Executive/C-Suite (CxO), IT Compliance, Information Security
4 Year Degree/Bachelor Degree
Job Description: Information technology plays a vital and ever-expanding role at the San Francisco Department of Public Health. The San Francisco Department of Public Health’s information technology environment is a highly diverse and complex set of components that require strong leadership. We are seeking a strong, knowledgeable leader to provide vision, strategy, broad-based planning, and hands-on responsibility as the Chief Information Security Officer (CISO). The CISO reports directly to the Chief Information Officer (CIO) and has a dotted-line reporting relationship to the DPH Compliance and Privacy Affairs Chief Integrity Officer. The DPH CISO also supports and consults with the City CISO in city-wide cybersecurity efforts and participates in the Citywide Cybersecurity Forum. The CISO is a member of the DPH IT leadership team and serves a key leadership role.
The CISO is an advocate for DPH's total information security needs and is responsible for the development and delivery of a comprehensive information security strategy to optimize the security posture of DPH within the cybersecurity framework established by the City Cybersecurity Policy. The CISO leads the development and implementation of a departmental security program that leverages collaboration, facilitates information security governance, advises DPH senior leadership on security direction and resource investments to capitalize on Citywide cybersecurity investments, and designs appropriate policies to manage information security risk in alignment with the Citywide Cybersecurity requirements. The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the organization level.
Important and Essential Duties:
Use a risk-based approach to provide leadership, direction and prioritization in assessing and evaluating information security risks across the organization with a high level of integrity and discretion, advising and consulting with executives on identified risks and ensuring the execution of agreed-upon mitigation/remediation steps.
Oversee the ongoing strategic development of the information security project portfolio, departmental incident response and security policy frameworks (in alignment with Citywide Cybersecurity policies), security compliance activities, departmental threat and vulnerability management, and the departmental information security training and awareness program, including specialized triaging in areas of high criticality in close partnership with IT Security Operations and the Citywide Cybersecurity Team.
Direct and allocate resources that achieve a robust security strategy by identifying and advocating for investments, capitalizing on Citywide cybersecurity investments, aggressively managing capital and operating budgets, and providing thorough Return on Investment (ROI) analysis and IT budget recommendations.
Collaborate with DPH’s Office of Compliance and Privacy Affairs to assess data security risks as they relate to agreements, projects and initiatives, and develop tools and interventions to mitigate those risks; develop key performance criteria and metrics; perform audits and monitor security compliance activities.
Create alignment and support for the DPH security program goals, initiatives and strategies, effectively balancing the needs of internal and external stakeholders and informing leadership at all levels on efforts and trends impacting the overall effectiveness of the information security programs.
Promote understanding of regulatory requirements across the organization, leading and/or collaborating with cross-functional teams and senior business leaders to ensure execution of required testing and auditing activities by internal and external parties, leading to the successful certification and/or compliance of the organization on an ongoing basis.
Develop departmental cybersecurity requirements in alignment with the Citywide cybersecurity requirements and with regulatory requirements to ensure enterprise and product compliance with industry standards including HIPAA, HITRUST, ISO 27001, NIST, PCI-DSS and other security standards.
Partner with the Citywide Cybersecurity team to monitor external and emerging threats and take the appropriate course of action and communication.
Oversee business continuity and disaster recovery policy management to support departmental compliance with Citywide Disaster Recovery policy, training, testing and coordination with agencies and staff for disaster planning and preparation.
Develop and coordinate plans for DPH incident response within the City cybersecurity incident response framework to ensure that business critical services can be maintained.
Participate in and support the protection of data assets on premises, in the cloud, and in coordination with third parties.
Ensure project management includes processes to manage security risks.
Manage contract and vendor negotiations ensuring ongoing contract security standards and close coordination with legal and risk management.
Develop, implement and maintain departmental policies (on a routine cadence) to support Citywide Cybersecurity policies and departmental procedures in order to ensure effective security program operations.
Actively represent DPH in security-related matters with the Citywide CISO and in the Citywide Cybersecurity Forum, with City partners, internal and external customers, and industry groups; be visible and enhance the organization’s external standing in the information security space.
Provide regular reporting on the current status of the information security program to risk teams and senior DPH leaders to support ongoing security strategy and management.
Stay current with industry trends and the latest information security practices and standards to ensure solutions incorporate effective use of technology.
Minimum Qualifications: (Must Meet to be Considered)
Education: Bachelor's in business, computer engineering, computer science or any related field.
Experience: A minimum of eight (8) years in information technology security, including:
Five (5) years of Healthcare IT security experience.
Three (3) years of experience supervising Healthcare IT security professionals.
Substitution: Additional experience as described above may substitute for the required degree on a year-for-year basis. One (1) year is equivalent to thirty (30) semester units / forty-five (45) quarter units.
A graduate degree in business, engineering, or any related field may substitute for one (1) year of the required non-supervisory experience.
Desirable Qualifications: The following desirable qualifications may be used to identify job finalists at the end of the selection process when candidates are referred for hiring.
Project management experience.
Financial and budget management experience.
Executive leadership training or Graduate degree.
Professional security management certification is desirable (CISSP, CISM, CISA).
Additional Salary Information: Compensation and Benefits:
The normal annual salary range is $139,620.00 - $178,230.00/year. Appointment above the maximum of the normal range may be considered based on documented and substantiated recruitment and retention issues or exceptional skills, at $178,256 - $206,284. A special approval process is necessary for appointment above the normal salary range.
In addition to a competitive salary, the City and County of San Francisco offers flexible benefit plans with pre-tax elections which include: medical and dental insurance; retirement plan; deferred compensation plan; Social Security; long-term disability plan; life insurance; management training program; eleven (11) paid holidays annually; five (5) floating holidays; depending on years of service, ten (10), fifteen (15), or twenty (20) vacation days annually; and may earn up to 100 hours paid administrative leave annually.
http://sfdhr.org/sites/default/files/MEA%20Executive%20Benefit%20Summary%20%28FY16-17%29.pdf
Employer does not assist with relocation costs.
About San Francisco Department of Public Health
The Mission of the San Francisco Department of Public Health (SFDPH) is to protect and promote the health of all San Franciscans. SFDPH strives to achieve its mission through the work of two main Divisions – the San Francisco Health Network and Population Health.
The San Francisco Health Network is the City’s only complete system of care and has locations throughout the City, including Zuckerberg San Francisco General Hospital and Trauma Center, Laguna Honda Hospital and Rehabilitation Center, and over 15 primary care health centers.
With a broad community focus, the ultimate goal of the Population Health Division is to ensure that San Franciscans have optimal health and wellness at every stage of life, and to achieve this, the Division is comprised of various branches dedicated to core public health services for the City and County of San Francisco, such as health protection and promotion, disease and injury prevention, disaster preparedness and response, and environmental health services.