Senior Director, Cybersecurity

Chicago, IL
Full-Time

Job Description

The American Hospital Association (AHA) is a national organization that represents and serves all types of hospitals, health care networks, and their patients and communities. The AHA has two main offices, located in Washington, D.C., and Chicago. The AHA offers a flexible hybrid work schedule of three days in the office and two days working remotely.

This role is located in our downtown Chicago office. Responsible for establishing and maintaining the enterprise cybersecurity vision, strategy, and program to ensure information assets and technologies are adequately protected. Directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information technology (IT) risks. Respond to incidents, establish appropriate standards and controls, manage security technologies and direct the establishment and implementation of policies and procedures.

Essential Functions

  • Establish and maintain a comprehensive company-wide information security program aligned with the AHA risk management strategy that encompasses foundational, operational, and tactical security and compliance elements. Ensure the protection of information assets against current and future threats, both internal and external.
  • Develop and maintain a security roadmap with an emphasis on continuous improvement.
  • Communicate cybersecurity risks, initiatives, and performance to senior leadership and the AHA audit and compliance operations committee.
  • Manage the development and implementation of enterprise IT security standards and best practices aligned with the organization’s risk management plan. Establish and oversee processes to monitor compliance, conduct technical and procedural security audits across IT and business units and coordinate with external auditors and vendors on audit activities and remediation efforts. Develop necessary IT security policies and guidelines.
  • Develop plans for the implementation of new products and capabilities based on the AHA strategic plan. Provide well-defined plans, including procedures, deadlines, and accountability. Direct business functions, including approval of project plans, budgets, and work breakdown structure. Provide assistance and support to IT Operations and Development teams and work collaboratively to deliver desired outcomes.
  • Work directly with key stakeholders and senior members of AHA’s management team on cybersecurity risk management, compliance, and audit procedures. Provide direction and oversight for security awareness education activities.
  • Collaborate with the compliance officer and legal counsel to develop and maintain required IT policies, standards and controls that comply with regulatory requirements. Provide guidance on data protection for sensitive information and stay informed of emerging regulations and industry standards impacting security practices.
  • Lead and develop future leaders within the department. Set clear goals, define roles, conduct performance reviews and take appropriate action to achieve operational results. Foster talent, promote diversity and ensure effective coordination across cross-functional teams.


Minimum Qualifications: Education

  • Bachelor's Degree in Information Systems, Technology Management, Network Operations Management Required
  • Master's Degree Preferred


Minimum Qualifications: Work Experience

  • 10+ years IT security experience Required
  • 5+ years Management experience leading a team Required
  • Experience leading and implementing at least one major cybersecurity and compliance program Required
  • Experience managing enterprise-wide security awareness, risk management, and third-party governance programs Required


Minimum Qualifications: Knowledge, Skills and Abilities

  • Deep understanding of information security principles, best practices, standards (such as the NIST Cybersecurity Framework), and emerging threats - Required
  • Awareness of relevant laws, regulations, and industry standards related to data protection and privacy (such as GDPR, HIPAA, CCPA) is necessary for ensuring organizational compliance and avoiding legal issues - Required
  • Proficiency in risk assessment methodologies, risk mitigation strategies, and risk management frameworks - Required
  • Familiarity with security architectures, technologies, and tools used for safeguarding networks, systems, and data, e.g., firewalls, intrusion detection/prevention systems, encryption technologies, and security event monitoring systems. Deep understanding of IT from an infrastructure and network perspective. - Required
  • Thorough understanding of incident response processes, including detection, containment, eradication, and recovery from security incidents and breaches. - Required
  • Knowledge of disaster recovery planning and business continuity management as it relates to security - Required
  • Working knowledge of developing security policies and procedures for establishing security roles and responsibilities, defining security objectives, and ensuring accountability across the organization - Required
  • Working knowledge of managing security awareness programs to educate employees about security risks and best practices - Required
  • Understanding of vendor risk management practices, including evaluating third-party security controls, assessing vendor security posture, and ensuring compliance with security requirements in vendor contracts - Required
  • Strong leadership, communication, and interpersonal skills are vital for effectively communicating security risks and requirements to senior leadership, board members, employees, and external stakeholders - Required
  • Professional knowledge with a Security Operations Center and optimizing the resolution of investigations and incidents - Required
  • Deep understanding of managing IT technical projects and technical teams - Required
  • Ability to think strategically and develop long-term cybersecurity strategies that support the AHA’s objectives to effectively manage risks and drive meaningful change. Understanding of how security impacts day-to-day operations and workloads, and ability to collaborate to maximize productivity and risk management. - Required
  • Ability to assess, prioritize, and mitigate cybersecurity risks/vulnerabilities while aligning security efforts with business objectives - Required
  • Capacity to analyze complex cybersecurity issues, identify root causes, and develop innovative and/or cost-effective solutions - Required
  • Vendor management skills including relationship management, contract reviews and negotiations, and vendor performance monitoring - Required
  • Effective budget management skills including managing spend against budget targets, identifying possible cost reduction opportunities, and forecasting budget spend rate and resource utilization - Required
  • Effective communication skills including written and verbal, and presentation skills including virtual and in person - Required
  • Proficiency with MS O365 office and collaboration applications including Teams, SharePoint, OneDrive, etc., which are essential for various daily tasks and responsibilities in this role - Required

Salary Information:

Commensurate with related experience. The AHA is committed to fair and equitable compensation practices. A candidate's salary is determined by various factors including, but not limited to, relevant work experience, skills, certifications, and location.

Salary Range - Minimum:

190000

Salary Range - Midpoint:

237000

Salary Range - Maximum:

284000

We offer an excellent total compensation package, which includes medical/dental coverage (PPO/HMO), vision care, life insurance, short- and long-term disability plans, 401(k), tuition reimbursement, PTO/holidays/health days, wellness programs, and more!

The American Hospital Association (AHA) is an Equal Opportunity Employer. We evaluate qualified applicants without regard to race, color, religion, sex, national origin, disability, veteran status, and other legally protected characteristics. We will provide reasonable accommodation for individuals protected by Section 503 of the Rehabilitation Act of 1973, the Vietnam Era Veterans' Readjustment Assistance Act of 1974, and Title I of the Americans with Disabilities Act of 1990. If, because of a medical condition or disability, you need a reasonable accommodation for any part of the employment process, please call (312) 422-3000 and ask for the Vice President, Human Resources, and let us know the nature of your request and your contact information.

The AHA participates in the E-Verify Program. #LI-Hybrid

PDN-a1619aee-4637-45c5-9715-2d71942c0c77

About American Hospital Association

The American Hospital Association (AHA) is the national organization that represents and serves all types of hospitals, health care networks, and their patients and communities. 

Close to 5,000 hospitals, health care systems, networks, other providers of care and 37,000 individual members come together to form the AHA.

Through our representation and advocacy activities, AHA ensures that members' perspectives and needs are heard and addressed in national health policy development, legislative and regulatory debates, and judicial matters.

Our advocacy efforts include the legislative and executive branches and include the legislative and regulatory arenas.

For more information, visit us on the web at www.aha.org.

American Hospital Association
Senior Director, Cybersecurity
Chicago, IL
Mar 25, 2026
Full-time