Vice President, Deputy Chief Information Security Officer

New York, NY / Washington, DC
Office of the Chief Information Officer (COO) – Information Security / Full Time - Non-Union / Hybrid
Planned Parenthood is the nation’s leading provider and advocate of high-quality, affordable sexual and reproductive health care for all people, as well as the nation’s largest provider of sex education. With more than 600 health centers across the country, Planned Parenthood organizations serve all patients with care and compassion, with respect, and without judgment, striving to create equitable access to health care. Through health centers, programs in schools and communities, and online resources, Planned Parenthood is a trusted source of reliable education and information that allows people to make informed health decisions. We do all this because we care passionately about helping people lead healthier lives.

Planned Parenthood Federation of America (PPFA) is a 501(c)(3) charitable organization that supports the independently incorporated Planned Parenthood affiliates operating health centers across the U.S. Planned Parenthood Action Fund is an independent, nonpartisan, not-for-profit membership organization formed as the advocacy and political arm of Planned Parenthood Federation of America. The Action Fund engages in educational, advocacy, and electoral activity, including grassroots organizing, legislative advocacy, and voter education.

Planned Parenthood Federation of America (PPFA) and Planned Parenthood Action Fund (PPAF) seek a strategic Deputy Chief Information Security Officer who will report to the Chief Information Officer. This leadership role will oversee the Information Security (InfoSec) department, which includes core capabilities for InfoSec Architecture & Engineering, InfoSec Operations, and HIPAA, Risk & Compliance. The Deputy CISO is responsible for managing the end-to-end information security management program to ensure that PPFA information assets are adequately protected.

Purpose:

●To continuously improve our information security practices based on the evolving threat landscape, focused on protecting the organization from active direct threats as well as compliance and regulatory risk. The Planned Parenthood information security program is based on a philosophy that is not only focused on today’s needs, but will continue to be relevant in meeting the needs of the future. It is about developing a mode for us to safely and securely interact and protect our patients' and constituents’ information anywhere and at any time.
●The Deputy CISO position requires a leader with an operational excellence mindset while strategically staying on top of the latest tech security trends.
●Must have sound business acumen to help identify, evaluate and report information security risks in a manner that supports the risk posture of the organization.
●The Deputy CISO will partner with Affiliate Tech Services and proactively work with affiliated entities across the Planned Parenthood family to implement practices that meet defined policies and standards for information security.
●This role will collaborate to share program best practices with peer nonprofits with an eye on further strengthening and evolving the program for Planned Parenthood.
●The Deputy CISO serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee, and business information in compliance with the organization's information security policies.
●The Deputy CISO must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode. 

Delivery:

The ideal candidate is a senior leader and subject matter expert in information security, possessing outstanding strategic and operational skills to successfully deliver all InfoSec accountabilities. This leader is a consensus builder and an integrator of people, platforms, and processes aligned with the customer and business needs. While the Deputy CISO is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints, and personalities, while maintaining objectivity and a strong understanding that security is just one of many critical strategic needs for the organization. Ultimately, the Deputy CISO is a business leader and should have a track record of competency in the field of information security or risk management, with eight to 10 years of relevant experience, including four years in a significant leadership role. The Deputy CISO will:
●Oversee and mature Cybersecurity Centers of Excellence: Network Protection, Data Protection, Endpoint Protection, SOC Monitoring, Incident Response, Threat and Vulnerability Management, Secure System Development Lifecycle, Security Engineering, Information Security Architecture, Insider Threat Management, and Security Awareness.
●Provide direction and leadership to InfoSec LT to enhance and maintain the Capability Maturity Model and Direct Risk Model based on the above-mentioned Centers of Excellence. 
●Mature the Security Architecture & Engineering capability through multi-year strategic planning and roadmaps to support the CIO and business priorities.
●Oversee the designated HIPAA Security Officer. 
●Oversee the Affiliate and Ancillary organization accreditation assessment process related to select risk & compliance and information security/technology indicators and elements of performance.
●Grow and monitor a comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality, and availability of information that is owned, controlled, or processed by the organization.
●Manage the enterprise's information security organization, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews. 
●Facilitate information security governance through the implementation of a collaborative governance program based on direction from CIO and overall tech governance. 
●Develop, maintain, and publish up-to-date information security policies, standards, and guidelines. Oversee the approval, training, and dissemination of security policies and practices. 
●Oversee periodic enterprise-wide security risk assessments and internal audit processes.
●Create, communicate, and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants, and other service providers.
●Develop and manage information security budgets and monitor them for variances.
●Create and manage information security and risk management awareness training programs for all employees, contractors, and approved system users. 
●Provide regular reporting on the status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program. 
●Oversee cyber opposition research activities and reporting; collaborate with the opposition research planning & infrastructure workgroup.
●Maintain a framework for roles and responsibilities regarding information ownership, classification, accountability, and protection; collaborate with the PPFA Data Governance Committee.
●Manage an information security management framework based on the following: NIST CSF, 405(d) HICP and SANS.
●Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls. 
●Coordinate information security and risk management projects with resources from the IT organization and business unit teams.
●Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from state laws, standards, and regulations.
●Ensure that security programs are in compliance with relevant Federal and State laws, regulations, and policies to minimize or eliminate risk and audit findings. 
●Liaise among the information security team and corporate compliance, audit, legal and HR management teams as required.
●Define and facilitate the information security risk assessment process, including reporting and overseeing treatment efforts to address negative findings. 
●Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation. 
●Monitor the external threat environment for emerging threats (both direct and indirect), and advise relevant stakeholders on the appropriate courses of action. 
●Develop and oversee effective cyber security disaster recovery policies and standards to align with PPFA’s business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support, and in-house consulting in these areas. 
●Oversee the development of cyber security policy templates for Affiliates in collaboration with the Technology Service section.
●Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of InfoSec capabilities, facilitate appropriate resource allocation, and increase the maturity of the security. 
●Perform related duties and fulfill responsibilities as required.

Engagement:

●Partner with the CIO Leadership Team (CIO LT) to ensure InfoSec capabilities are effectively embedded into our tech foundation and future capabilities. 
●Active member of the Technology Advisory Committee (TAC), chaired by the CIO, with Affiliate tech leadership members.
●Engage federation-wide with business and tech stakeholders to ensure InfoSec capabilities are operationalized according to standards and compliance. 
●Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of direct and residual risk.
●Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
●Coordinate the use of external resources involved in the information security program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
●Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems, and services, including, but not limited to, privacy, risk management, compliance, and business continuity management.

Knowledge, Skills and Abilities (KSAs):  

The Deputy CISO will demonstrate the following: 
●At least ten years of experience in information security 
●Bachelor’s degree required; Master’s degree in a relevant field preferred
●Diplomatic style and high emotional intelligence 
●Collaborative work style; able to facilitate amongst diverse communities and individuals; can inspire top performance in others; willingness to pitch in/jump in
●Comfortable in ambiguity; able to create clarity and understanding
●Experienced in getting to “yes” in a collaborative, consensus-driven style
●Enjoys operating in a fast-paced and demanding environment; a nimble and flexible style
●A direct and open style; creative, out-of-the-box thinker who can translate concepts and ideas to a broader audience 
●A smart and confident leader with a clear and informed opinion who has experience leading teams while prioritizing and managing conflicting priorities for self and others
●Integrity, independent thinking, and personal courage 
●Preference given to SANS and/or GIAC certification; at least one IT security certification (CISM, CISSP, or similar certification preferred)
●Experienced in modern technology security solutions in cloud-based environments 
●Must have rapid response and incident response experience
●Experience working in a highly matrixed or federation environment
●Organized with attention to detail; proven ability to conceptualize, plan and execute ideas while providing training and skills transfer to others
●Previous experience with at least one of the following information security frameworks: HIPAA, NIST, 405(d) HICP, ISO 27001, PCI DSS, SANS 20 

Travel: This position is an NYC office-based position; DC office-based is an option. Up to 20% travel on occasion.

$255,000 - $265,000 a year
Total offer package to include generous vacation + sick leave + paid holidays, individual/family provided medical, dental and vision benefits effective day 1, life insurance, short/long term disability, paid family leave and 401k. We also offer voluntary opt-in for Flexible Spending Account (FSA) and Transportation/Commuter accounts.   

We value a truly diverse workforce and a culture of inclusivity and belonging. Our goal is to attract qualified candidates and encourage applications from all individuals without regard to race, color, religion, sex, national origin, age, disability, veteran status, marital status, sexual orientation, gender identity, or any other characteristic protected by applicable law.  We're committed to creating a dynamic work environment that values diversity and inclusion, respect and integrity, customer focus, and innovation.

PPFA participates in the E-Verify program and is an Equal Opportunity Employer.

Roles that are denoted as NYC, DC, or both will work a hybrid schedule, requiring 2-3 days per week in the office unless the role is denoted as onsite, which requires working onsite full time or 5 days per week.