The Executive Director, IT Security is responsible for establishing and maintaining
an enterprise-wide information security program to ensure that Information
Technology and information assets are adequately protected. This position is
responsible for identifying, evaluating and reporting on information security
risks in a manner that meets compliance and regulatory requirements. The Executive
Director, IT Security proactively works with the business to implement
practices that meet defined policies and standards for information security and
oversees all IT risk management activities. This role serves as the process
owner of all ongoing activities related to the availability, integrity and
confidentiality of customer, business partner, employee and business
information, in compliance with the organization's information security
policies. A key element of this role is to work with executive management to
determine acceptable levels of risk for the organization.
The Executive Director, IT Security position requires a visionary leader with strong
skills in technology and business management. This role requires an integrator
of people and processes, a thought leader, a problem solver, an effective
consultant and solid domain competency in the field of information security. This
role must be highly knowledgeable about the business environment and must
ensure that information systems are maintained in a fully functional, secure
mode. The position acts as Chief Information Security Officer (CISO) and
reports to the VP, Infrastructure, Operations & Security.
Duties and Responsibilities:
Develop, implement and monitor a strategic, comprehensive enterprise-wide Information
Technology security and risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
Develop, maintain and execute a proactive Information Security Strategy that evolves
with the business needs. Provide expert leadership in the development,
implementation, and maintenance of an information security program and
associated infrastructure which entails the monitoring of information security
trends internal and external to the organization and keeping senior management
informed about information security-related issues that could affect the organization.
Manage the enterprise's IT Security organization, consisting of direct
reports and indirect reports (such as individuals in other areas of IT)
including providing security guidance, hiring, training, staff development,
performance management and annual compensation review.
Develop, communicate and ensure compliance with organizational security policies,
standards, and guidelines.
Provide guidance and advocacy regarding prioritization of IT investments that impact
information security and risk including the management of the information
security budget and monitor for variances.
Create and manage information security/risk management awareness and training
programs for all employees, contractors and approved system users.
Work directly with IT and business entities to facilitate IT risk analysis and risk
management processes, identify acceptable levels of risk, while balancing with
business needs, and establish roles and responsibilities regarding information
classification and protection.
Responsible for presenting overall IT risk, specifically in the ERM corporate process to
include the IT areas of: compliance, security, performance, and availability.
Monitor information security trends internal and external to Quest Diagnostics and keep
Quest Diagnostics senior management informed about information security-related
issues and activities affecting the organization.
Provide subject matter expertise to executive management on a broad range of
information security standards and best practices, such as PCI, HIPAA, NIST,
Provide strategic and tactical security guidance for all IT projects, including the
evaluation and recommendation of technical security and contractual controls.
Liaise with the enterprise architecture team to ensure alignment between the security
and enterprise architectures, thus coordinating the strategic planning implicit
in these architectures.
Coordinate information security and risk management projects with staff from the IT
organization and business teams.
Ensure that security programs are following applicable laws, regulations and policies
to minimize or eliminate risk and audit findings.
Facilitate the conduct of, and responses to, various internal and external security-related
Create and facilitate the information security risk assessment and threat and
vulnerability processes, including reporting and oversight of remediation
efforts to address negative findings.
Ensure the Corporation maintains an effective Cybersecurity program to protect
critical IT assets and customer and corporate data.
Assist various teams in the investigation of security incidents and events to protect
corporate IT assets, including intellectual property, confidential data, and
other IT fixed assets while protecting the company's reputation.
Coordinate the use of external resources involved in the information security program,
including, but not limited to, interviewing, negotiating contracts and fees,
and managing external resources.
Develop operational and strategic relevant metrics to measure the efficiency and
effectiveness of the program, facilitate appropriate resource allocation and
increase the maturity of the security program.
Facilitate business alignment and communications by forming an information security
steering committee or advisory board such as a Security Council.
Conduct security vendor risk assessments for those external suppliers that have
possession of organizational confidential/sensitive data.
Develop and manage information security budgets and monitor them for variances.
Liaise between the information security team and corporate compliance, physical
security, internal audit, legal and HR management teams as required.
Understand potential threats, vulnerabilities, and control techniques and communicate this
information to departmental system administrators.
Director, IT Security Sr. (Grade 53) – 4 direct reports + Tech Center staff in
Director, IT Security (Grade 52) – 6 direct reports + Tech Center staff in
Manager, IT Security (Grade 51) – 10 direct reports + Tech Center staff in
(2) Spec, IT Security - Lead
degree preferably in computer science/information systems
to 15 years in information and IT security
five years' experience in a security-related thought leadership or management
ability to operate within a healthcare business environment.
and Mental Requirements:
duties with frequent interruptions or distractions
Adjust priorities quickly as circumstances
Ability to interact professionally with colleagues and/or customers for different
purposes in different contexts.
Ability to collaborate across the
Maintain composure under pressure
Performs a variety of duties, often changing
from one task to another
Ability to comprehend and follow verbal or
Effective verbal communication
Effective written communication
Concentrate on tasks
Ability to make decisions
Leadership and strategy
and Risk Management
capabilities: Digital Dexterity, Focus on the Customer, Knowing the Business,
Collaborate with Others, Promote Strategic Alignment, Adaptability.