Position Summary:
Key Responsibilities
Information Security Governance & Management
• Lead and manage the Information Security Program across the organization.
• Develop, implement, maintain, and continuously improve the Information Security Strategy, Roadmap, Policies, Standards, Procedures, and Guidelines.
• Define and execute annual information security objectives aligned with business goals and AXA Group requirements.
• Establish and monitor Information Security KPIs, KRIs, compliance metrics, and security maturity indicators.
• Prepare and present security reports, dashboards, and risk updates to senior management, executive leadership, and relevant governance committees.
• Manage information security documentation and ensure continuous review and improvement of security processes.
Risk Management & Compliance
• Own and manage the Information Security Risk Management Program in alignment with AXA’s IRM framework.
• Conduct and oversee enterprise security risk assessments and maintain the Information Security Risk Register.
• Identify security threats, vulnerabilities, and business impacts and ensure effective remediation plans are implemented.
• Manage compliance with local regulations, legal requirements, AXA Group standards, ISO 27001 requirements, and other applicable security frameworks.
• Coordinate internal and external audits and ensure timely closure of audit findings and security observations.
• Manage security exceptions, risk acceptance processes, and compliance tracking activities.
Information Security Management System (ISMS)
• Own, maintain, and continuously improve the Information Security Management System (ISMS).
• Ensure all security controls remain effective and aligned with organizational risks and compliance requirements.
• Coordinate management reviews, internal assessments, corrective actions, and continuous improvement initiatives.
Security Operations & Incident Response
• Manage and oversee all security operations activities, including security monitoring, vulnerability management, threat management, and incident response.
• Manage internal and external Security Operations Center (SOC) services and ensure effective detection, investigation, escalation, and response to security events.
• Lead cybersecurity incident investigations and coordinate remediation activities with IT, business stakeholders, vendors, legal, and HR functions.
• Ensure security incidents are properly documented, investigated, reported, and resolved.
Vulnerability Management & Security Testing
• Own and manage vulnerability assessment and penetration testing programs.
• Ensure regular vulnerability scans, penetration tests, security assessments, and remediation activities are conducted.
• Track and report remediation status and ensure closure of identified security weaknesses.
Security Architecture & Secure Design
• Review and approve security requirements, architectures, and designs for new systems, applications, cloud environments, and technology initiatives.
• Ensure cybersecurity requirements are incorporated into projects, procurement processes, RFIs, RFQs, and RFPs.
• Participate in project governance processes and provide security approvals before production deployment.
• Promote secure-by-design and security-by-default principles across all technology initiatives.
Application Security & Change Management
• Ensure security requirements are embedded within Software Development Lifecycle (SDLC), Change Management, and Project Management processes.
• Conduct security reviews and risk assessments for new applications, infrastructure, and business initiatives.
• Ensure appropriate security testing is completed before Go-Live approval.
Third-Party & Vendor Security Management
• Conduct security reviews and risk assessments for vendors, suppliers, partners, and third parties.
• Define and monitor security requirements for third-party relationships.
• Manage security assessments and remediation activities related to external service providers.
Security Awareness & Training
• Develop and manage the Information Security Awareness Program.
• Deliver security awareness initiatives and promote a strong security culture throughout the organization.
• Conduct targeted awareness activities for technical and non-technical employees.
Resource, Budget & Vendor Management
• Manage security vendors, consultants, and external security service providers.
• Support development and management of the Information Security budget and resource plans.
• Identify resource requirements and recommend improvements to strengthen the organization’s security capabilities.
Qualifications
Education
• Bachelor’s Degree in Information Security, Computer Science, Information Technology, Engineering, or a related discipline.
Professional Experience
• Minimum 8–10 years of progressive experience in Information Security, Cybersecurity, Risk Management, Security Operations, Security Architecture, or related disciplines.
• Minimum 3–5 years in a management role responsible for information security programs.
• Proven experience managing Information Security Management Systems (ISMS), security governance, risk management, compliance programs, incident response, vulnerability management, and security operations.
• Experience managing third-party security providers, auditors, consultants, and security vendors.
• Experience within healthcare, insurance, financial services, or highly regulated environments is preferred.
Technical Knowledge
• Strong understanding of ISO 27001, NIST Cybersecurity Framework, CIS Controls, and information security best practices.
• Strong knowledge of cloud security, network security, application security, vulnerability management, and security monitoring.
• Experience with security risk assessment methodologies and cybersecurity governance frameworks.
• Knowledge of regulatory and compliance requirements applicable to healthcare and insurance sectors.
Preferred Certifications
• CISSP
• CISM
• CRISC
• ISO 27001 Lead Implementer and/or Lead Auditor
• CCSP
• Security+, CEH, or equivalent cybersecurity certifications
Leadership Competencies
