Posted Jun 25, 2026

Vice President, ACM Information Security, CISO

Position Summary

The Vice President, ACM Information Security; CISO leads the enterprise-wide information security and cyber risk management program for ACM. This role ensures that all information assets (technology, applications, systems, infrastructure, and processes) are protected across the digital ecosystem, and identifies, evaluates, and reports on legal, regulatory, IT, and cybersecurity risks while enabling business objectives.

The position safeguards the confidentiality, integrity, and availability of data and systems supporting R&D, clinical trials, manufacturing, supply chain, regulatory submissions, and commercial operations. It protects high-value research assets, clinical development systems, proprietary algorithms, and sensitive partner data, while enabling rapid innovation, collaboration, and compliance.

Operating in a highly regulated environment, the VP, ACM Information Security; CISO balances cybersecurity with clinical trial needs, innovation, speed to market, and patient safety.

Key Responsibilities

Strategic Leadership & Governance
- Facilitate an ACM information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
- Define and execute the enterprise information security strategy and roadmap aligned with business objectives and regulatory obligations.
- Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
- Ensure that IT security requirements are included in vendor contracts by liaising with vendor management and procurement organizations.
- Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
- Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
- Serve as executive advisor on cyber risk to ACM's Executive Leadership Team (ELT).
- Establish security governance, policies, standards, and metrics across global operations.
- Lead security investment planning and budgeting.

IT Security Strategy / Framework Development, Execution and Reporting
- Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
- Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the organization.
- Develop and enhance an up-to-date information security management framework based on ISO 27001.
- Create and manage a unified and flexible control framework to integrate and normalize the wide variety of ever-changing requirements resulting from global laws, standards and regulations.
- Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
- Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of information security, and review it with stakeholders at the executive and board levels.

Regulatory & Compliance Leadership
- Ensure compliance with regulations and standards, including:
  - ISO 27001
  - NIST, HIPAA, SOC 2, PCI
  - FDA (21 CFR Part 11)
  - GxP (GMP, GLP, GCP)
  - HIPAA / HITECH
  - GDPR and global privacy laws
- Partner with Quality, Regulatory Affairs, and Legal to support audits and inspections.
- Oversee data integrity and validation controls for regulated systems.

Protection of Intellectual Property & Sensitive Data
- Safeguard research data, clinical trial data, patient data, software development, manufacturing IP, and trade secrets.
- Implement data classification, encryption, and access control strategies.
- Oversee secure collaboration with CROs, CMOs, research partners, and academia.

Cyber Risk Management & Operations (Partnering with RRH IT as needed)
- Identify, assess, and mitigate cyber risks across IT, OT, cloud, and laboratory environments.
- Oversee and provide continuous status updates regarding ACM's vulnerability management, penetration testing, and threat intelligence and related remediation efforts.
- Oversee ACM's vulnerability management, penetration testing, and threat intelligence efforts.
- Work collaboratively with RRH IT to establish and oversee incident response, breach management, and cyber resilience programs.
- Work collaboratively with RRH IT to coordinate with law enforcement and regulators in the event of security incidents.
- Develop cyber resilience and business continuity capabilities.

Technology & Architecture Oversight
- Guide secure implementation of cloud platforms, AI/ML, digital labs, IoT/OT, and data platforms.
- Ensure security-by-design across system development and validation lifecycles.
- Oversee identity and access management, zero trust architecture, endpoint security, network security, and SOC operations.
- Embed security into SDLC and system validation processes.

Third-Party & Supply Chain Security
- Develop and enforce third-party risk management programs for vendors, CROs, CMOs, and SaaS providers.
- Assess cyber risks in manufacturing, logistics, and distribution partners.
- Support secure onboarding and continuous monitoring of partners.

Operate the Function
- Create a risk-based process for the assessment and mitigation of any information security risk in your ecosystem, consisting of supply chain partners, vendors, consumers and any other third parties.
- Work with the ACM QA staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy.
- Collaborate and liaise with ACM's data privacy officer and RRH IT security to ensure that data privacy requirements are included where applicable.
- Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings.
- Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines.
- Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and the creation of alternatives for managing risk.
- Working collaboratively with RRH IT Security leadership, coordinate the management and containment of information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation.
- Working with RRH IT, monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
- Working with the RRH CISO, coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas.
- Facilitate and support the development of asset inventories, including information assets in cloud services (managed by ACM, RRH or 3rd parties).

Leadership & Team Development
- Build and lead a high-performing global information security organization.
- Develop talent, succession planning, and security culture across the enterprise.
- Promote security awareness training tailored to scientists, engineers, and business users.
- Working closely with the RRH IT CISO and IT security leaders, develop a collaborative, virtual expanded IT security team to best support the ACM organization.
- Create the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
- Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
- Liaise with external agencies/regulators and clients, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies and clients.

Desired Qualifications:
- Master's degree in a related field or MBA preferred
- Demonstrated success managing global security programs in complex, regulated environments
- Demonstrated experience managing / ensuring IT cloud security
- ISO 27001 Lead Implementer/Auditor
- Proven experience (5+ years) in global life sciences, biotech industries
- Proven experience developing / managing an ISO 27001 compliant IT security framework
- Cloud security certifications (AWS, Azure, GCP)
- Deep understanding of life sciences / biotech regulatory environments (global environments)
- Proven ability to partner with and manage service providers to ensure compliance with organizational expectations
- Significant experience / knowledge building IT security frameworks compliant with the following regulations / standards:
  - FDA (21 CFR Part 11)
  - GxP (GMP, GLP, GCP)
  - ISO 27001, NIST
  - HIPAA / HITECH
  - GDPR and global privacy laws
  - SOC 2, PCI
- Advanced troubleshooting and analytical skills
- Strong communication and cross-functional collaboration abilities
- High attention to detail and commitment to system reliability
- Ability to manage multiple complex initiatives simultaneously
- Strong communication skills / strong executive communication and board-level presentation skills
- Risk-based decision-making and business acumen
- Experience balancing innovation with compliance and patient safety
- Up-to-date knowledge of IT security methodologies and trends in both business and IT
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
- Project management skills: financial/budget management, scheduling and resource management
- Engagement and collaboration with service providers

Minimum Qualifications:
- Bachelor's degree in Computer Science, Information Security, Engineering, or related field
- 10 years in information security, with 5 years in senior IT security leadership roles
- 5 years of experience in global life sciences, biotech industries

Required Licensure/Certifications:
- CISSP or CISM or CISA

PHYSICAL REQUIREMENTS: L - Light Work - Exerting up to 20 pounds of force occasionally, and/or up to 10 pounds of force frequently, and/or a negligible amount of force constantly; requires occasional walking, standing or squatting. For disease specific care programs refer to the program specific requirements of the department for further specifications on experience and educational expectations, including continuing education requirements. Any physical requirements reported by a prospective employee and/or employee's physician or delegate will be considered for accommodations.

PAY RANGE: $220,000.00 - $250,000.00
CITY: Rochester
POSTAL CODE: 14624

The listed base pay range is a good faith representation of current potential base pay for a successful full time applicant. It may be modified in the future and eligible for additional pay components. Pay is determined by factors including experience, relevant qualifications, specialty, internal equity, location, and contracts.

Rochester Regional Health is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex (including pregnancy, childbirth, and related medical conditions), sexual orientation, gender identity or expression, national origin, age, disability, predisposing genetic characteristics, marital or familial status, military or veteran status, citizenship or immigration status, or any other characteristic protected by federal, state, or local law.