Manager of Information Security

5/12/2026

The Manager of Information Security is responsible for building and operating the organization's security program, focusing on security operations, GRC, and incident response. The role involves protecting systems and data across a hybrid environment while ensuring compliance with healthcare regulations.

Salary

125000 - 150000 USD

Working Hours

40 hours/week

Company Size

1,001-5,000 employees

Language

English

Visa Sponsorship

No

About The Company
Illinois Bone & Joint Institute offers comprehensive sub-specialty care for a wide variety of orthopedic and sports medicine problems. From on-site physical therapy and in-office MRI to physicians who are leaders in their field, Illinois Bone & Joint Institute is the premier physician group offering cutting-edge orthopedic care in the Chicagoland area. All our physicians are fellowship-trained and board certified, which means that they underwent years of advanced training and education for specific orthopedic conditions. Whatever your orthopedic or sports medicine problem, the physicians at IBJI are there to provide state-of-the-art compassionate care. Go to http://www.ibji.com to find a doctor or location near you.
About the Role

Description

Job Title: Manager of Information Security

Job Description

Summary

The Manager of Information Security is responsible for building, operating, and maturing the organization’s information security program across a distributed, hybrid environment supporting ~2,700 users and 100 locations.

This is a hands-on leadership role with ownership of security operations, governance, risk, and compliance. The role is accountable for protecting the organization’s systems, data, and users while enabling business operations in a practical, risk-based way.

The organization is actively maturing its security posture following a prior ransomware incident, making this a high-impact opportunity to establish sustainable security practices, strengthen resilience, and build trust across the business.

The Manager of Information Security reports to the CIO, who retains executive security oversight, and works closely with the Director of Infrastructure and Director of Service Operations to deliver secure, reliable IT services.


Responsibilities

Security Program Leadership

  • Own and operate the organization’s information security program
  • Develop and maintain security policies, standards, and procedures in partnership with the CIO
  • Establish and track key security metrics, risk indicators, and program maturity
  • Maintain and manage the enterprise risk register

Governance, Risk & Compliance (GRC)

  • Partner with compliance team (Legal) on compliance efforts for HIPAA, PCI, JCAHO, and AAAHC
  • Coordinate audits, assessments, and remediation activities
  • Ensure security controls are documented, implemented, and auditable
  • Manage third-party/vendor security risk as needed
  • Coordinate and manage third-party penetration testing and security assessments (internal and external)
  • Establish and maintain a vulnerability management program, incorporating findings from penetration tests, scanners, and external reviews
  • Drive remediation efforts in partnership with Infrastructure and Service Operations, ensuring findings are prioritized, tracked, and resolved

Security Operations & Incident Response

  • Own the security incident response program, including playbooks, processes, and coordination
  • Act as the tactical lead during security incidents, partnering with the CIO as executive lead
  • Coordinate with Service Operations, Infrastructure, NOC, and MDR providers during incidents
  • Drive post-incident reviews and continuous improvement
  • Oversee vulnerability intake, triage, and prioritization across all security findings

Security Tooling & Monitoring

  • Own and manage security platforms, including:
      • Endpoint Detection & Response (CrowdStrike)
      • Managed Detection & Response (MDR) relationship
      • SIEM and logging platforms
  • Oversee alerting, detection tuning, and response workflows
  • Ensure effective collaboration between internal teams, MDR, and NOC/MSP

Identity & Access Management (IAM)

  • Lead IAM strategy and operations, including:
      • Identity lifecycle management
      • Role-based access and least privilege models
      • Privileged Access Management (PAM/PIM)
  • Manage and mentor IAM engineering resources
  • Partner with Service Operations

Business Continuity & Disaster Recovery

  • Partner with Infrastructure leadership and the CIO to define and govern BC/DR strategy
  • Ensure security considerations are embedded in recovery planning
  • Support testing, validation, and continuous improvement of recovery capabilities

Cross-Functional Collaboration

  • Work closely with the Director of Infrastructure to ensure secure architecture and system design
  • Partner with Service Operations to align security with operational processes and user support
  • Serve as a key security advisor to IT and business stakeholders

Security Awareness & Culture

  • Develop and lead security awareness and training programs
  • Promote a culture of security aligned with business needs and user experience
  • Balance risk reduction with operational practicality

Vendor & Partner Management

  • Manage relationships with security vendors, including MDR providers and penetration testing firms
  • Ensure third-party services meet security expectations and contractual obligations
  • Provide input into security budgeting and investment planning

Maintain a clean and safe work environment

Other duties as assigned

Requirements

Education

  • Bachelor’s degree preferred but not required

Certifications/Licensure

  • Relevant industry certifications preferred, such as: CISSP, CISM, CISA, CDPSE.

Experience

  • 5–8+ years of experience in information security, with increasing responsibility
  • Hands-on experience across multiple domains, including:
      • Security operations and incident response
      • IAM and access control models
      • Endpoint security and detection/response tools
      • SIEM or log management platforms
      • Vulnerability management and penetration testing coordination
  • Experience operating in hybrid (cloud + on-prem) environments
  • Proven ability to build or mature security programs

Technical Skills

  • Experience in regulated environments, particularly healthcare
  • Familiarity with HIPAA, PCI, JCAHO, and AAAHC compliance frameworks
  • Experience working with MDR/SOC providers
  • Exposure to Microsoft and Google Workspace ecosystems
  • Familiarity with the CrowdStrike ecosystem preferred

Soft Skills

  • Hands-on and accountable, able to operate both strategically and tactically
  • Strong judgment in balancing security, usability, and business needs
  • Calm and decisive during security incidents
  • Effective collaborator across Infrastructure and Service Operations
  • Builder mindset with the ability to mature programs over time

Physical Requirements

  • Stand or sit for extended periods of time

This description is intended to provide only basic guidelines for meeting job requirements. Duties and responsibilities, experience, qualifications, skills, supervisory relationship, physical/mental demands, and environmental/working conditions may change as needs evolve.


Base salary offers for this position may vary based on factors such as location, skills and relevant experience. We offer the following benefits to those who are benefit eligible (30+ hours a week): medical, dental, vision, life and AD&D insurance, long and short term disability, 401k program with company match and profit sharing, wellness program, health savings accounts, flexible savings accounts, ID protection plan and accident, critical illness and hospital benefits. In addition, we offer paid holidays and paid time off.


Illinois Bone and Joint Institute, LLC is an equal opportunity employer. All employment decisions are based on qualifications, merit, and business need, without regard to race, color, religion, age, sex, national origin, disability status, military or veteran status, sexual orientation, gender identity and expression, or any other characteristic protected by federal, state or local laws. This policy applies to recruitment and placement, promotion, training, transfer, retention, rate of pay and all other terms and conditions of employment. 

Key Skills

  • Information Security Program Management
  • Governance Risk & Compliance
  • Incident Response
  • Vulnerability Management
  • Identity & Access Management
  • Endpoint Detection & Response
  • SIEM
  • Business Continuity & Disaster Recovery
  • HIPAA Compliance
  • PCI Compliance
  • Vendor Management
  • Security Awareness Training
  • Risk Assessment
  • Penetration Testing Coordination
  • Hybrid Environment Security
  • Security Tooling

Categories

  • Security & Safety
  • Technology
  • Management & Leadership
  • Healthcare

Benefits

  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Life Insurance
  • AD&D Insurance
  • Long Term Disability
  • Short Term Disability
  • 401k Program With Company Match
  • Profit Sharing
  • Wellness Program
  • Health Savings Accounts
  • Flexible Savings Accounts
  • ID Protection Plan
  • Accident Insurance
  • Critical Illness Insurance
  • Hospital Benefits
  • Paid Holidays
  • Paid Time Off