AVP, Information Security (GRC) at Bright Health
Our Mission is to Make Healthcare Right. Together. Built upon the belief that by connecting and aligning the best local resources in healthcare delivery with the financing of care, we can deliver a superior consumer experience, lower costs, and optimized clinical outcomes.
What drives our mission? The company values we live and breathe every day. We keep it simple: Be Brave. Be Brilliant. Be Accountable. Be Inclusive. Be Collaborative.
If you share our passion for changing healthcare so all people can live healthy, brighter lives – apply to join our team.
SCOPE OF ROLE
The Associate Vice President, Cyber Security Governance, Risk, and Compliance (GRC) will be responsible for the management and daily operations of the GRC team. The team is responsible for assessing security risk, establishing security standards, and ensuring compliance against those standards across all disciplines of the information security domain. We are looking for a strategic leader who will be responsible for driving transformation in the way that the team manages work; driving shifts in the maturity of the control environment; and establishing best practices. You will be primarily responsible for enhancing and driving the security and resiliency risk management strategy, framework, tools, and processes. Reporting to the CISO, you will act as a trusted business advisor to engage leadership at all levels of the organization and build/manage relationships across other departments and businesses.
The AVP, Governance, Risk, and Compliance is someone who has experience building and leading cyber security teams and who is proactive, inclusive, and accountable for developing, maintaining, and carrying out the Risk Management strategic plan. This person will be delivering policy, processes, tools, technology, and human resources to a broad section of collaborators in the organization.
- Recruit, manage, mentor, and lead a team responsible for the implementation of risk management strategy, High Value Asset protection and governance reporting.
- Oversee and ensure that effective internal controls and regulatory compliance are maintained across the enterprise, following a risk-based approach in accordance with established company policies and procedures.
- Establish cross-functional governance and develop executive and management-level reporting materials and GRC dashboards that report routinely the organization's security and resiliency risk posture, including risk reduction trends and risk mitigation status; develop Key Risk Indicators (KRI) processes to inform management and executives of the changing risk landscape.
- Define and implement a security and resiliency risk management framework that includes alignment with business strategies and adoption of a common risk methodology, processes, and taxonomy; own reporting that drives risk buy-down, and GRC strategy in support of annual planning cycles.
- Coordinate audit-related tasks to ensure the readiness of managers and their teams for audit testing, and facilitate the timely resolution of any audit findings.
- Improve methods of capturing and presenting the status of key compliance requirements in order to provide leadership with clear, concise data that enables appropriate decision making.
EDUCATION, TRAINING, EXPERIENCE
- Bachelor’s degree in computer science, engineering, or business administration, or related field, or equivalent combination of education and experience.
- 10+ years of relevant work experience, including substantial work in information strategy, governance, risk, and compliance
- 5+ years' experience running a security GRC department in a fast-changing environment where new services and technologies are constantly being onboarded and matured.
- Experience with AuditBoard a plus
- Expert knowledge of at least one scripting language is essential
- Deep understanding and practical experience working with Sarbanes-Oxley (SOX), HITRUST, MARS-E, FedRAMP, HIPAA, and NIST-CSF frameworks, and with risk assessment activities.
- Experience supporting security controls, compliance, and audit activity within a service provider organization with multiple technologies and architectures, including Windows, Unix/Linux, VMWare, Oracle, SQL, IPS/IDS, DLP, and other security technologies.
- Expert level knowledge regarding the implementation, deployment, and usage of security tools and programs
- Strong knowledge of Windows, Linux and OSX operating systems.
- Experience in large scale compliance or auditing environments
- Experience performing vulnerability assessments, QA testing, implementations, and validations.
- Strategic leader with experience leading change and delivering high quality results.
- Demonstrable experience operating in a complex, federated global organization with a geographically dispersed team.
- Successful track record of partnership across organizations to build trust and achieve shared goals.
- Ability to take unpopular positions, when necessary, influence others to support these decisions, and maintain trust and credibility.
- Excellent communications and presentation skills. Able to communicate sophisticated and technical issues effectively and concisely to executives.
- Experience in facilitating Executive Leadership meetings.
- High professional standards and expectations for self and others.
- Professional stature and gravitas to collaborate with and influence team members with credibility and confidence.
LICENSES AND CERTIFICATIONS
- Certified Information System Security Professional (CISSP)
- Health Care Information Security Privacy Practitioner (HCISPP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control
We understand patient pain points, eliminating complexity while increasing transparency, for greater access and easier navigation.
We integrate and align individual incentives at all levels, from financing to optimization to delivery of care.