
Chief Information Security Officer

Tuba City Regional Health Care Corp

Location

Tuba City, AZ, US

Salary

Not specified

Type

fulltime

Posted

Today

via indeed

Job Description

Navajo Preference Employment Act: In accordance with Navajo Nation and federal law, TCRHCC has implemented an Affirmative Action Plan pursuant to the Navajo Preference in Employment Act. Pursuant to this Plan and corresponding TCRHCC Policy, applicants who meet the necessary qualifications for this position and (1) are enrolled members of the Navajo Nation, Hopi Tribe, or San Juan Southern Paiute Tribe will be given preference in hiring and employment for this position, (2) are legally married to enrolled members of the Navajo Nation, Hopi Tribe, or San Juan Southern Paiute Tribe and meet residency requirements will be given secondary preference, and (3) are enrolled members of other federally-recognized American Indian Tribes will be given tertiary preference.

Overview:

POSITION SUMMARY

Reporting to the Chief Information Officer (CIO) and collaborating closely with the Chief Compliance Officer (CCO), the Chief Information Security Officer (CISO) is the senior executive responsible for the organization’s entire information security posture. This role involves the strategic development, implementation, and management of a comprehensive enterprise-wide information security program. The CISO ensures that information assets and technologies are adequately protected across the healthcare network, mitigating risks from unauthorized access, cyber-attacks, and data breaches while ensuring strict adherence to HIPAA, AHCCCS, and other regulatory standards.

Qualifications:

NECESSARY QUALIFICATIONS

Education:

Bachelor’s Degree in Information Systems, Computer Science, Cybersecurity, or a related field

Certification:

Certified Information Systems Security Professional (CISSP)

Experience:

  • A minimum of seven (7) to ten (10) years of experience in IT infrastructure, with at least five (5) years specifically in information security leadership.
  • Proven experience in healthcare IT security, including risk analysis and management within HIPAA/HITECH frameworks.
  • Expertise in modern infrastructure security: Cloud Security (Azure/AWS), SD-WAN security, and Citrix VDI environment hardening.
  • In-depth knowledge of NIST Cybersecurity Framework, ISO 27001, and Zero Trust architectures.
  • Familiarity with AI/ML security governance, including risk assessment of clinical AI tools and vendor AI solutions.

Other Skills and Abilities:

A record of satisfactory performance in all prior and current employment as evidenced by positive employment references from previous and current employers. All employment references must address and indicate success in each one of the following areas:

  • Positive working relationships with others
  • Reliable and dependable; reports to work as scheduled without excessive absences
  • Possession of high ethical standards and no history of complaints
  • Ability to prioritize and execute tasks in a high-pressure environment
  • Strong organizational skills and ability to multitask in a business environment
  • Ability to communicate ideas in both technical and user-friendly language; at times simultaneously
  • Proven analytical and creative problem-solving abilities using good project management skills
  • Highly self-motivated and keen attention to detail
  • Completion of, and above-satisfactory scores on, all job interviews, demonstrating to the satisfaction of the interviewees and TCRHCC that the applicant can perform the essential functions of the job
  • Successful completion of and positive results from all background and reference checks, including positive employment references from authorized representatives of past and current employers demonstrating to the satisfaction of TCRHCC a record of satisfactory performance and that the applicant can perform the essential functions of the job
  • Successful completion of fingerprint clearance requirements, physical examinations, and other screenings indicating that the applicant is qualified to be employed by TCRHCC and demonstrating to the satisfaction of TCRHCC that the applicant can perform the essential functions of the job
  • Submission of all required employment-related documents, applications, resumes, references, and other required information free of false, misleading, or incomplete information, as determined by TCRHCC.

Responsibilities:

  • Strategy & Governance: Establish and maintain the enterprise vision and strategy to ensure information assets and technologies are adequately protected.
  • Risk Management: Lead comprehensive enterprise risk assessments; develop and oversee the Information System Security Plan (ISSP) and Cybersecurity Governance Charter.
  • Incident Response: Lead the Cybersecurity Incident Response Team (CSIRT). Direct investigations into security-related incidents and coordinate corrective measures.
  • Technical Oversight: Partner with IT staff to ensure security-by-design in firewalls, SD-WAN, and cloud migration projects.
  • Policy Development: Create and enforce IT security policies, standards, and procedures in alignment with clinical and financial operational requirements.
  • Access Control: Oversee Identity and Access Management (IAM), ensuring all users have requisite authorization and 'need-to-know' access.
  • Vendor Management: Conduct third-party risk assessments (TPRM) to ensure vendor compliance with organizational security standards.
  • Compliance: Act as a liaison for privacy and security audits; ensure systems are maintained and disposed of in accordance with internal policies and federal law.
  • Training: Develop and manage a cybersecurity awareness program for all end-users regarding potential threats and safe data handling.
  • Business Continuity: Monitor system recovery processes to ensure security features and procedures are properly restored post-incident.
  • Board & Executive Reporting: Present security posture, risk metrics, and program maturity to the Board and executive leadership regularly.
  • Security Budget Ownership: Develop and manage the information security budget, aligning investments with organizational risk appetite.
  • Medical Device Security: Oversight of IoMT (Internet of Medical Things) security, which is unique to healthcare and increasingly important.
  • Cyber Insurance: Liaison with risk management on cyber liability coverage and requirements.
  • Third-Party & Supply Chain Risk: Vendor risk management beyond basic BAAs (Business Associate Agreements).
  • Establish and enforce an AI Security Governance framework, ensuring clinical and operational AI tools are evaluated for bias, data privacy, and security risks prior to deployment.
  • Ensure proper PPE is worn at all times while on duty, including but not limited to face mask, gloves, gown, isolation gown, NIOSH-approved N95 filtering facepiece respirator (or higher, if available), and eye or face shield.
  • Complete all donning and doffing tasks in a safe, acceptable manner and dispose of used PPE accordingly (see CDC website for most current updates).
  • Complete task training for all routine cleaning and decontamination processes for all surfaces contaminated by a communicable disease to ensure a high level of patient, visitor, employee, and external customer satisfaction.
