Job Description
Employment Type:
Full time
Shift:
The Manager, Information Security Risk and Consulting, operating under the direction of the Director of Information Security Strategy and Planning, plays a critical role in executing and maturing the organization’s third-party and integrated risk management program. This includes oversight of enterprise risk assessments across commercial off-the-shelf (COTS), open source, and internally developed applications, as well as associated system integrations. The role is responsible for identifying, assessing, and prioritizing security risks, ensuring appropriate controls are implemented, and driving continuous monitoring and risk-informed decision-making across the organization.
This position leads the development and reporting of key risk indicators (KRIs) and key performance indicators (KPIs) to provide actionable insights to leadership and support effective governance. Additionally, the role oversees the design and execution of scalable risk management processes, leveraging GRC tools and automation to enhance efficiency and consistency.
As a people leader, the Manager builds, develops, and leads a highly engaged, high-performing team of security risk professionals, fostering a culture of accountability, collaboration, and continuous improvement within a complex and evolving security environment.
Essential Functions
Our Trinity Health Culture: Knows, understands, incorporates & demonstrates our Trinity Health Mission, Values, Vision, Actions & Promise in behaviors, practices & decisions.
Program and Regulatory Compliance
- Develops and leads Trinity Health’s Information Security Third Party Risk and Integrated Risk Management Program, with direct responsibility for defining team goals, scope of work, and deliverables aligned to Enterprise Information Security (EIS) priorities.
- Partners with stakeholders to ensure initiatives support the organization’s mission, values, and operational goals, while maintaining compliance with regulatory, legal, and contractual obligations.
- Leads the team’s engagement in regulatory audit and investigation activities, including the coordination and production of evidence.
People Leadership
- Responsible for developing and leading a high-performing team of security risk professionals focused on third-party and integrated risk management, risk-based prioritization, and enterprise risk remediation coordination.
- Provides hands-on leadership and direct supervision of team members, ensuring effective recruitment, performance management, training, and clear accountability for individual and team productivity.
- Designs and maintains a structured leadership development framework with clear competencies, promotion criteria, and aligned role expectations.
- Provides ongoing coaching, mentorship, and development planning to prepare employees for advancement while actively promoting psychological safety and open communication.
- Ensures fair, data-driven evaluations and fosters a collaborative, inclusive leadership culture.
- Exhibits courageous, authentic leadership—building trust through vulnerability, empathy, and clear, human-centered communication with executives and stakeholders through both formal and informal channels.
Information Security Governance, Risk & Compliance (GRC)
- Oversees and actively contributes to third-party and integrated risk management activities within Trinity Health GRC platforms, driving continuous process improvement and proactively planning for changes to control frameworks and risk questionnaires.
- Actively perform and review vendor tiering and risk assessments alongside the team, taking ownership of and/or supporting senior team members through ownership of complex or high-risk cases, as appropriate
- Define and maintain the third-party cyber risk lifecycle, including intake, inherent risk scoring, due diligence, control assessment, remediation, risk acceptance, ongoing monitoring, renewal review, material change review, and offboarding.
- Evaluate vendor controls across identity and access management, network security, cloud security, application security, data protection, encryption, vulnerability management, endpoint protection, logging and monitoring, incident response, disaster recovery, secure SDLC, privacy, and governance
- Review and advise on contractual clauses related to security controls, breach notification, incident cooperation, right to audit, data protection, encryption, access control, regulatory compliance, cyber insurance, subcontractors, business continuity, data retention, and secure data destruction
- Facilitate and lead offshore security risk compliance program.
- Translate technical findings into business risk language that enables informed decisions by senior leaders and business owners
- Prepare materials for audit, regulatory inquiries, board reporting, and internal governance reviews as needed
- Track deviations from security procedures and standards, document risk implications, drive risk remediation, and route risk acceptance (security policy exceptions) for appropriate approvals.
- Maintain hands-on involvement in day-to-day assessments to ensure quality, consistency, and timely delivery.
- Escalate overdue or unacceptable vendor risks through leadership as appropriate.
Metrics and Reporting
- Works with Strategy and Planning and Enterprise Information Security Leadership to define and report on key risk indicators (KRIs) and key performance indicators (KPIs) to provide actionable insights to leadership and support effective governance.
Information Security Risk Management
- Responsible for assigning, managing, and actively overseeing team assessment work, ensuring alignment with standards through coordinated intake and stakeholder engagement.
- Validates team members’ risk assessments to ensure new and existing solutions comply with Trinity Health information security requirements.
- Accountable for balancing workload and ensuring the team is trained and skilled to effectively deliver department services.
Executive & Stakeholder Engagement
- Builds and sustains effective relationships with executives and key stakeholders through clear, authentic, risk-informed communication; enables alignment, drives informed decision-making, and fosters shared accountability for managing security risk.
Enterprise Risk Communication & Decision Support
- Synthesizes and communicates enterprise security risk insights to executives and stakeholders in a clear, actionable manner; translates complex risk data into meaningful narratives that support informed decision-making, drive prioritization, and strengthen governance and alignment with organizational objectives.
Information Security Leadership Support
- Serves as a representative of the Director of Strategy and Planning as directed. Supports Information Security leadership by providing risk-informed insights, actionable recommendations, and clear communication to enable strategic decision-making, program prioritization, and alignment with organizational objectives.
Security Leadership & Coordination
- Leads and coordinates engagement with Enterprise Information Security leadership to ensure aligned execution of security and risk management activities, including policy and standards development, control assessments, and risk management education; drives collaboration, consistency, and integration of security practices across the organization.
Regulatory & Standards Monitoring
- Maintains a working knowledge of applicable Federal, State, and local laws and regulations, the Trinity Health Integrity and Compliance Program and Code of Conduct, and relevant policies and procedures, while staying current with industry developments and regulatory changes to ensure updates are reflected and adherence is upheld with honest, ethical, and professional behavior.
Project Management
- Provides leadership and oversight of security risk initiatives, ensuring successful delivery and alignment with organizational standards and risk management objectives.
- Leads and develops team members managing projects, ensuring consistent execution, accountability, and high-quality outcomes.
- Partners with stakeholders and senior leadership to align priorities, communicate status, and drive strategic outcomes.
- Proactively identifies risks and ensures effective mitigation to keep initiatives on track and meet organizational expectations.
Relationship Management
- Develops and manages relationships to ensure stakeholders are actively engaged throughout the project, program, or initiative life cycle.
- Works with stakeholders to ensure business process workflows; training and communication plans are completed.
- Provides appropriate tools, training, guidance, and necessary resources to resolve problems, avert potential risks and maintain engagement to support risk avoidance, risk remediation and empower champions of information security best practices throughout the organization.
Minimum Qualifications
- Bachelor’s degree in Information Security or an equivalent combination of education and experience.
- One or more security certifications: Certified Information Systems Security Professional (CISSP), International Social Security Association (ISSA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) Certified in Governance, Risk and Compliance (GRCP) or equivalent.
- Minimum of seven (7) years of progressive experience in information services including three (3) years working in cybersecurity governance, risk, and compliance (GRC).
- Minimum of three (3) years of management experience with demonstrated leadership effectiveness and emotional intelligence. Proven ability to lead, develop, and retain high-performing, highly engaged teams in complex security environments, including managing diverse talent and implementing tailored development strategies to drive individual and team success.
- Minimum of three (3) years of progressively responsible experience in healthcare and/or other regulated industries. Preferred candidates will have experience in complex healthcare environments with a strong understanding of operational workflows, information practices, and information systems.
- Strong knowledge of the HIPAA Security Rule and applicable industry security regulations, with the ability to rapidly build and sustain expertise; working understanding of broader HIPAA requirements, including Privacy and Breach Notification Rules.
- Proven knowledge of enterprise security principles and practices, with hands-on experience or demonstrated capability in implementing, integrating, and managing security solutions across enterprise environments.
- Working knowledge of one or more information security regulations and/or frameworks - HIPAA, ISO 27001/2, FISMA, FIPS, HITRUST and NIST security.
- Experience with GRC platforms (e.g., ServiceNow GRC, RSA Archer, OneTrust, or similar) supporting risk and compliance programs. Demonstrated ability to leverage tooling to improve process efficiency, enable reporting, and support scalable risk management practices.
- Ability to serve as a leadership representative of the Strategy and Planning Director and interface with a variety of Health Ministry and System Office Executive leaders, team members and end users, exercising effective facilitation skills, judgment, and decision-making in providing problem resolution and in meeting established goals and expectations. Ability to shape results, garner support and successfully manage complex relationships.
- Demonstrated courageous, authentic leadership through clear, human-centered communication with senior leaders and stakeholders; builds trust through empathy and vulnerability while skillfully navigating complex conversations, influencing decisions, and delivering compelling, accessible messages in both formal and informal settings.
- Excellent oral and written communication skills. Facilitates meetings between diverse groups and interests and prepare communications that includes independent advisory recommendations. Ability to communicate with non-technical leaders and business owners providing a clear understanding of appropriate technology solutions to support and enhance business needs.
- Proficiency in performing third-party risk assessments and negotiating contractual security language
- Proven ability to apply appropriate project management methodology. Excellent project leadership, organization, integration, and execution skills required.
- Knowledge of and experience with change control, risk management, project planning, relationship management, budgeting, and scheduling.
- Ability to operate in an ambiguous and highly matrix organizational structure. Ability to manage multiple and ever-changing priorities in a highly autonomous self-directed manner.
- Some knowledge of and experience with clinical application systems (i.e., hospital work environment, technical terminology, etc.).
- Considerable knowledge of multiple technologies and experience with enterprise-wide applications and systems in an integrated work environment.
- Proven ability to operate with speed and focus, driving measurable value through high-quality delivery of time-sensitive initiatives.
Preferred Qualifications
- Master's degree in Cybersecurity or related field from an accredited college/university
- Two or more Certification(s) in project management, change management, information security, and/or information technology.
- Experience with risk quantification models (e.g. FAIR) or building custom risk scoring approaches.
- Familiarity with data visualization tools (e.g., Tableau, Power BI) for building risk dashboards
- Experience working cross-functionally to evaluate security controls and business processes, translating findings into meaningful risk insights
- Experience in managing risk in a healthcare environment
- Demonstrated passion for business relationship management, fostering strong partnerships and aligning stakeholder needs with strategic outcomes.
- Experience with Artificial Intelligence (AI) as a strategic tool to enhance efficiency in day-to-day business processes and strengthen risk assessment capabilities through automation, predictive analytics, and intelligent decision support.
Physical & Mental Requirements & Working Conditions
- This position operates in a typical office environment. The area is well lit, temperature-controlled, and free from hazards. Incumbent communicates frequently, in person and over the telephone, with people in a number of various locations on technical issues. Remote office must be set up to maintain confidentiality and privacy of business and clinical information. Manual dexterity is needed to operate a keyboard. Hearing is needed for extensive telephone and in person communications. The environment in which the incumbent will work requires the ability to concentrate, meet deadlines, work on several projects at the same period and adapt to interruptions. The incumbent must be capable of traveling in the course of completing project assignments. Frequent over time is required to meet deadlines.
- Must be able to set and organize own work priorities and adapt to them as they change frequently.
- Must be able to travel to the various Trinity Health sites as needed (may or may not apply).
Our Commitment
Rooted in our Mission and Core Values, we honor the dignity of every person and recognize the unique perspectives, experiences, and talents each colleague brings. By finding common ground and embracing our differences, we grow stronger together and deliver more compassionate, person-centered care. We are an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, or any other status protected by federal, state, or local law.