropriately managed and mitigated. This role requires the ability to work cross-functionally with IT teams, and key stakeholders delivering clear recommendations to improve results. Responsible for planning, developing, mentoring, leading and monitoring work of the department and its management.

    ESSENTIAL FUNCTIONS:

    + Partner with internal and external groups that periodically assess control effectiveness to ensure that these assessments are conducted in a smooth and efficient manner and that any issues and exceptions identified in the operation of controls are promptly and enduringly corrected.

    + Develop and maintain strategy and approach for improving efficiency and value add of the team. Ensures organizational procedures are aligned to maintain compliance with industry standards and contractual and regulatory requirements. Act as a trusted advisor to business and technology leadership on the design and effective operation of controls.

    + Works with senior and executive leadership to determine long-range goals and develop action plans for implementation. Determines and pursues courses of action essential in obtaining desired organizational results. Takes calculated risks.

    + Represents the organization as the primary contact. Interacts with management and senior value-chain partners on matters requiring coordination across organizational lines. Achievement of objectives requires ability to influence others both internally and potentially externally. Holds internal and external stakeholders accountable for cybersecurity effectiveness and makes recommendations for improvement as appropriate.

    + Directs managers and other subordinate staff members in the day-to-day operations of cybersecurity.

    SUPERVISORY RESPONSIBILITY:

    This position manages people.

    QUALIFICATIONS:

    **Education Level:** Bachelor's Degree in Computer Science, Information Technology, or related field OR in lieu of a Bachelor's degree, an additional 4 years of relevant work experience is required in addition to the required work experience.

    **Experience:** 8 years Related professional experience. 3 years Management experience.

    Preferred Qualifications:

    + Master's degree

    + Knowledge and work experience managing resources using several of the following frameworks/regulations: NIST Special Publication 800-53 Rev. 4 /5 Security and Privacy Controls for Information Systems and Organizations, HIPAA Security and Privacy Final Rule (45 CFR Part 164), NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, HITRUST, FedRAMP, SOC Reports, NIST CSF, NIST RMF, FedRAMP, HITRUST, CIS benchmarks, CIS Top 20, Cloud Controls Matrix (CCM), COBIT, CMMC, CMMI, ISO 27001

    + Various privacy frameworks: GDPR, CCPA, others

    + Knowledge of System Security Plans based on NIST 800-171, 800-53, and FedRAMP.

    + Experience in managing staff responsible for cybersecurity and privacy risk assessments, risk exception and acceptance requests.

    + Familiarity with SIG, SOC2 Type 2, and other security attestation documents and software systems to support vendor assessments and third-party risk management.

    + Skilled at working with a variety of stakeholders (internal and external to the organization) to influence change, understand and assess cybersecurity strengths, weaknesses, and gaps in adherence to controls with the ability to deliver solutions addressing identified security coverage gaps with a proven ability to deliver desired results.

    + Disciplined and seasoned in change management practices,

    + Cyber security business and systems subject matter management expertise especially in Application Security, Data Security, Data Governance, and Network Security domains.

    + Experience with responding to internal and external audit requests, working with, and communicating to auditors and assessors, understanding the extent of appropriate evidence needed to satisfy audit and assessment requests.

    + Experience with working with cybersecurity specific risk registers and analyzing risks to the organization on a cost / benefit basis.

    + Experience with GRC (Governance, Risk, and Compliance) systems or ITRM (Information Technology Risk Management) systems.

    + Excellent written skills to develop, review, and refine cybersecurity standards, SOPs, and policies with communication skills (verbal and written) to communicate to all levels of the organization.

    + Excellent interpersonal skills including the ability to build consensus and agreement and bring resolution to contentious issues and entrenched interests.

    + Proven experience supporting cybersecurity risk and governance teams and peer management with demonstrated business process, workflow, task analysis, and metrics/results measurement.

    + Excellent organizational, analytic, and problem-solving skills with the ability to set staff and direct line management priorities and handle multiple projects concurrently with attention to detail.

    + Ability to anticipate cybersecurity governance needs and enact action plans before they become organizational problems

    + Knowledge of AGILE and/or other SDLC methodologies.

    + Knowledge of cloud security controls (AWS / Azure)

    + Experience in reviewing and performing / supervising risk analysis for AI based projects, applications, and models to discover and design or usage issues that may expose the organization to undue risk.

    Knowledge, Skills and Abilities (KSAs)

    + Ability to multitask and manage multiple IT vendor relationships.

    + Ability to lead and work as part of a team.

    + Ability to execute technology and tool automation processes.

    + Deep knowledge of risk treatment and mitigation strategies.

    + Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity.

    + Thorough understanding of cyber threats and vulnerabilities.

    + Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence. Must be able to effectively communicate and provide positive customer service to every internal and external customer, including customers who may be demanding or otherwise challenging.

    **Salary Range:** $164,240 - $304,871

     

    Salary Range Disclaimer

     

    The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the work is being performed. This compensation range is specific and considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, internal peer equity, and market and business consideration. It is not typical for an individual to be hired at the top of the range, as compensation decisions depend on each case's facts and circumstances, including but not limited to experience, internal equity, and location. In addition to your compensation, CareFirst offers a comprehensive benefits package, various incentive programs/plans, and 401k contribution programs/plans (all benefits/incentives are subject to eligibility requirements).

     

    Department

     

    Governance, Risk & Compliance

     

    Equal Employment Opportunity

     

    CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

     

    Where To Apply

     

    Please visit our website to apply: www.carefirst.com/careers

     

    Federal Disc/Physical Demand

     

    Note: The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.

    PHYSICAL DEMANDS:

    The associate is primarily seated while performing the duties of the position. Occasional walking or standing is required. The hands are regularly used to write, type, key and handle or feel small controls and objects. The associate must frequently talk and hear. Weights up to 25 pounds are occasionally lifted.

     

    Sponsorship in US

     

    Must be eligible to work in the U.S. without Sponsorship

    \#LI-MK1

    REQNUMBER: 21555