Vice President, Information Security
San Francisco, CA

Job Description

Blue Shield of California (BSC) is the hardest working, not-for-profit health plan in California working to deliver our mission to ensure all Californians have access to high-quality health care at an affordable price. Blue Shield of California was founded in 1939 by a group of physicians who believed that everyone should be able to afford a visit to their doctor. More than 70 years later, Blue Shield now serves 3.3 million members, and is the first health plan in the nation to limit our annual net income to 2 percent of revenue and pledge to return the difference to our customers and the community with the board of directors' approval. We returned more than $475 million in 2011. We also believe that a healthier California begins with our employees, so we provide them with resources to develop and maintain a healthy lifestyle through our award-winning wellness program, Wellvolution. In 2012, we were named one of the World's Most Ethical Companies. Since 2005, the company has contributed more than $170 million to the Blue Shield of California Foundation, one of BusinessWeek's most generous corporate foundations.

Opportunity

* Drive the overall security program at BSCA.
* Develop and maintain Reference Architecture documentation for information security services.
* Lead the assessment of existing and proposed technology infrastructure to identify key risk areas, and ensure security control objectives are met.
* Research general and healthcare-specific security trends and assess the applicability and capability of security vendor solutions.

Specific Responsibilities Include:

Develops and nurtures Information Security as a strategic imperative and vital ingredient to protecting BSC's brand, revenue and reputation. Communicates the Information Security mission, vision, and strategic and operational direction. Proactively identifies threats to the business, devises strategies to mitigate threats, and maintains relationships with the business to educate and promote safe information management practices.

Strategy

* Develop, manage and set the vision for Information Security
* Establish goals and priorities for Information Security

Direction

* Direct initiatives related to Information Security strategic planning
* Set and manage budget for Information Security
* Promote awareness of Information Security throughout BSCA
* Ensure that Information Security is adequately represented across lines of businesses
* Prioritize and delegate risk assessment activities and ensure completion
* Oversee newly implemented technologies and coordinate internal/external audits

Relationship Management

* Consult with business units regarding changing Information Security needs
* Consult with senior management in times of an Information Security crisis
* Advise senior management of changes in the technical, legal, and regulatory arenas
* Improve security awareness and instill a risk-aware culture in the organization
* Involve 3rd party security vendors in assessing solutions against current or future needs

Information Risk Management

* Certify and attest to technology compliance with company-wide Information Security policies
* Define Information Security metrics and report them to the oversight committee
* Approve architecture, policies, standards, guidelines, and any exceptions
* Specify conditions for risk acceptance
* Sign off on risk acceptance for technology implementations
* Recruit and manage the security staff

Architectural and Operational

* Ensure security architecture deliverables reflect and support BSCA business, technical, operational, and compliance objectives
* Develop and maintain detailed security state architectures
* Review threat and vulnerability reports and aid in security control selection to address risks.
* Maintain awareness of IT/Security industry trends, new solutions and techniques, as well as emerging threats
* Participate in project Architectural Review process: ensure that proposed designs conform to architectural patterns and identify needs for new architectural pattern development
* Update job knowledge by participating in educational opportunities, reading professional publications, and participating in professional organizations.
* Ensure, and create as needed, security processes, practices and operations that deliver repeatable results.
* Collaborate with EA teams to define the high-level roadmap and architecture.
* Lead efforts to create security standards and hardening procedures.
* Participate in developing designs for the enterprise network security environment.
* Lead teams in development of security requirements
* Work closely with project and engineering teams to ensure that projects meet or exceed security requirements. This includes ensuring that the security architecture is well documented and communicated.
* Interface with external vendors, partners, and customers, as well as other internal teams including hardware and software engineering, product marketing, and systems engineering.
* Work with and influence project teams and business contacts regarding security controls and risk mitigation techniques related to information security.
* Collaborate with the information risk management and compliance groups to identify, prioritize and respond to risk components, developing security architecture in support of business strategy.

Candidate Profile and Requirements:

* 10 years of IT experience, with 5 years in security architecture and engineering.
* One or more appropriate security certifications, such as CISSP-ISSAP, CISA, CRISC, and CISM
* Hands-on technical experience with telecommunications and network security, access control systems, cryptography, and physical security systems.
* Experience with standards and best practices such as NIST, ISO 27000, HITRUST, Common Criteria, and FIPS a big plus
* Required: demonstrated knowledge of information technology security, trends, leading practices, and regulatory and industry standard compliance issues such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Standard (PCI), and FIPS-140.
* Experience with Open Security Architecture (OSA) and The Open Group Architecture Framework (TOGAF).
* Understanding of security protocols including MACsec, IPSec, KEYsec, SSL/TLS, PKCS, DTLS, WSS and SAML.

Education/Credentials: Bachelor's degree in IT Security (cyber), Information Systems, or Computer Science or equivalent experience; MS preferred.
