Manager, Risk & Security

Press Ganey Associates LLC
Remote (location open), United States Full Time
POSTED ON 12/19/2022 CLOSED ON 12/25/2022

What are the responsibilities and job description for the Manager, Risk & Security position at Press Ganey Associates LLC?

About Press Ganey:

Press Ganey pioneered the health care performance improvement movement 35 years ago. Today Press Ganey offers an integrated suite of solutions that enable enterprise transformation across the patient journey. Delivered through a cutting-edge digital platform built on a foundation of data security, Press Ganey solutions address safety, clinical excellence, patient experience, and workforce engagement. The company works with more than 41,000 health care facilities in its mission to reduce patient suffering and enhance caregiver resilience to improve the overall safety, quality, and experience of care. 

The Manager, Risk and Security is a leader in Press Ganey's Information Security team and is responsible for building and maintaining controls that manage information risk and security. The manager is expected to design and implement controls in order to secure Press Ganey data and keep Press Ganey in compliance with applicable laws, regulations, and contractual terms.

The Manager, Risk and Security provides vision and leadership for securing Press Ganey’s custom-developed software. This leader will work across teams to help drive security controls in custom software. This includes responsibility for training and oversight of development teams in secure development practices; support for product teams to identify regional compliance requirements; partnering with the ISO and GRC functions to ensure that policy and compliance requirements are met; and coordination of resources, schedules, and activities. The manager must be able to provide leadership for the security team, to coach and mentor the team, and to build strong partnerships with IT/engineering, security, business, and third-party partners, to ensure that Press Ganey can implement its business plans. The manager will work with developers, architects, project leads/managers, business analysts, and others to determine security requirements for projects and ensure that these requirements are met as part of the software development lifecycle (SDLC).

The duties of each member of the security team can fluctuate based on needs and risks, but this manager will be primarily responsible for setting policy and measuring compliance related to custom application development.  This manager will be responsible for testing applications for security and developing and monitoring corrective action plans.  As a leader in the team, this manager will be expected to stay informed of information security practices and act as a trusted subject matter expert for the team.

The security team at Press Ganey has created a culture of growth and gratitude. Press Ganey has acquired more than 20 companies in the past 10 years, so the right manager will be prepared to deal with a rapidly changing environment. For this role, we’re focused on finding someone with a passion for security with a background in application development. We can teach most security skills, but we need you to bring software development leadership skills to the team. This job will involve meeting with product managers and software development teams to set security standards, guide development practices, and find and drive remediation of security flaws, as well as leading a team of skilled technical security people.

Duties and Responsibilities

Product Security

  • Identify local and regional regulatory impacts for new products and services
  • Set remediation priorities and work with product and IT departments to drive security improvements
  • Assess and scope application security needs.
  • Contribute to project planning and project deliverables.
  • Collaborate with Product Management and Engineering to enhance products.

Application Security

  • Scan source code, audit results with development and/or security teams and offer plans for remediation of vulnerabilities.
  • Install and configure industry standard static code analysis products, such as Veracode, SonarQube, or HP Fortify.
  • Install, configure, and run industry standard dynamic scanning tools such as Acunetix, Burp Suite, or IBM AppScan.
  • Communicate technical application security concepts to staff, including developers, architects, and managers.
  • Train developers on application security and remediation of application security code defects.

Audit/Remediation

  • Assess new projects and existing systems for compliance with security controls and best practices.

Policy and Governance

  • Translate general security policies into specific technical guidance for IT and business teams.  Monitor and audit people, process, and technology to ensure compliance with approved policies. 
  • Build non-functional requirements (NFRs) for application teams to implement required security controls.
  • Develop plans to safeguard computer files against accidental or unauthorized modification, destruction, or disclosure and to meet emergency data processing needs. 
  • Document computer security and emergency measures policies, procedures, and tests.

Data Protection and Risk Management

  • Work with Legal, Technology, and business partners to establish and maintain controls that protect data and appropriately manage its lifecycle.
  • Identify, assess, and communicate risks relating to Press Ganey data, systems, and personnel.
  • Suggest changes that can reduce risk.
  • Perform risk assessments and execute tests of data processing systems to ensure functioning of data processing activities and security measures.

Incident Response

  • Respond to event notifications generated by security monitoring systems, employees, and customers within agreed response times.  Some responses may require after hours and weekend availability. 
  • Review violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated.

Team Development and Management

  • Develop and manage an organizational structure for the Risk and Security practice and Press Ganey.
  • Recruit, develop, retain and motivate a team operating at a high performance level.

Qualifications

Education/training:

  • (Required) High school diploma w/ relevant experience or 4-year degree
  • (Preferred) Certification for information security management or networking (e.g. CISA, CISSP, CISM, CRISC).
  • (Required) General knowledge of business theory, business processes, management, budgeting, and business office operations.

Skills

  • Leadership of application development teams
  • Strong understanding of application development lifecycle models, such as agile and scrum
  • Demonstrated skills designing and implementing secure CI/CD pipelines
  • Demonstrated competence in security and risk domains, including standards and practices; organization and management; processes; integrity, confidentiality and availability; and software development, acquisition and maintenance.
  • Demonstrated analytical and problem-solving skills.
  • Demonstrated technical skills using development or scripting tools, networking, or hardware.
  • Strong understanding of basic computer science: Algorithms, data structures, databases, operating systems, networks, and tool development (not production software, but tools that can help you work more efficiently).
  • Strong understanding of IT operations: Help desk, networks, endpoint management and server management.
  • Strong understanding of adversary motivations: cyber-crime, cyber hacktivism, cyber war, cyber espionage and the difference between cyber propaganda and cyber terrorism.
  • Strong understanding of security operations concepts: Perimeter defenses, BYOD management, data loss protection, insider threat, kill chain analysis, risk assessment and security metrics.
  • Knowledge of and ability to use system security and controls including firewall and anti-virus software, identity management, and computer control environments

Experience

  • 8 years' experience in IT Operations, IT Security, or Application Development
  • 2 years’ leadership experience in an IT or security role
  • 3 years’ experience implementing compliance standards such as HIPAA, PCI-DSS, SOX, etc.
  • 3 years’ project management experience

Business Acumen

  • The job holder should possess strong analytical and process management skills and have a broad understanding of business strategy and operations.  They must be able to clearly articulate the business value proposition for all security initiatives.

Compliance & Ethics Expectations:

  • Participates and successfully completes the company's compliance program requirements and adheres to the Code of Conduct, Company policies, and applicable federal and state requirements.
  • Sets an example for other employees regarding how the Company's Code of Conduct and Compliance Program is applied and observed every day when dealing with customers, business operations, or other teammates.
  • Reports potential violations of company policy, Code of Conduct, and/or applicable laws and regulations to the company hotline, through the chain of command, to the Compliance and Ethics Department, or through other channels made available by the company for reporting potential violations.
  • Promotes an environment in which other employees are encouraged to report potential violations.
  • As appropriate, provides input and suggestions regarding areas in which policies, procedures, workflows, and/or controls can be improved to enhance compliance.

All positions at Press Ganey require an applicant who has accepted an offer to undergo a background check. The specific checks are based on the nature of the position. Background checks may include some or all of the following: SSN/SIN validation, education verification, employment verification, and criminal check, search against global sanctions and government watch lists, fingerprint verification, credit check, and/or drug test. By applying for a position with Press Ganey, you understand that you will be required to undergo a background check should you be made an offer. You also understand that the offer is contingent upon successful completion of the background check and results consistent with Press Ganey's employment policies. You will be notified during the hiring process which checks are required for the position. 

In order to ensure a healthy and safe work environment, Press Ganey requires all of its associates to be fully vaccinated against COVID-19, or have an approved medical or religious exemption, prior to their start date. Associates who cannot receive the vaccine because of a disability/medical contraindication or sincerely held religious belief may request an accommodation to this requirement. 

Press Ganey Associates LLC is an Equal Employment Opportunity/Affirmative Action employer and well committed to a diverse workforce. We do not discriminate against any employee or applicant for employment because of race, color, sex, age, national origin, religion, sexual orientation, gender identity, veteran status, and basis of disability or any other federal, state or local protected class. 

Pay Transparency Non-Discrimination Notice – Press Ganey will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 

This job has expired.