All across UW Medicine, our employees collaborate to perform the highest quality work with integrity and compassion and to create a respectful, welcoming environment where every patient, family, student and colleague is valued and honored.
UW Medicine’s IT Services department has an outstanding opportunity for an Enterprise Information Security Manager to join the team!
UW Medicine’s Information Technology Services (ITS) department is a shared services organization that supports all of UW Medicine. UW Medicine is comprised of Harborview Medical Center (HMC), UW Medical Center-Montlake Campus (UWMC-Montlake), UW Medical Center-Northwest Campus (UWMC-NW), Valley Medical Center (VMC), UW Neighborhood Clinics (UWNC), UW Physicians (UWP), UW School of Medicine (SOM) and Airlift Northwest (ALNW). In addition, UW Medicine shares in the ownership and governance of Children’s University Medical Group and Seattle Cancer Care Alliance (a partnership between UW Medicine, Fred Hutchinson Cancer Research and Seattle Children’s). ITS is responsible for the ongoing support and maintenance of the infrastructure and applications which support all of these institutions, along with the implementation of new services and applications that are used to support and further the UW Medicine mission.
In collaboration with UW Medicine IT Services (‘ITS’) and under the general guidance of the Director of Information Security Program, the primary focus of the Manager, Enterprise Information Security (‘Manager’) is to define, manage, and mature information security services, controls, reporting, and related activities. The Enterprise Information Security Manager provides management and technical leadership to matrixed resources and dedicated teams of Cybersecurity Analysts and Engineers across the enterprise, with a focus on ensuring the confidentiality, integrity, and availability of information and systems.
Areas of responsibility include, but are not limited to:
Lead (direct incident response for all internal and external reports of information security events.
Provide forensic incident response services for all of UW Medicine and partner entities.
Facilitate enterprise compliance requirements through collaborative governance and consulting activities; address specific information assurance, risk management, and related compliance issues including management of enterprise policy/standards, information security risk assessment, and audits.
Grow and mentor a diverse team of professionals through responsible hiring, management, and development activities.
Manage 3rd party relationships and maintain an operational budget for information security vendors, tools, and services.
Manage, report on, and proactively mature a portfolio to include vulnerability management, threat assessment and management, awareness and training, risk management, and incident response/forensics.
Optimize new and existing resource opportunities for building and sustaining effective information security activities, including establishing and maintaining partnerships with key professionals.
The individual is expected to demonstrate comprehensive knowledge and experience with:
vulnerability assessment methodologies and related tools;
risk assessment methodologies and related tools;
digital forensic investigations using industry standard software tools;
technical implications of compromised systems and network services especially associated with potential information security breaches;
security awareness and training approaches and tools; and
metrics and reporting methods and KRIs/KPIs for operational, tactical, and strategic audiences.
Program Management and Operations (30%)
Implement, manage, and mature the information security program and service portfolio in accordance with UW Medicine’s information risk and asset protection needs, including risk management, governance, threat management, vulnerability management, awareness and training and incident response.
Direct information security projects, balancing internal and external dependencies and timelines to meet objectives.
Manage the remediation process, create reports, and provides oversight of IT Services efforts to address and mitigate risks.
Ensures that UW Medicine’s assets (i.e. business activities, key services, key people, business partners, applications, and data) are identified and reports on specific information security risks and threats related to the assets.
Collaborate with external stakeholders to facilitate access to relevant and timely information security threat information.
Monitor the broad "threat landscape" and experiences in the field for potential threat information relevant to the UW Medicine’s risk exposures.
Manage and ensure adequate institutional coverage for automated vulnerability scanning, customized vulnerability assessment, and penetration testing.
Directs the timely response and investigation efforts for security incidents, breaches, and forensics to meet all regulatory and business requirements and minimize their impact.
Cooperate with and assure the timely response to UW CISO and UW Medicine Compliance investigations of security incidents involving confidential electronic information.
Ensure that information security strategies and processes meet all regulatory and business requirements so that the impacts of incidents are minimized.
Develop procedures for incident response to meet regulatory needs. Manage and expand the digital forensic services.
Evaluate new tools and external services, recommends purchases and subscriptions, stays current on latest technologies, and collaborates with external subject matter experts on digital forensics methodologies and best practices.
Leadership and Strategy (25%)
Participate in groups and committees to represent risk and security both as an enterprise shared service and critical partner for other enterprise initiatives.
Serve as a liaison for healthcare IT risk and security with UW campuses, UW Medicine business stakeholders, research affiliates, Privacy, Compliance, and Audit groups.
Act as an expert resource for engineers and analysts working on complex technical issues spanning all ITS technologies.
Manage, monitor, and sustain vendor/supplier relationships and contracts for hardware, software, connectivity, and services relevant to the enterprise information security program.
Facilitate the development and execution of roadmaps for enterprise security services and distributed security architecture.
Conduct reporting to ensure visibility for leadership, institutional affiliates, stakeholders, and customers. Regularly review and evaluate data to provide awareness, analysis, planning, set service expectations, and improve performance.
Personnel Management (20%)
Lead, organize, and motivate multiple teams of information security professionals, including Leads, cybersecurity engineers and analysts (7-9 staff), matrix resources, and student workers.
Instill UW Medicine and ITS vision and guiding principles to all staff; implement mission-oriented HR practices.
Promote an environment that is attractive to the employee and that facilitates the recruitment and retention of professional, technical, and support staff. This includes, but is not limited to, staff development, recognition, motivation, and communications.
Make hiring decisions and recommendations for separations, reclassification recommendations, salary adjustment recommendations, handle complaints and grievances as well as generally planning, assigning, and approving the work of these positions.
Recruit, hire, train, coach, motivate, and manage performance of permanent, temporary, and contract staff.
Conduct performance evaluations and measuring on a regular basis, and other standard practices, consistent with all ITS teams.
Identifies and puts remediation plans in place to ensure optimal performance of staff and consultant resources.
Monitor resource requirements across operational and project activities and proactively adjust as appropriate and in alignment with UW Medicine priorities.
Creates processes and programs that encourage creativity, teamwork, collaboration, diversity, and value delivery.
Develop, mentor, and grow people, build skill sets, and establish career paths and succession plans.
Provide functional and technical expertise to staff.
Establish and enforce technical and functional standards.
Ensure compliance with security and confidentiality requirements.
Promote, monitor, and support UW Medicine HIPAA policy and procedures.
Support a framework to be the employer of choice.
Develop a service-oriented work force with exceptional technical talent, create plans for career progression and succession planning.
Ensure all employees understand the linkage to the mission and vision of UW Medicine and to the UW Medicine Patients Are First principles and adhere to the professional conduct policy of UW Medicine.
Develop the necessary staff to implement, enhance, and support ITS goals, projects, and programs.
Foster staff engagement.
Governance and Communications (10%)
Facilitate development, publication, and maintenance of UW Medicine information security standards and policies.
Provide audit strategy, response management, and ongoing guidance on solutions to achieve and maintain security compliance, to mitigate information security risks and to correct compliance exposures and gaps.
Perform and manage any IT-specific activities or remediation required to meet applicable federal and state regulations.
Partner with UW Medicine Compliance, UW CISO and UW Medicine IT units in assessing education and outreach needs, developing related strategies, developing training content, and participating in outreach activities.
Budget Management (10%)
Manage operational, capital, and project budgets including FTE, software licensing, vendor contracts, and other expenditures.
Participate in and provide advice for annual budget development process and major purchase planning.
Routinely monitor actual expenditures against budgets to ensure alignment with IT Services accounting standards.
Participate in all aspects of improving the team, including education/training of other team members, and contributing to process/communication improvement initiatives.
Work with manager to set professional goals for career development.
Act as back-up for other team members and functions, as needed.
Perform other duties as assigned.
Bachelor's degree in Computer Science, Information Technology, Business Administration, or related field or equivalent combination of education/experience.
Current industry recognized security certification (e.g., CISSP, GIAC, CISM, CISA, CEH).
8+ years technology experience must include:
8+ years' progressive technology, security, and professional services experience to include one or more of the following: risk management, incident response, threat management, vulnerability management, governance, audit, and computer forensics.
4+ years’ experience managing, coaching, and developing high performing teams of security professionals in complex environments to meet operations, enterprise, and strategic objectives.
Demonstrated management and leadership capabilities with proven ability to influence in matrix environment.
Proven ability to make administrative/procedural decisions and provide guidance and leadership to staff.
Extensive experience and background with on-premise and cloud technology, operating systems, and applications, preferably including clinical and healthcare solutions.
Extensive experience with project and program management in technical environments with diverse stakeholder groups.
Expert experience conducting information security risk assessment, control analysis, and vulnerability assessments.
Demonstrated work experience conducting investigations and managing information security incidents.
Expert understanding of information security threat modeling and vulnerabilities in large scale business technology environments
Expert understanding of and experience with security related technologies, systems, and tools.
Previous experience in and knowledge of academic healthcare systems and/or operational environments.
Advanced degree (e.g., Master’s, PhD, etc.).
Demonstrated work experience in digital forensics analysis and/or threat intelligence using a variety of open source or commercial tools.
Curiosity and ability to write in at least one programming language and effectively code in a scripting language.
Working knowledge of security tools and best practices with large cloud providers
IAM experience with common vendors and tools.
Familiarity with IAM authentication and authorization concepts, services, and best practices.
Founded in 1861, the University of Washington is one of the oldest public institutions in the west coast and one of the preeminent research universities in the world. The University of Washington is a multi-campus university comprised of three different campuses: Seattle, Tacoma, and Bothell. The Seattle campus is made up of sixteen schools and colleges that serve students ranging from an undergraduate level to a doctoral level. The university is home to world-class libraries, arts, music, drama, and sports, as well as the highest quality medical care in Washington State and a world-class academic medical center. The teaching and research of the University’s many professional schools provide undergraduate and graduate students the education necessary toward achieving an excellence that will serve the state, the region, and the nation. As part of a large and diverse community, the University of Washington serves more students than any other institution in the Northwest.