Cybersecurity Director - Franklin, TN

Acadia Healthcare
Full-time
On-site
Franklin, Tennessee, United States
Cyber Security Director

Overview

We are seeking an experienced Cybersecurity Director to join our team in Franklin, TN.

 

Location: This position is based at Acadia Healthcare's corporate office in Franklin, TN. The first 90 days in this role will be fully in-person to ensure comprehensive onboarding and training.

 

After the initial period, the position will transition to a hybrid model, with 2 days remote and 3 days in the office each week. 

 

PURPOSE STATEMENT:

The Cybersecurity Director is responsible for leading and managing Acadia’s cybersecurity strategy, programs, and initiatives to protect the confidentiality, integrity, and availability of its information assets. This role involves developing and implementing comprehensive cybersecurity strategies, overseeing the security posture, managing cybersecurity teams, and ensuring compliance with regulatory requirements and industry standards.  

 

Responsibilities

ESSENTIAL FUNCTIONS:

 

  1. Cybersecurity Strategy and Planning:
    1. Develop and implement a comprehensive cybersecurity strategy aligned with the organization's business goals.
    2. Define cybersecurity policies, standards, and procedures.
    3. Identify emerging threats and vulnerabilities and proactively address them.
  2. Security Operations:
    1. Oversee the day-to-day operation of the cybersecurity function.
    2. Monitor and analyze security alerts and incidents, responding promptly to mitigate threats.
    3. Implement security controls and technologies to protect against cyber threats.
  3. Team Management:
    1. Lead and mentor a team of cybersecurity professionals, including security analysts, engineers, and specialists.
    2. Set performance goals and conduct regular performance reviews.
    3. Recruit and onboard new talent as needed.
  4. Risk Management:
    1. Conduct regular risk assessments and vulnerability assessments.
    2. Develop and maintain a risk management framework.
    3. Recommend and implement risk mitigation strategies.
  5. Compliance and Governance:
    1. Ensure compliance with relevant regulatory requirements and industry standards (e.g., HIPAA, etc.).
    2. Monitor and report on compliance status to senior management and external stakeholders.
  6. Mergers and Acquisitions (M&A):
    1. Actively participate in due diligence processes for M&A activities, assessing the cybersecurity posture of potential acquisition targets.
    2. Develop integration plans for cybersecurity, ensuring the smooth transition of security controls and policies during mergers or acquisitions.
    3. Identify and address cybersecurity risks associated with M&A transactions.
  7. Vendor Risk Management:
    1. Establish and maintain a comprehensive vendor risk management program.
    2. Evaluate and assess the cybersecurity practices and controls of third-party vendors and service providers.
    3. Define risk assessment criteria and conduct vendor risk assessments regularly.
    4. Work with vendors to remediate identified security gaps or vulnerabilities.
    5. Monitor vendor compliance with cybersecurity requirements and contractual agreements.
  8. Cyber Insurance Management:
    1. Collaborate with insurance providers to assess and procure cyber insurance coverage tailored to the organization's needs.
    2. Maintain a comprehensive understanding of the organization's cyber insurance policies and coverage.
    3. Ensure accurate documentation and reporting of cybersecurity incidents to facilitate insurance claims.
    4. Review and update cyber insurance policies as needed to adapt to evolving risks.
    5. Assist in the claims process and provide necessary documentation to expedite settlements.
  9. Security Awareness and Training:
    1. Promote a culture of cybersecurity awareness throughout the organization.
    2. Conduct security training and awareness programs for employees.
  10. Incident Response and Recovery:
    1. Develop and maintain an incident response plan.
    2. Lead incident response efforts in the event of a security breach.
    3. Coordinate with legal, HR, and law enforcement as needed.
  11. Budget Management:
    1. Manage the cybersecurity budget, ensuring efficient allocation of resources.
    2. Track and report on budget expenditures.
  12. Vendor Management:
    1. Collaborate with third-party vendors and service providers to enhance cybersecurity capabilities.
    2. Evaluate and select cybersecurity technologies and tools.
  13. Performance Metrics:
    1. Define and track key performance indicators (KPIs) for the cybersecurity function.
    2. Regularly report on cybersecurity metrics to senior management.

 

OTHER FUNCTIONS:

  • Performs other duties as assigned.

STANDARD EXPECTATIONS:

  • Complies with organizational policies, procedures, and performance improvement initiatives, and maintains organizational and industry policies regarding confidentiality.
  • Communicates clearly and effectively with person(s) receiving services and their family members, guests and other members of the health care team.
  • Develops constructive and cooperative working relationships with others and maintains them over time.
  • Encourages and builds mutual trust, respect, and cooperation among team members.
  • Maintains regular and predictable attendance.

 

Qualifications

EDUCATION/EXPERIENCE/SKILL REQUIREMENTS:

 

  • Education: A Bachelor's degree or equivalent work experience.
  • Experience: Minimum of 5 years of cybersecurity experience, with a preference for at least 2 years in a leadership role.
  • Expertise: Strong knowledge of cybersecurity principles, technologies, and best practices.
  • Communication: Excellent communication and interpersonal skills.
  • Decision-Making: Ability to work effectively under pressure and make critical decisions in high-stress situations.
  • Compliance: Knowledge and understanding of relevant legal and regulatory requirements, such as: Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security Standard (PCI).
  • Frameworks: Proficiency in common information security management frameworks, such as ITIL, Center for Internet Security (CIS) Critical Security Controls (CSC), and NIST, including 800-53 and Cybersecurity Framework.
  • Problem-Solving: Strong problem-solving and analytical abilities.
  • Technology Proficiency: Candidates must be capable of effectively evaluating and implementing technical alternatives, staying up to date with emerging technologies.
  • Incident Response Proficiency: Proven background in incident response and a demonstrated ability to effectively manage data breaches are highly desirable.
  • Budget Management: Experience in managing cybersecurity budgets effectively and efficiently.
  • Interpersonal Skills: Excellent interpersonal skills, including the ability to interact professionally with individuals at all levels, both internally and externally.
  • Self-Motivation: Self-motivated with strong organizational skills and exceptional attention to detail.
  • Multitasking: Ability to manage multiple tasks/projects simultaneously within strict time frames and adapt to frequent priority changes.
  • Adherence: Capability to work within established policies, procedures, and practices set by the organization.
  • Language Skills: Proficient in English to provide and receive instructions and directions effectively.

 

LICENSES/DESIGNATIONS/CERTIFICATIONS:

  • Certifications: Desired but not required: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), GIAC Information Security Fundamentals (GISF), Certified Data Privacy Solutions Engineer (CDPSE), GIAC Critical Controls Certification (GCCC) or other similar credentials.

 

SUPERVISORY REQUIREMENTS:

Supervises a team of employees

 

While this job description is intended to be an accurate reflection of the requirements of the job, management reserves the right to add or remove duties from particular jobs when circumstances (e.g. emergencies, changes in workload, rush jobs or technological developments) dictate.

 

 
