AVP Information Security Offic

• Cybersecurity Strategy and Roadmap: Develops and implements a comprehensive cybersecurity strategy aligned with the Institute’s mission, goals, and regulatory requirements. Creates and maintains a multi-year roadmap to address current and emerging threats across research and clinical operations and reports progress and risk posture to executive leadership and governance committees.
• Governance, Policies, and Standards: Establishes, maintains, and enforces cybersecurity policies, standards, and procedures to ensure the confidentiality, integrity, and availability of Institute data and systems. Aligns controls with NIST CSF, HITRUST, and ISO 27001; oversees the policy lifecycle, attestation, and exceptions process.
• Matrixed Operations and Third-Party Integration: Leads security delivery in a matrixed environment where select services (e.g., SOC, threat monitoring) are provided by a third-party MSSP. Defines clear RACI, SLAs, and coordinated runbooks; ensures seamless integration of tooling, processes, and incident response between internal teams and the provider; manages vendor performance and continuous improvement.
• Research and Clinical Security Leadership: Tailors controls for research computing (e.g., HPC, laboratory systems, core facilities, data repositories) and clinical operations (e.g., Epic/EHR, medical/IoT devices, imaging systems, interfaces). Implements segmentation, privileged access, and secure data handling to enable collaboration and innovation while protecting patient care and scientific data.
• Risk Management and Compliance Integration: Leads efforts to identify, assess, and mitigate cybersecurity risks across the organization, integrating risk management practices into hospital and research operations. Operates GRC capabilities; oversees third-party/vendor risk; ensures compliance with HIPAA/HITECH, 42 CFR Part 2, MA 201 CMR 17.00, NIH/IRB/FDA expectations; coordinates audits and remediation.
• Cross-Entity Strategy and Interoperability: Develops a coordinated information security strategy with clinical partners—including BILH—supporting secure interoperability, shared standards, joint risk assessments, incident coordination, resilience planning, and alignment of BAAs and data-sharing agreements across institutional boundaries.
• Security Operations and Incident Response: Oversees threat detection, vulnerability management, penetration testing, and threat intelligence. Establishes and exercises incident response playbooks, forensics, communications, and post-incident reviews in collaboration with Legal (OGC), Privacy, HR, Research Integrity, Security & Emergency Management, ETS, clinical operations, research IT, and the MSSP.
• Program Management, Budget, and Awareness: Manages the security program operating budget (~$1.5M); Directs security awareness and phishing simulation programs tailored to clinicians, researchers, and administrative staff; defines KPIs/KRIs and dashboards to track program performance.
• People Leadership and Staffing: Supervises staff and develops future staffing and hiring plan. Hires, develops, and manages staff to achieve organizational goals. Sets clear expectations, delivers feedback, and monitors performance for quality, efficiency, and compliance with policies and procedures. Mentors staff, fosters career growth, and cultivates a positive and productive work environment.

Supervisory Responsibilities

Directly supervises a team of information security analysts and specialists.

• Bachelor's Degree in Computer Science, Information Security/Cybersecurity, Information Systems, Engineering, or related field required. Master's Degree or advanced study in Information Security/Cybersecurity, Technology Management, or Business (MBA) preferred.

• 12+ years of progressive information security experience with 5+ years leading an enterprise security program or major security function in a complex, highly regulated organization. Demonstrated success building security governance, risk, and compliance aligned to frameworks (e.g., NIST CSF, ISO 27001, HITRUST) and healthcare regulations (HIPAA/HITECH, 42 CFR Part 2, MA 201 CMR 17.00).

• Proven experience leading incident response, vulnerability management, SOC operations (e.g., SIEM, EDR, SOAR), and partnering on security architecture, IAM/MFA/PAM/IGA, cloud security, and DevSecOps. Experience managing and integrating third-party managed security service providers (MSSP) and collaborating on cross-entity security strategies with clinical partners (e.g., BILH). Experience managing operating budgets and leading small teams in a matrixed environment.

• Experience operating across research and clinical hospital environments in an academic medical center or research institution strongly preferred, including protection of PHI/PII, EHR ecosystems (e.g., Epic), medical/IoT devices, and research computing/data.
• CISSP or CISM strongly preferred; additional certifications such as HCISPP, CRISC, CISA, GIAC (e.g., GCIH/GSEC/GCCC), and HITRUST CCSFP are desirable.

Knowledge, Skills and Abilities:

• Deep knowledge of information security operations and technologies (e.g., SIEM, EDR/XDR, SOAR, vulnerability management, red/blue teaming, DLP, encryption, PKI/key management, PAM/IGA, network segmentation, zero trust).
• Strong command of healthcare and research regulatory requirements and standards: HIPAA/HITECH, 42 CFR Part 2, MA 201 CMR 17.00; NIH/IRB/FDA expectations for research; and frameworks such as HITRUST, NIST CSF, ISO 27001.
• Expertise addressing unique cybersecurity challenges in healthcare, including medical device security, regulatory compliance, secure interoperability, and the critical nature of uninterrupted patient care.
• Experience securing EHR ecosystems (e.g., Epic), clinical and research systems, medical/IoT devices, and interoperability interfaces; familiarity with HL7/FHIR and secure cross-institution data exchange.
• Advanced understanding of cloud security (AWS, Azure, SaaS), identity, data protection, shared responsibility models, and secure configuration baselines.
• Proven ability to lead incident response and crisis management across matrixed teams and third-party MSSPs, including forensics, communications, regulatory notifications, and after-action improvements.
• Demonstrated success building enterprise GRC capabilities, conducting risk assessments, and managing third-party/vendor risk programs, Business Associate Agreements (BAAs), and data-sharing agreements.
• Effective collaborator and influencer with strategic partnerships across OGC (Legal), Privacy, HR, Research Integrity, and Security & Emergency Management; adept at operating in decentralized, multi-institution environments and coordinating with clinical partners (e.g., BILH).
• Strong leadership and communication skills to manage teams, influence stakeholders, and drive organizational change; ability to translate complex cyber risks into clear, actionable guidance for executives, clinicians, researchers, and technical teams.
• Strategic mindset with strong analytical skills; defines KPIs/KRIs, leverages data to drive decisions, and communicates risk posture and program performance to leadership and governance bodies.
• Strong project and program management; plans, prioritizes, and executes multiple concurrent initiatives with disciplined delivery and change management.
• High integrity and commitment to confidentiality; exercises sound judgment and balanced risk decisions that support patient care and research missions.
• Familiarity with business continuity, disaster recovery, and resilience engineering in healthcare and research environments.
• High technical literacy with enterprise systems, identity platforms, and security tooling; continuous learning orientation to track evolving threats and best practices. Deep knowledge of information security operations and technologies (e.g., SIEM, EDR/XDR, SOAR, vulnerability management, red/blue teaming, DLP, encryption, PKI/key management, PAM/IGA, network segmentation, zero trust).
• Strong command of healthcare and research regulatory requirements and standards: HIPAA/HITECH, 42 CFR Part 2, MA 201 CMR 17.00; NIH/IRB/FDA expectations for research; and frameworks such as HITRUST, NIST CSF, ISO 27001.
• Expertise addressing unique cybersecurity challenges in healthcare, including medical device security, regulatory compliance, secure interoperability, and the critical nature of uninterrupted patient care.
• Experience securing EHR ecosystems (e.g., Epic), clinical and research systems, medical/IoT devices, and interoperability interfaces; familiarity with HL7/FHIR and secure cross-institution data exchange.
• Advanced understanding of cloud security (AWS, Azure, SaaS), identity, data protection, shared responsibility models, and secure configuration baselines.
• Proven ability to lead incident response and crisis management across matrixed teams and third-party MSSPs, including forensics, communications, regulatory notifications, and after-action improvements.
• Demonstrated success building enterprise GRC capabilities, conducting risk assessments, and managing third-party/vendor risk programs, Business Associate Agreements (BAAs), and data-sharing agreements.
• Strong leadership and communication skills to manage teams, influence stakeholders, and drive organizational change; ability to translate complex cyber risks into clear, actionable guidance for executives, clinicians, researchers, and technical teams.

Pay Transparency Statement

The hiring range is based on market pay structures, with individual salaries determined by factors such as business needs, market conditions, internal equity, and based on the candidate’s relevant experience, skills and qualifications.

For union positions, the pay range is determined by the Collective Bargaining Agreement (CBA)

$242,200 - $276,300

At Dana-Farber Cancer Institute, we work every day to create an innovative, caring, and inclusive environment where every patient, family, and staff member feels they belong.  As relentless as we are in our mission to reduce the burden of cancer for all, we are equally committed to diversifying our faculty and staff.  Cancer knows no boundaries and when it comes to hiring the most dedicated and diverse professionals, neither do we. If working in this kind of organization inspires you, we encourage you to apply.

Dana-Farber Cancer Institute is an equal opportunity employer and affirms the right of every qualified applicant to receive consideration for employment without regard to race, color, religion, sex, gender identity or expression, national origin, sexual orientation, genetic information, disability, age, ancestry, military service, protected veteran status, or other characteristics protected by law.

EEOC Poster