Information Security Architect, HCA Corporate - Nashville, TN JOB SUMMARY: The Information Security Architect is a technical leadership position potentially without reports. Their main role is to be the primary lead, representative and advocate for balanced and reasonable risk management of IT and Information Compliance for a line of business (e.g. Clinical, Shared Services) or specific technology domain (e.g. foundational infrastructure). Their role is to lead and facilitate discovery of the information and IT-related risks, apply critical thinking to the assumptions and developing the right security position/priorities that: first, attain compliance; second, address the material risks to the company while allowing for the business to attain its objectives. They are expected to have a working understanding of most domains of Information Security knowledge have a functional knowledge of most IT domains of knowledge. They must have the ability to compare and contract risks from different domains and weight relative impact of differing risk factors so that the material risks can be determined. They are expected to be able to identity complex systemic vulnerabilities that often elude SMEs of specific areas. Lastly, they must be able must be able to deal with complex compliance requirements and turn them into attainable requirements and architectures. They are required to function as a solution leader like role for a given "line of business" for Information Security related needs on new business initiatives, address existing risks that require non-trivial mitigation and provide operational guidance. In some cases they are required to assume more of the solution leader role for new project needs that fall into their area of expertise. So, they could have to do research, learn new business areas, develop business cases and submit new projects. They are required to accomplish many of the work goals through others. This position is also expected to be able to provide general compliance, risk management and technical over-sight for security work done by others to ensure effective results and manage major initiatives. They are expected to be a true expert in two or more Information Security related subject areas (e.g. web application security, penetration testing, virtualization, cloud security, network security, secure code development, data loss protection, encryption, mobile application security, Unix platform security, Windows platform security, etc.) They are able to operate with little day-to-day supervision after their goals and requirements have been discovered or provided. They are in highly effective at dealing with conflict and issues and require little day-to-day support and management. They are able to accept high-level goals from management without complete facts and drive them to completion in many cases. Lastly, they are expected to know when to communicate back to their management to keep them informed. GENERAL RESPONSIBILITIES: The Information Security Architect will each have the following job responsibilities: ï‚§ The IS Architect will provide balanced risk analysis, risk resolution and mitigation recommendations on projects and initiatives. They will facilitate with the proper project management, business owners and technical team members to implement such needed changes when possible and will ensure proper risk acceptance is done otherwise. ï‚§ The architect will focus on network architecture, system integration, application development, regulatory & business risk management, and technical threat and vulnerability management; and be the leader for the review, development, and approval of the security design and functionality of current and new IT projects, software products, new technologies, and network security. ï‚§ Strategic direction setting for HCA's information security group. The Sr. IS Architects has the responsibility for setting the direction for HCA information security policy, technology architecture, information security projects and other initiatives, and information security group role in other IT&S and business programs. ï‚§ Leading information security teams-providing direction for the team members on information security and other IT&S projects. ï‚§ Internal leadership in information security. Speaking for, and making decisions for the Information Security group at meetings with business leaders, DISOs, HDISs, IT&S leadership, and other executives at HCA ï‚§ External leadership in information security. The architects will have a key role in developing relationships and working with vendors and other outside entities and individuals to identify promising new technologies, qualify their application to HCA business requirements, determine which new technologies should be piloted or tested, and drive the development of new initiatives to purchase and implement, as appropriate. ï‚§ Leading or Attending SARC Gate Reviews (Security Gate Reviews) ï‚§ Attending ARC Gate Reviews as Requested (IT Gate Reviews) ï‚§ The security architect is responsible for develop architectures and designs of information technology (IT) systems that are generally resilient and provide protection against attack proportional to the risk vectors that relate. ï‚§ It is the individual's duty to detect the weaknesses in the systems and develop ways in which to rectify them. ï‚§ Improves quality results by evaluating, suggesting upgrades and directing changes. ï‚§ Provides information by collecting, analyzing, and summarizing data and trends in new technologies for security purposes. ï‚§ Updates job knowledge by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations. ï‚§ Negotiation of Information Security Agreements with high-profile vendors as needed. ï‚§ Developing new standards, platform standards or architectural standards as needed. ï‚§ Mentoring of junior staff and engineers in the information security group. ï‚§ In addition to their role on projects, the Consulting Information Security Architect is often expected to be able to not only contribute to the development of Information Security policy, standards, long term strategic planning and development, but they are expected to be able to lead such efforts. The Architect positions serve as key leaders of the information security team. They will set the direction and agenda on risk management strategy, project approaches, and technology issues; and will lead multiple "virtual teams" that will implement new security architecture or components and integrate security in other IT projects. The Architects will work closely with various business units and interface on a regular basis with technical and non-technical members of the organization and senior business and IT&S leaders. The Architects will have a key role in communicating complex technical issues to technical staff as well as non-technical business stakeholders. Examples of specific Information Security Architect responsibilities include: ï‚§ Developing new security architecture and controls as needed by actual or expected business change ï‚§ Setting the level of assessment on projects based on general risk ï‚§ Setting security requirements ï‚§ SARC Gate Reviews ï‚§ Leading the security work on projects ï‚§ Direct vendor relations for IT&S, including the architecture for all connectivity, the set up of vendor accounts on the HCA network, and the development of contract security terms and language for all national IT agreements. ï‚§ Direct the integration of information security requirements into new projects from the Product Development group for the development of IT applications. ï‚§ Direct the integration of information security technologies and architectures to manage risks in HCA's nation-wide network Infrastructure. DIRECTION RECEIVED/RESPONSIBILITY FOR OTHERS: The Information Security Architect provides direction to an assigned lines of business in the following areas: ï‚§ Clinical (Acute Care, Physician Practices, Ambulatory Services, etc.) ï‚§ Shared Services (Revenue Cycle, Staffing Services, Group Purchasing Services, Supply Chain Services) ï‚§ Foundational Infrastructure and Partners (Foundational Security Architect Role) ï‚§ Research Groups (Clinical Trials) ï‚§ Joint Ventures (e.g. Software Product JVs) ï‚§ Corporate Groups ï‚§ Information Technology EXPERIENCE: Successful applicant will have 10+ years of applicable experience CISSP or equivalent experience in Information Security is preferred EDUCATION: College Graduate BA Preferred Security Technical Training a Plus (e.g. SANS, CISSP, OWASP, BLACKHAT) SPECIAL QUALIFICATIONS (Required licenses, certificates, specific skills, personal traits,; e.g., RN, CPA, able to type 90 wpm, detail orientation.) To fulfill the responsibilities of this position, the security architect should have the following attributes, expertise, training, and knowledge: InfoSec Related: * Must be able to perform security architectural assessment, large system analysis, functional gap analysis, edge condition analysis. * Ability to develop and drive integration of security requirements for new technologies and systems * They need the ability to connect legal, regulatory, and organizational requirements to identify, architect & design solutions that reduce the risk to the company. * A functional knowledge of various Information Security domains of knowledge (some examples): Network Security, Firewall, Wireless Security, IDS/IPS, Identity Management, Audit Log Controls and Management, Risk Management, Compliance Regulation (HIPAA, PCI, etc). * Knowledge of security specific technologies (preferred): Encryption, PKI, Authentication Protocols, Authorization Protocols, Directory Services, ID Federation, SSO Technologies, Strong Authentication, etc. * A functional knowledge of many emerging technical domains (a plus): Cloud Computing, Virtualization, Mobile Computing, APT Attacks, Botnets, Client-Side Attacks, etc. * They must be an articulate and persuasive technical leader who is able to communicate complex security-related concepts to a broad range of technical and non-technical staff. * Proactively evolve the information security capabilities needed to reduce risk & protect the company. * Knowledge of and experience with security engineering, risk assessment and risk management tasks, techniques and tools (preferred). * Knowledge of and experience with threat modeling, vulnerability testing and penetration testing (a plus). * Develop procedural and automated solutions to improve compliance with security policies and standards. Technical Related: * Demonstrated record as a strong, collaborative technical leader with the ability to think analytically and creatively to solve complex problems. * Provide technical leadership and contribute to departments' strategic planning and roadmap development * A functional knowledge of all core IT domains of knowledge: Network Switching/Routing, Wireless Networking, Network Protocols (TCP/IP, HTTP, FTP, LDAP, etc), Windows Operating Systems, UNIX/Linux Operating Systems, Applications Architectures, Web technologies and protocols. * Able to analyze new technologies and determine how they will impact the company and recommend a suitable course of action. * Extensive and varied experience in Information Technology and Infrastructure Design and Implementation (preferred) * Functional knowledge of programming and software development (a plus) * Application Development Experience (a plus) Leadership Related: * Strong Logic and Critical Thinking Skills * Proven and fast decision making ability * Strong conflict management skills * Strong discussion and facilitation skills in meetings * Excellent multi-tasking, prioritization and time management skills * Strong communication and public speaking skills, can present to large audiences or upper management effectively * Able to do long term planning, long term strategy creation, roadmap creation, etc. * They must have business acumen, communication skills, and process-oriented thinking in addition to very strong technical background. * Good Executive Presence The security architect candidate should possess: * 7+ years of experience in a focused technical information security role; or 10+ years of experience in IT * Advanced Technical Security and/or related education/experience. PHYSICAL DEMANDS/WORKING CONDITIONS (Specific statements of physical effort required and description of work environment; e.g., prolonged sitting at CRT.) Position may require periodic after hours work and moderate travel at times with little notice. Candidates are expected to work most days at the Nashville, TN corporate office during normal business hours. Candidates are expected to live near (100 miles) of Nashville, TN. Relocation packages are available for qualified candidates selected.