Advertised Summary Job Description: As a member of the Columbia University Medical Center (CUMC) Information Security Office leadership team, the Information Security Risk Manager will report to the Chief Information Security Officer and will manage the Risk Analysis team at CUMC. The Risk Analysis team is a critical component of the Information Security Office (ISO) and Columbia University's overall information security program.
In this hands-on position, you will manage and also directly participate in the risk analysis process, to ensure information systems, platforms, and processes operate in accordance with established regulations and organizational standards. You will evaluate IT infrastructure in terms of risk to the organization and establish controls to protect CUMC data while aligning those initiatives to CUMC's core organizational mission of Research, Care and Education. You will be expected to determine and recommend improvements in the risk management program.
Additionally, as a member of the leadership team, you will assist the CISO with strategic security planning, enterprise security risk management, and maintenance of security standards and processes for CUMC.
You will be expected to work independently with minimal supervision. You must be creative and innovative at conducting a high volume of risk analyses while reporting accurate and relevant risks to the appropriate constituents.
The ideal candidate will be detail-oriented with a strong background in security risk management and risk assessment (preferably with quantitative risk assessment experience), a good understanding of HIPAA and related regulations, and experience operating in a healthcare or HIPAA-compliant entity, or a research-heavy higher-education institution.
General Minimum Qualifications: BA or BS in Computer Science, Engineering, or related field, and a minimum of seven years of experience.
Additional Specific Minimum Qualifications: To be considered, a candidate should meet most or all of these criteria.
- Solid information security risk assessment and risk management experience.
- Proven success developing and managing a collaborative team of information security professionals; experience delegating and managing workflow.
- Experience in hiring, evaluating, and training security professionals; good understanding of information security career paths and appropriate professional development activities for information security risk professionals.
- Ability to clearly articulate and report on risk to technical, non-technical, and executive stakeholders.
- Solid understanding of the threat landscape; familiarity with a regulatory and compliance environment (HIPAA/HITECH/Omnibus, etc.) a plus.
- Excellent critical and lateral thinking skills; experience with, and preference for, data-driven decision-making.
- Solid oral and written communication skills.
- Ability to manage multiple projects, objectives, and tasks simultaneously.
- Ability to set your own and your team's goals and objectives to achieve a shared vision in line with the strategy, principles, and overall goals of the Information Security Office.
Preferred Qualifications: While none of these qualifications are required, the more a candidate has under their belt, the higher priority their application will be given.
- Experience working in a HIPAA/HITECH/Omnibus-regulated environment. Functional knowledge of other relevant compliance regulations (PCI, FERPA, data breach acts, FISMA) and security standards (HITRUST, PCI-DSS, ISO 27001/2, NIST). Experience working in an academic medical center or hospital environment a plus.
- In-depth knowledge of IT GRC technology; specific experience with RSAM a plus.
- Demonstrated success executing risk assessments at scale.
- Understanding of, and strong opinions regarding, the strengths and weaknesses of current practices in information security risk management, including quantitative and qualitative approaches to risk assessment. Knowledge of the FAIR risk assessment methodology a plus.
- General understanding of probability and statistics; experience using statistical methods in risk assessment (e.g., Monte Carlo simulations) a plus.
- General understanding of one or more other relevant disciplines (e.g., actuarial science, decision theory, measurement theory, economics, psychology).
- Understanding of information security assessment methodologies and tools (port scanners, network scanners, web application scanners, etc.); experience performing vulnerability assessments or penetration tests a plus.
- Experience with wikis or other workflow and documentation systems; specific experience with SharePoint and ServiceNow a plus.
- Experience with public speaking and group training.
- Experience with budgeting, financing, and resource management.
- Relevant advanced degree (MS, PhD, JD).
- Security-specific industry certification; preference for GIAC (any certification) or CISSP.
- Experience in an academic medical center.
As a member of the National Collegiate Athletic Association (NCAA) and the Council of Ivy Group Presidents (Ivy League), it is imperative that members of the Columbia University community, in all matters related to the intercollegiate athletics program, exhibit the highest professional standards and ethical behavior with regard to adherence to NCAA, Conference, University, and Department of Intercollegiate Athletics and Physical Education rules and regulations.
Columbia University is an Equal Opportunity/Affirmative Action employer.
Columbia University is one of the world's most important centers of research and at the same time a distinctive and distinguished learning environment for undergraduates and graduate students in many scholarly and professional fields. The University recognizes the importance of its location in New York City and seeks to link its research and teaching to the vast resources of a great metropolis. It... seeks to attract a diverse and international faculty and student body, to support research and teaching on global issues, and to create academic relationships with many countries and regions. It expects all areas of the university to advance knowledge and learning at the highest level and to convey the products of its efforts to the world.