Careers

Posted: March 20, 2026

The Director of Information Security will lead the continued development and advancement of the Health Connector’s information security and risk management program, ensuring the protection of systems, infrastructure, and sensitive information from evolving cybersecurity threats. Reporting to the Chief Technology Officer, this role is responsible for developing and advancing the organization’s Information Security Roadmap and strengthening practical security capabilities across Security Operations, Governance Risk and Compliance, Identity and Access Management, Security Architecture, and Vendor Security Risk Management.

The ideal candidate will bring a broad technical information security background and strong familiarity with enterprise IT environments, with experience implementing modern security capabilities such as identity-driven access controls, endpoint security, cloud security controls, and Zero Trust architectures. Working closely with IT and Operations leadership, Infrastructure, Data & Analytics, Legal, Compliance, and a broad set of internal and external partners, the Director will ensure security practices are integrated across the Health Connector’s technology platforms and operational processes while aligning the security program with ARC-AMPE, CMS security guidance, and the NIST Cybersecurity Framework.

• Lead and advance the Health Connector’s information security and risk management program, ensuring systems, infrastructure, and sensitive information are protected from evolving cybersecurity threats.
• Develop and advance the organization’s Information Security Roadmap, prioritizing security capabilities and investments based on organizational needs, technical risk, and regulatory requirements.
• Oversee and operate core security capabilities including Security Operations, Governance Risk and Compliance (GRC), Identity and Access Management (IAM), Security Architecture, and Vendor Security Risk Management.
• Establish and maintain security policies, standards, and governance frameworks aligned with ARC-AMPE, CMS guidance, and the NIST Cybersecurity Framework.
• Oversee and operate cybersecurity monitoring and defense capabilities, including threat detection, vulnerability management, security event monitoring, and incident response.
• Lead the organization’s incident response program, coordinating investigation, containment, remediation, and communication during security incidents.
• Ensure appropriate safeguards are implemented to protect personally identifiable information (PII), protected health information (PHI), and other regulated data, including data classification and data protection controls.
• Guide the evolution of the Health Connector’s security architecture, including implementing and operating Zero Trust security capabilities across identity, device, network, and application access.
• Oversee and operate the Health Connector’s third-party security risk management program, ensuring vendors, contractors, and partners meet security and compliance expectations.
• Partner with Infrastructure and Client Services teams to implement and operate security controls across endpoint management, device configuration, identity platforms, and collaboration technologies.
• Support disaster recovery, business continuity, and operational resilience planning efforts in coordination with technology leadership.
• Provide regular reporting to leadership regarding cybersecurity posture, operational security metrics, compliance status, and remediation activities.
• Perform supervisory and program administration responsibilities including staff development, hiring, and performance management.
• Coordinate cross-functional security initiatives across the organization.
• Other duties as assigned.

• Bachelor’s degree from an accredited college or university
• 7 to 10 years of experience in cybersecurity or information security roles, including leadership responsibilities
• Demonstrated experience building and operationalizing security capabilities across multiple security domains
• Experience designing and implementing technical security controls across identity, endpoint, cloud, and network access environments
• Experience implementing and operating Zero Trust security architectures, including identity, device, network, and application access controls
• Experience leading incident response, vulnerability management, and security monitoring programs
• Experience managing vendor and third-party security risks
• Experience working in regulated environments involving sensitive data such as PII or PHI
• Experience implementing security programs aligned with NIST frameworks and regulatory requirements
• Strong understanding of core IT infrastructure and platforms, including networks, operating systems, cloud environments, endpoint management, and identity services
• Knowledge of modern cybersecurity architecture and controls, including Zero Trust, identity-driven access controls, endpoint protection, vulnerability management, and security monitoring technologies
• Understanding of security operations practices, including threat detection, incident response, and security event monitoring
• Knowledge of data protection practices, including data classification, encryption, data loss prevention, and protection of regulated data such as PII and PHI
• Familiarity with security governance and compliance frameworks, including the NIST Cybersecurity Framework and related regulatory standards
• Ability to translate complex cybersecurity risks and technical issues into clear organizational impacts
• Ability to collaborate effectively across technical and non-technical teams
• Strong analytical and problem-solving skills
• Strong organizational and time-management skills
• Strong written and verbal communication skills
• Demonstrated leadership and team development capabilities

• Bachelor’s degree in Information Security, Computer Science, Information Systems, Cybersecurity, or a related field
• Experience working in public sector, healthcare, or regulated technology environments
• Familiarity with ARC-AMPE, CMS security guidance, or similar federal regulatory frameworks
• Professional certifications such as CISSP, CISM, or equivalent
• Demonstrated experience developing and executing security roadmaps or long-term security strategies