Key duties & responsibilities
Cybersecurity Risk Governance
- Lead the third-party cybersecurity risk management program with a focus on PHI/PII protection, HIPAA compliance, and critical vendor oversight.
- Drive assessments aligned with NIST CSF and ISO 27001 to evaluate and mature the cybersecurity program.
- Establish and maintain processes for risk exception management, approvals, and periodic monitoring.
- Collaborate with global cybersecurity and IT teams to implement automation through GRC tools.
- Oversee third-party onboarding and offboarding processes to ensure alignment with security policies, Business Associate Agreements (BAAs), and regulatory requirements.
- Monitor and govern third-party relationships, conducting periodic risk assessments and ensuring timely remediation of findings.
Security awareness and culture
- Design and oversee the cybersecurity awareness and training program for employees, contractors and vendors in India and the Philippines.
- Develop and communicate governance dashboards and awareness campaigns to foster a culture of shared cybersecurity responsibility.
- Evaluate the effectiveness of the training program and tailor it to organizational requirements.
Audit & Compliance Leadership
- Serve as key point of contact (POC) for client, regulatory, and third-party cybersecurity audits.
- Ensure readiness for, and timely response to, HIPAA, SOC 2 and CERT-IN assessments, as well as client cybersecurity reviews and audits.
- Lead audit coordination across departments, track findings, and drive remediation activities to closure.
- Represent the organization during client cybersecurity audits and on-site reviews.
Governance Frameworks, Metrics & Reporting
- Establish and maintain standard operating procedures for cybersecurity governance, client onboarding/offboarding, and audit evidence handling.
- Define and report on key performance indicators (KPIs) and key risk indicators (KRIs) for cybersecurity governance.
- Develop executive dashboards and actionable insights for leadership, audit committees, and compliance teams.
Cross-Functional Collaboration & Risk Advisory
- Work closely with Legal, Procurement, Compliance, and Privacy teams to embed cybersecurity controls into contracts, RFPs, and vendor due diligence.
- Advise internal business owners on security risks, remediation plans, and vendor-related compliance obligations.
Qualifications
- Bachelor's or Master's degree in Technology, Cybersecurity, Risk Management, or a related field.
Experience, Skills and Knowledge
- 12+ years of cybersecurity or GRC experience, with at least 5 years in a leadership role, ideally in a healthcare organization or health-tech environment.
- Good understanding of HIPAA, HITECH, HITRUST, ISO 27001, CERT-IN requirements and related regulatory frameworks.
- Proven experience managing cybersecurity risk and audit programs at scale.
- Excellent communication skills, with the ability to interface with clients, vendors, and operational, legal, and IT leadership.
Key competency profile
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- HITRUST CCSFP or ISO 27001 Lead Implementer