Posted:
7/10/2026, 4:15:31 AM
Location(s):
Ohio, United States ⋅ Wooster, Ohio, United States
Experience Level(s):
Senior
Field(s):
IT & Security
Workplace Type:
On-site
Pay:
$62k/yr
Screen reader users may encounter difficulty with this site. For assistance with applying, please contact [email protected]. If you have questions while submitting an application, please review these frequently asked questions.
Current Employees and Students:
If you are currently employed or enrolled as a student at The Ohio State University, please log in to Workday to use the internal application process.
Welcome to The Ohio State University's career site. We invite you to apply to positions of interest. In order to ensure your application is complete, you must complete the following:
Ensure you have all necessary documents available when starting the application process. You can review the additional job description section on postings for documents that may be required.
Prior to submitting your application, please review and update (if necessary) the information in your candidate profile as it will transfer to your application.
Scope of Position
Reporting to the CIDO of the Ohio State University Wexner Medical Center with a dual report to the CISO of The Ohio State University, the WMC Chief Information Security Officer (WMC CISO) leads a department focused on security, risk management, compliance and security architecture for the clinical mission of Ohio State. Working closely with our university partners, the WMC CISO will engage and collaborate with various leaders in clinical operations, research, education, audit, legal and compliance and information systems on security initiatives. The WMC CISO oversees ongoing activities, programs, and projects that serve to protect WMC data confidentiality, integrity and availability while providing clinicians, students, patients, faculty, researchers, staff and vendors with secure and reliable access to systems and information. The WMC CISO ensures strategic alignment to the university on information security standards, controls, training, practices, and reporting.
Duties and Responsibilities
I. Strategy, Governance, and Risk Management (50%)
Health System Security Strategy: Develop, champion, and execute a visionary, comprehensive, multi-year information security strategy and roadmap across all mission areas of WMC, leveraging the University Security Framework.
Security Framework: Work in collaboration with University CISO to align on common standards, controls and practices, ensuring a cohesive security posture where systems, services and missions overlap. Oversee the development, enforcement and auditing of security policies, procedures, and standards for the health system.
Enterprise Ownership and Tolerance: Oversee Security Risk Assessments (SRAs) and vulnerability management across clinical, research, administrative, and third-party environments for the Health System. Develop and prioritize risk mitigation and remediation strategies. Coordinate with the University CISO on a streamlined risk assessment process for technologies that impact both the Medical Center and the University. Report on the WMC’s cybersecurity risk appetite in partnership with executive leadership and proactively manage and report on the overall cyber risk posture, translating technical exposure into clear business impact to the C-suite and the board through established reporting under the university CISO.
Regulatory Compliance: Ensure stringent adherence to all applicable laws and regulations, including but not limited to HIPAA/HITECH, 21 CFR Part 11, PCI DSS, state data privacy laws, and security mandates for research data and grant funding (e.g., CUI). Serves as the Security Officer to oversee implementation of HIPAA security regulations and to provide ongoing compliance monitoring and education on security.
Emerging Technology Governance: Establish and lead emerging technology governance frameworks for AI, cloud, automation, and other next-generation technologies, ensuring alignment with risk management, cybersecurity strategy, regulatory requirements, and business objectives.
Third-Party Risk Management (TPRM): Provide executive oversight of the Third-Party Risk Management program, ensuring vendor risks are assessed, governed, and aligned with enterprise security and compliance requirements. Oversee assessing and mitigating the security risks posed by vendors, business associates, and supply chain partners in alignment with university standards and frameworks where possible.
Business Continuity / Disaster Recovery: Provide executive oversight and strategic direction for enterprise Business Continuity and Disaster Recovery (BC/DR) programs, ensuring governance, resilience, regulatory compliance, and alignment with organizational risk management objectives to maintain and restore mission-critical operations during disruptions in alignment with university standards and frameworks where possible.
II. Security Operations and Leadership (30%)
Security Operations Center (SOC) Oversight: Oversee the day-to-day operations of the information security function, including threat intelligence, security monitoring, Security Information and Event Management (SIEM), and vulnerability management across on-premise, cloud, and hybrid environments in alignment with university standards and tools where possible.
Incident Response: Own the Computer Security Incident Response and Reporting (CSIRR) function, leading the coordination, containment, investigation, and recovery efforts for all security incidents and breaches, and fulfilling regulatory breach notification requirements.
Security Architecture and Consulting: Provide authoritative security consultation for the design and implementation of new systems (including EHR systems, clinical IoT, and cloud services) and review of existing systems, promoting security-by-design principles.
Access Management and Controls: Oversee the IT Access Management function, including the alignment to advanced Identity and Access Management (IAM) and Privileged Access Management (PAM) strategies consistent with a Zero Trust model established by the University CISO.
III. Culture, Talent, and Collaboration (20%)
Executive Collaboration: Collaborate directly and continuously with the University CISO, CIDO, and other executive and departmental leaders to align security initiatives with broad institutional and clinical goals.
Team Leadership: Lead, manage, mentor, and coach a diverse, high-performing team of information security professionals, fostering a culture of continuous learning, accountability, and excellence.
Security Awareness and Education: Advise Health Systems senior leadership on security risks and strategy. Drive a mandatory, ongoing security education and awareness program for all Health Systems faculty, staff, researchers, and students to effectively reduce the "human element" risk in a decentralized academic environment.
Communication: Serve as the visible, articulate internal and external champion for information security, possessing the ability to engage diverse stakeholders—from technical staff and researchers to clinicians.
Other duties as assigned.
Skills and Attributes
Intelligence and curiosity to instinctively question how things are done and how they may be done more effectively and efficiently.
Strength of personality, character and persistence to champion and implement positive change and cultural transformation.
Able to engage in high-level decision-making processes, develop priorities and goals and implement strategic and tactical measures.
Politically astute and able to navigate a complicated matrix.
Carry directions and vision of senior administration, as well as promote new ideas, strategies and innovations.
Develop understanding of applicable rules, requirements and procedures and challenge when appropriate.
Ability to delegate intelligently and appropriately.
Drive quality, performance, and attention to detail to a higher level and demand excellence.
Qualifications
Experience:
Minimum of 12 years of experience in information security, with at least five years in a significant leadership role.
Baccalaureate degree or higher in information systems or related degree.
Demonstrated experience in a large, complex organization, preferably within an academic medical center, or healthcare system.
Proven track record of developing and implementing a successful, enterprise-level information security program.
Certifications: Professional security management certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or an equivalent, is highly desirable.
Skills:
Strong business acumen to enable technology’s impact to support secure business objectives.
Demonstrated ability to build relationships, collaborate, and lead through influence across a decentralized enterprise.
Excellent communication, negotiation, and interpersonal skills with the ability to articulate complex security concepts to technical and non-technical audiences.
Strong knowledge of relevant legal and regulatory requirements (e.g., HIPAA).
Deep expertise in information security principles, practices, and technologies.
Adaptability to Innovation: Proven ability to manage security implications of rapid innovation in clinical care, biomedical research, and education, including cloud computing, telehealth, and AI/ML.
How to Apply
Inquiries, nominations and applications are invited. For full consideration, application materials should be received by August 17, 2026.
Applicants should submit the following:
Letter of Interest: Include a 1-2-page summary of your background and why you are interested in this opportunity.
Resume: Detailed overview of your experience.
Please direct all inquiries and nominations to: Allison Thomas, Talent Acquisition Consultant, The Ohio State University Executive Search team, at [email protected] with the Subject Line “WMC Chief Information Security Officer.”
Final candidates are subject to successful completion of a background check. A drug screen or physical may be required during the post offer process.
Thank you for your interest in positions at The Ohio State University and Wexner Medical Center. Once you have applied, the most updated information on the status of your application can be found by visiting the Candidate Home section of this site. Please view your submitted applications by logging in and reviewing your status. For answers to additional questions please review the frequently asked questions.
The university is an equal opportunity employer, including veterans and disability.
Website: https://www.osu.edu/
Headquarter Location: Wooster, Ohio, United States
Employee Count: None
Year Founded: 1870
IPO Status: Private
Last Funding Type: None
Industries: Agriculture ⋅ Education ⋅ Higher Education
Visa Sponsorship: Sponsors work visas