
VP, Cybersecurity/CISO - IT Administration - Full Time

Guthrie
Posted 2 months ago, valid for 15 days
Location

Sayre, PA 18840, US

Salary

$62.5 - $75 per hour

Contract type

Full Time


Sonic Summary

  • The Vice President, Cybersecurity and Chief Information Security Officer (CISO) at The Guthrie Clinic is responsible for the strategic leadership and execution of the enterprise cybersecurity program.
  • Candidates should have at least 10 years of combined experience in cybersecurity, risk management, and information technology, with a minimum of four years in a senior leadership role.
  • The position requires a Bachelor’s degree in a related field and at least one active professional information security certification, with a Master’s degree preferred.
  • The salary for this role is competitive and commensurate with experience, reflecting the importance of cybersecurity leadership in the healthcare sector.
  • The CISO will collaborate with senior executives and oversee various cybersecurity functions, ensuring compliance with regulatory requirements and the protection of information systems.

Position Summary:


Reporting to the Senior Vice President and Chief Digital Officer, the Vice President, Cybersecurity and Chief Information Security Officer (CISO) is a key member of the Information Services Leadership Team and serves as the strategic leader responsible for the vision, development, and execution of The Guthrie Clinic’s (TGC) enterprise cybersecurity program. The CISO partners with senior executives, clinical and operational leaders, and key stakeholders to ensure the confidentiality, integrity, and availability of information systems across the health system.


This role oversees the system-wide information security strategy, cyber risk management functions, AI-related cyber risk governance, medical device security, third-party risk management (TPRM), and compliance with regulatory requirements and frameworks including the HIPAA Security Rule, NY State Department of Health (NY DOH) Cybersecurity Regulations, HITRUST CSF, and Payment Card Industry (PCI) standards.


The CISO leads information security policy development, cybersecurity operations, incident response, vulnerability management, and security awareness education. The role provides cybersecurity reporting to the Guthrie Clinic’s Audit Committee and annual reporting to the full Guthrie Clinic Board of Directors.
The CISO manages, leads, and mentors a high-performing multidisciplinary technology team; additionally, the CISO actively participates in and contributes to healthcare industry organizations to advance cybersecurity best practices, threat-intelligence collaboration, and sector-wide resilience.

________________________________________
Education & Certifications


•    Bachelor’s degree in Information Technology, Computer Science, Information Security, or related field required.
•    Master’s degree preferred in Cybersecurity, Information Systems, Business Administration, Healthcare Administration, or a related discipline.
•    At least one active professional information security certification that requires CPEs (such as CISSP, CISM, CISA, or similar) required.
•    GIAC Certifications (SANS Institute), FAIR, ITIL, PMI, or technical certifications (Microsoft, Cisco, Epic, etc.) preferred.
________________________________________
Experience Requirements


•    10+ years of combined experience in cybersecurity, risk management, and information technology, with at least four years in a senior leadership role.
•    Demonstrated experience and measurable outcomes in: 
o    Healthcare cybersecurity leadership.
o    Cyber threat and risk frameworks and executive-level risk reporting.
o    NIST CSF and/or HITRUST CSF implementation and maturity progression.
o    Incident response, threat detection, digital forensics, SOC operations, and vulnerability management.
o    Third-party risk management (TPRM) and vendor cybersecurity due diligence.
o    HIPAA and NY DOH cybersecurity regulatory compliance.
o    AI governance and AI threat-related risk mitigation.
o    Medical device and IoT security programs.
•    Ability to concisely communicate complex cybersecurity and risk concepts to executive, clinical, and non-technical audiences.
•    Proven success building and maturing enterprise security programs in dynamic healthcare environments.
•    Strong analytical and problem-solving skills; proven calm, composed leadership under pressure.
•    Experience negotiating contracts, managing budgets, and leading cross-functional and interdisciplinary teams.
 

Industry Memberships, Active Engagement & Professional Contributions


To ensure alignment with healthcare cybersecurity best practices, threat intelligence collaboration, and sector-wide resilience, a history of active membership and engagement in healthcare industry cybersecurity organizations is strongly preferred:


•    Health ISAC (Health Information Sharing and Analysis Center)
•    HSCC (Health Sector Coordinating Council) Cybersecurity Working Group
•    CHIME/AEHIS (Association for Executives in Healthcare Information Security)
________________________________________
Essential Functions


The CISO is a strategic thought leader, consensus builder, and integrator who balances cybersecurity with organizational agility and mission needs. Responsibilities include, but are not limited to:


Leadership, Governance & Strategy
1.    Develop, maintain, and oversee a comprehensive enterprise information security and IT risk management program, grounded in HITRUST CSF, NIST CSF, and leading industry frameworks.
2.    Lead all cybersecurity and infrastructure operations teams, including hiring, development, and performance management.
3.    Establish and chair an Information Security Steering Committee.
4.    Provide cybersecurity program reporting to The Guthrie Clinic Audit Committee and annual program reporting to the full Guthrie Clinic Board of Directors, and other leadership and Guthrie hospital board meetings as requested.
 

Policy, Compliance & Regulatory Oversight
5.    Develop, publish, and maintain security policies, standards, and guidelines.
6.    Ensure compliance with the HIPAA Security Rule, NY DOH cybersecurity regulations, PCI DSS, and other applicable federal and state healthcare cybersecurity regulations.
7.    Work with enterprise business units to define acceptable residual risk levels and manage risk remediation plans.
 

Risk Management & Cyber Risk Quantification
8.    Lead formal risk assessment processes, including cyber risk quantification to inform executive decision making.
9.    Create and maintain a robust program for information classification, ownership, accountability, and protection.
10.    Monitor external threats and emerging technologies, including AI-related risks, and advise on appropriate mitigation strategies.
11.    Support annual cyber insurance renewal process.
 

Third Party & Medical Device Security
11.    Lead a comprehensive TPRM program, including evaluation, onboarding, monitoring, and continuous assessment of vendor cybersecurity and cloud service providers.
12.    Oversee medical device cybersecurity programs, coordinating with clinical engineering and biomedical teams to protect connected clinical technologies.
 

Operational Security & Incident Response
13.    Oversee security operations center (SOC) functions and SIEM, SOAR, and DLP technologies.
14.    Lead incident response and investigation processes, including post-incident analysis and continuous improvement.
15.    Oversee vulnerability management, penetration testing, and configuration hardening programs.
 

Architecture, Technology & Innovation
16.    Partner with enterprise architecture teams to ensure alignment between security principles and system design.
17.    Provide security guidance for IT projects, cloud adoption, AI initiatives, and new clinical technology implementations.
18.    Ensure the secure design, implementation, and continuous cyber governance of the organization’s Epic electronic health record (EHR) environment, spanning access controls, third‑party risk, and SEER compliance.
 

Awareness, Training & Culture
18.    Develop and deliver cybersecurity training programs for all employees, contractors, and system users.
19.    Drive a culture of security awareness and shared accountability across the organization.
 

Metrics, Reporting & Continuous Improvement
20.    Create a metrics and reporting framework to measure program maturity, operational performance, and risk exposure.
21.    Manage internal and external cybersecurity resources, contracts, and consulting partnerships.
 

Additional Responsibilities
22.    Perform other duties as required in support of The Guthrie Clinic’s mission and objectives.
 

 



Joining the Guthrie team allows you to become a part of a tradition of excellence in health care. In all areas and at all levels of Guthrie, you’ll find staff members who have committed themselves to serving the community.

The Guthrie Clinic is an Equal Opportunity Employer.

The Guthrie Clinic is a non-profit, integrated, practicing physician-led organization in the Twin Tiers of New York and Pennsylvania. Our multi-specialty group practice of more than 500 physicians and 302 advanced practice providers offers 47 specialties through a regional office network providing primary and specialty care in 22 communities. Guthrie Medical Education Programs include General Surgery, Internal Medicine, Emergency Medicine, Family Medicine, Anesthesiology and Orthopedic Surgery Residency, as well as Cardiovascular, Gastroenterology and Pulmonary Critical Care Fellowship programs. Guthrie is also a clinical campus for the Geisinger Commonwealth School of Medicine.



