CISM - Certified Information Security Manager
CSX-P - Cybersecurity Practitioner Certification
The Lead Cyber Risk Management Analyst is an integral part of the Information Security team and helps improve the maturity level of technology risk practices across the enterprise as the organization continues to grow at a rapid pace. The Analyst is responsible for adhering to regulatory guidance for identifying, managing, and reporting on risks impacting the organization’s strategy and operations, consistent with a commitment to maintain a high standard of compliance with all applicable laws and regulations, as well as overall sound risk management. Works collaboratively with various stakeholders and levels across the organization to execute a risk-based methodology for identifying, measuring, and managing the various types of third-party and information risk to the organization. The Lead Cyber Risk Management Analyst is responsible for providing guidance to business decision-makers on issues and on the development of risk mitigation strategies. May develop or assist with evaluating policies, processes and standards to reduce risk and ensure information confidentiality, integrity and availability.
Perform and oversee quantitative security reviews on new applications and devices, assessing technologies, processes, risks and controls; monitor evolving risks and threats maintained within the risk register, including third-party risks, and collaborate with business owners on threat mitigation strategies. Recommend enhancements and improvements to the security review process. Mentor and train lower-level staff on performing comprehensive and in-depth security reviews.
Coordinate and perform information security risk assessments to ensure that controls surrounding data protection, privacy, and access (among other areas) are compliant with corporate standards and risk appetite, as well as regulatory requirements. Decompose complex risk issues and work with security, technology, and application teams to recommend, develop and track remediation plans to address the identified vulnerabilities.
Develop, coordinate, plan and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls. Develop risk mitigation plans and strategy in conjunction with the relevant third parties and track to timely remediation.
Perform in-depth reviews and analysis of contracts and agreements to support the business when selecting vendors in order to proactively identify information security risks prior to contracting with a third party. Collaborate with the Legal and Supply Chain teams to negotiate third-party contracts in accordance with the policies, goals, and objectives of the security program.
Contribute to the development of operational data quality standards, metrics, and supporting processes. Prepare and develop executive-level metrics reports and periodic communication to leadership and governing committees. Analyze the risk-based metrics, scorecards and dashboards to track performance and monitor trends.
Support the execution and continual enhancement of an information security risk assessment program, with emphasis on compliance with the HIPAA Security Rule, NIST 800-53 and Cybersecurity Framework. Recommend and implement process and control improvements (e.g., preventative/detective and automated/manual) to mature the risk management program.
Act as Technology and Cybersecurity Risk Subject Matter Expert on assigned projects and working groups, developing a positive working relationship with internal clients, staff, peers, and management. Prepare reports, presentations and communication to leadership, stakeholders, and governing committees.
Proactively work with technology and business unit professionals to identify and assess technology and cybersecurity risks associated with business activities, ensuring alignment with information security risk and privacy frameworks. Provide guidance and support initiatives leading to the adoption and execution of new and existing information protection policy requirements. Serve as an advisor to process owners, providing expertise with respect to risks and controls, analyzing the impact of process changes on the control structure, and bringing forth opportunities to better the business and influence decisions regarding IT governance and compliance.
Develop, maintain and perform testing of the security risk register, supporting tooling and automation. Research, recommend and coordinate the implementation of new tools as well as the corresponding workflows, processes and procedures.
Maintain a high level of technical knowledge through ongoing research and development activities; maintain a deep understanding and advanced knowledge of commonly used IT governance, risk and compliance frameworks.
Respond to emergency situations when they arise and assist in resolving problems as required.
Assist in special projects or assignments within other areas of Information Security or possibly outside of Information Security.
Occasional travel required.
Minimum of 10 years' experience in an information security risk management role.
Bachelor’s degree in a technology or information security related field, or 11 years of related work experience, required.
Requires a solid understanding of, and demonstrated experience working with, information security legal and regulatory requirements such as HIPAA, FIPA, and PCI-DSS, as well as advanced knowledge of and several years' experience working with frameworks such as NIST, ISO, COBIT, or HITRUST.
The position requires an advanced level of technical knowledge in the areas of network, operating system, database, identity management, Internet/web, cloud and endpoint security. Experience with industry-standard enterprise risk assessment and management solutions is required.
Ability to partner with and influence others to build consensus, utilizing strong analytical skills and a demonstrated aptitude for identifying and interpreting enterprise risks and mitigating controls, including evolving risks, threats, vulnerabilities, impact, and emerging technologies.
Excellent written, oral and presentation skills and an ability to synthesize information to assist in making clear, concise recommendations on courses of action or mitigation.
Ability to effectively prioritize and maintain focus on multiple tasks while working in an agile environment with a diverse set of stakeholders, as well as an ability to work both independently and as part of a team.
Certifications such as CISSP, CRISC, CISM, CISA, CSX-P, CAP are desirable.
Baptist Health South Florida is once again one of the 2021 Fortune 100 Best Companies to Work For! This is the 21st time Baptist Health has been recognized on the list. We have also been recognized for being among the best healthcare providers in the nation by U.S. News & World Report in its 2020-2021 Best Hospitals, and have been honored as one of PEOPLE's 2020 50 Companies that Care by PEOPLE magazine and Great Place to Work. Baptist Health South Florida is the region's largest not-for-profit healthcare organization, with more than 23,000 employees working across 11 hospital campuses and more than 100 outpatient facilities throughout Miami-Dade, Monroe, Broward, and Palm Beach counties. In 2016 we welcomed the newest weapon in the fight against cancer, the world-class Miami Cancer Institute and proton therapy center. Everything we do at Baptist Health, we do to the best of our ability. That includes supporting our team with extensive training programs, millions of dollars in tuition assistance, comprehensive benefits, and more. Working within our award-winning culture means getting the respect and support you need to do your best work ever. Find out why this is the best place to be your best!