Cybersecurity Manager

TechNova Ghana

Remote (Ghana) — Accra | Full-time | Director / Executive | Posted 17 Feb 2026

Category: IT & Technology

Job Description

Governance, Risk & Compliance (GRC)

Lead the enterprise security program aligned to HIPAA Security Rule, SOC 2 Type II, HITRUST CSF, and internal policies. Own risk assessments, risk register, treatment plans, and executive reporting. Maintain security policies and standards (access control, encryption, vendor risk, vulnerability management, incident response, acceptable use, AI/GenAI usage). Coordinate audits, evidence collection, corrective actions, and ongoing compliance monitoring.

Security Operations

Oversee daily security operations: SIEM monitoring, EDR, vulnerability scanning, patch management, and email security/anti-phishing. Implement and tune detection rules, playbooks, and escalation paths; manage MDR/SOC vendors as applicable. Ensure Azure security posture through Defender for Cloud, Sentinel, and RBAC enforcement. Validate security configurations for .NET APIs, Blazor WASM, MAUI apps, and PostgreSQL—working with engineering to confirm adherence to secure coding guidelines. Collaborate with third-party penetration testing vendors: schedule tests, review findings, and track remediation.

DevSecOps Guidance

Define and enforce secure coding standards for .NET, Blazor, and MAUI applications. Ensure CI/CD pipelines include security checks (SAST, DAST, dependency scanning). Provide oversight for infrastructure-as-code security (ARM/Bicep templates) and zero-trust principles. Advise engineering on OWASP best practices and secure API design.

Incident Response & Business Continuity

Lead incident response lifecycle (prepare, detect, contain, eradicate, recover, lessons learned) with documented runbooks. Coordinate with Privacy/Legal on reportable events; align to HIPAA breach requirements and internal incident procedures. Maintain and test Business Continuity and Disaster Recovery plans; run tabletop exercises at least twice annually.

Identity, Access & Data Protection

Enforce least-privilege, role-based access control (RBAC), and periodic access reviews for PHI/PII and critical systems. Manage Entra ID and privileged access management (PAM). Implement data loss prevention (DLP) and encryption standards (in transit and at rest), including key management in Azure Key Vault.

Vendor Management Responsibilities

Oversee third-party risk management for all vendors handling PHI, PII, or critical systems. Conduct security due diligence, including reviewing SOC 2/ISO certifications, penetration test results, and security questionnaires. Ensure Business Associate Agreements (BAAs) are in place for vendors processing PHI and verify compliance with HIPAA Security Rule. Maintain a vendor risk register and track remediation of identified gaps. Monitor vendor adherence to contractual security obligations, including data residency, retention, and model training restrictions for AI tools. Collaborate with Procurement and Legal to include security requirements in contracts and enforce breach notification timelines. Periodically reassess vendor security posture and update risk ratings based on audits or incidents.

Requirements

A strong candidate will demonstrate the following:

Bachelor’s degree in Information Security, Computer Science, or related field—or equivalent experience.

5–8+ years in security roles with 2–3+ years leading security operations or GRC initiatives.

Hands-on experience with cloud security.

Working knowledge of HIPAA Security Rule, PHI/PII handling, SOC 2 Type II, and incident response practices.

Hands-on experience with Azure security services (Defender for Cloud, Sentinel, Key Vault, RBAC).

Familiarity with secure development practices for .NET, Blazor WASM, MAUI, and PostgreSQL (oversight, not coding).

Proven ability to run risk assessments, develop policies, and manage audits.

Strong communication skills; ability to influence cross-functional leaders and train non-technical audiences.