VP Chief Information Security Officer


Job Description

The Chief Information Security Officer (CISO) is responsible for all aspects of information security, business continuity, information privacy, governance, risk and compliance activities at Company. The CISO has the added responsibility of coordinating our system-wide information security policies, procedures and compliance activities across the Blue system nationally, spanning 35 BCBS Licensees (Plans) and additional Non-Plan Entities (NPEs). This is a senior executive level role with significant responsibility for protecting not only the privacy of our members but also the operational integrity of our coordinated Blues system.

  • Responsible for leading the Information Security team within Company. This includes the Security Architecture, Application Security, Governance Risk & Compliance, Business Continuity, Security Engineering, and Cyberdefense functions. These teams manage policies, processes and operational information security activities, protecting the significant application and data assets of the Association.
  • Responsible for advancing Cybersecurity maturity across the 35 Plans and various NPEs that comprise the BCBS system by constructing, collaborating on, sharing, and implementing system-wide protections that ensure an appropriate ability to defend and respond is in place in the event of a security incident. This includes the development and enforcement of system-wide policies and the development of shared services which serve to increase system-wide cybersecurity capability.
  • Serve as the lead security executive for BCBSA, responsible for leading an effective corporate-wide initiative and instilling a culture of security throughout the company, leveraging close relationships with the executive leadership team.
  • Serve as the primary security leader for system-wide security, owning and leading key governance committees and working groups that support Blues system goal setting and collective action. This includes the Cybersecurity Sub-Committee, a board-reporting sub-committee with the charter to advance system-wide cybersecurity; and the CISO Working Group, a group of the 40+ Chief Information Security Officers that comprise system-wide security leadership.
  • Responsible for maintaining knowledge of contemporary security threats, including but not limited to data theft or breaches, espionage, ransomware, hacking, or attacks that could compromise availability of sensitive data, operational, administrative or clinical business processes and systems.
  • Provides technical oversight and is responsible for establishing, leading, and managing the security and privacy of all personally sensitive and proprietary data, securing and ensuring the ongoing continuous operation of all manner of Association data systems, networks, databases, source code, and confidential health data against internal or external threats.
  • Serves as a thought leader, partner, collaborator and advocate of the CISO community across the Blues system and externally, bringing together our Plan information security leaders and aligning objectives, outcomes and improvements to strengthen the system as a whole.


Responsibilities include but are not limited to:

  • Accountable to the CEO and Board of Directors for strategic planning, development, implementation and ongoing management of business continuity, global security services, and related information privacy solutions. Identify related goals, objectives and metrics consistent with the corporate strategic plan. Identify, define, and implement a national set of business continuity and security policies and standards.
  • Responsible for developing and implementing a response strategy and action plan for addressing any disruption related to the continuous operation of business, data breaches, and security incidents. This includes developing response plans, the testing of those plans, and leading the recovery efforts as required. Responsible for all aspects of this plan for the Association and National Program assets as well as the training of internal resources and engagement of external alliance partners who have any role in our operations.
  • Maintain current knowledge of the continuous operation of systems and security of information amidst the changing threat landscape; must track new developments in rapidly changing information technologies and implement improvements related to continuous operation, intrusion detection/prevention, data loss detection/prevention, remote access forensics, malware detection/prevention, security event management, authentication, access control, secure software scanning, audit logs, external/internal web host scanning, disaster recovery preparedness, business continuity assurance, vulnerability management, and risk reporting.
  • Develop, maintain, and publish all corporate-level operational standards, procedures, and guidelines, including compliance monitoring procedures for business continuity, privacy, and security; assist in resolving business disruptions and security policy issues, and in the ongoing maintenance of all associated procedures. Responsible for setting business continuity and information security strategic objectives and direction for all technology platforms across all business units.
  • Act as the liaison with key interest groups, customers, regulators, and stakeholders at the CIO/CISO level to communicate and negotiate security requirements and compliance. Partner with all departments, including Supplier Alliance, to define standards and processes and provide subject-matter expertise to oversee all third-party business continuity, information security risk, assessment, and guidelines.
  • In conjunction with internal and external audit, perform regularly scheduled audits of third-party service providers' business continuity, information security, and privacy controls.
  • Budget: Responsible for developing and managing information security budgets and monitoring them for variances for the enterprise. Create executive level reporting to communicate a portfolio view of all security budgets.
  • Participate in planning and execution of other Operations initiatives as part of the Operations Leadership team.
  • Must stay informed of all business continuity, security, and privacy threats and be able to address any related issues quickly and decisively. Proactively assess all security weaknesses and collaborate on, develop, and implement risk remediation plans amidst a rapidly changing work environment.
  • Create a data classification framework for roles and responsibilities, including: information ownership, classification, accountability and protection.
  • Team development and management: build upon current talent, leveraging existing skill sets, and strategize to develop future talent needs.
  • Create, manage and implement training programs across the organization to ensure staff comply with and follow established protocols.


Required Basic Qualifications:

  • 10 years of experience in managing business continuity, information security, and privacy initiatives
  • Must be familiar with a variety of IT Security concepts, practices, and procedures
  • Must have a thorough knowledge of PHI data, HITECH enforcement, and Office of Civil Rights compliance obligations
  • 4-year College Degree

Preferred Basic Qualifications:

  • Thorough understanding of the concepts and considerations required to prepare for and lead a business recovery and/or security or privacy breach incident response
  • Master's Degree

Job Requirements