VP Information Security

Job Summary

Reporting to the SVP, Chief Information Officer, the VP Information Security is Baylor Scott & White Health's (BSWH) senior executive responsible for cybersecurity strategy, risk reduction, and enterprise resilience across hospitals, clinics, ambulatory sites, enterprise systems (including EHR), clinical environments, and cloud platforms. Within IS's Agile delivery model, the VP embeds 'security by design' into backlogs, sprints, and release trains to translate strategy into day to day execution for product and platform teams.

The VP owns the NIST Cybersecurity Framework (CSF) adoption roadmap (Identify-Protect-Detect-Respond-Recover), ensures HIPAA/HITECH and healthcare specific compliance (e.g., 405(d) HICP; HITRUST mappings), and delivers measurable risk reduction via prioritized, evidence based investments. The CISO partners with Internal Audit, Risk, Compliance/Privacy, Legal, HR, Supply Chain/VMO, Clinical leadership, and IS Governance to align cyber risk decisions with patient safety, business goals, and financial stewardship.

The role operates with multiple Managed Service Providers (MSPs), governing cross provider standards, SLAs, joint playbooks, and unified metrics so BSWH presents one security posture.

Essential Functions Cybersecurity Roadmap

• Developing a Cybersecurity Road Map that could be used at both an Executive/Board Level and is also "translatable" to operational level teams.
• Cascade the road map deliverables throughout the team, trackable as weekly, monthly, and yearly activities for the teams.

Cyber Program & Governance

• Set the enterprise cybersecurity strategy and multi year roadmap aligned to NIST CSF 2.0; convert into budgets, OKRs, and measurable KRIs/KPIs.
• Run executive security governance (e.g., Security Steering, Board/ISLC updates) with concise risk narratives and decision options.
• Lead integration across MSPs (cyber, apps, infra, PMO): shared standards, SLAs, joint runbooks, cross tower escalations, and performance scorecards.
• Embed Agile processes in daily operations
• Own security policy/standards/baselines; drive "design time security" via enterprise architecture and Zero Trust.

Governance, Risk & Controls (GRC) / Cyber Program

• Maintain enterprise risk register; quantify risk and prioritize remediation by business impact + exploitability + asset criticality.
• Ensure regulatory, legal, and framework alignment (HIPAA/HITECH, 405(d) HICP, HITRUST mappings); coordinate internal/external audits and control testing.
• Lead third party risk with Supply Chain/VMO (security schedules, right to audit, breach notification, continuous monitoring); track remediation to closure.
• Operate a Cyber Risk & Performance dashboard mapped to NIST CSF and governance exhibits; present trends, heat maps, and decision asks.

Cyber Operations (SOC / Incident Response / Resilience)

• Oversee 24×7 SOC, SIEM, EDR/XDR, threat hunting, phishing defense, use case engineering; drive MTTD/MTTR improvements and alert quality.
• Own Incident Response and Crisis Management: tested playbooks, ransomware readiness, forensics, breach notification with Privacy/Legal, executive and Board communications.
• Lead cyber requirements for BC/DR (backup/restore integrity, cyber recovery, segmentation) including clinical technology; run joint tabletop exercises with MSPs.

Cyber Defense (Vulnerability/Exposure/Patch; Email/Network/Endpoint defense)

• Run an exposure management program that continuously measures risk and sequences remediation to eliminate the riskiest 20% that drive ~80% of exposure.
• Align vulnerability SLAs by asset tier; orchestrate patching across internal teams and MSPs with defined maintenance windows and change governance.
• Oversee platform defenses with domain leaders (e.g., Proofpoint for email, Firewall policy/governance, Endpoint protection standards).

Identity & Access Management (IAM)

• Own IAM/IGA, SSO/MFA, PAM, privileged session monitoring; enforce least privilege, JIT access, and high assurance controls for high risk workflows (e.g., EHR admin, OT).
• Conduct periodic access reviews and certs; integrate identity guardrails into Agile CI/CD and change processes.

Data Protection

• Lead data classification, DLP, encryption (at rest/in transit/in use), key management, tokenization, and de identification for research/analytics; partner with Privacy.
• Establish guardrails for data use in cloud/SaaS and with third parties; monitor and remediate data handling risks.

Cyber Architecture & Engineering

• Define Zero Trust architecture; secure reference architectures for cloud (IaaS/PaaS/SaaS) and on prem; operate CSPM/CWPP posture management.
• Embed secure SDLC / Dev Sec Ops  (threat modeling, SAST/DAST/IAST, SBOM, software supply chain security); provide reusable patterns and hardened baselines.
• Partner with platform teams on secure build pipelines; codify controls as policy as code.

Platform Security Domains

• Endpoint Management: OS/app hardening baselines, EDR policy, device compliance; integrate with patch/change windows.
• Firewall: Network…