
Vice President, Cybersecurity in Des Moines, Iowa at IOWA HOSPITAL ASSOCIATION

Job Function: Executive/Management
IOWA HOSPITAL ASSOCIATION
Des Moines, Iowa, 50309, United States

Job Description

Description:

Position Summary

Leads Iowa Hospital Association’s (IHA) operational and technical cybersecurity program, reporting to the Senior Vice President, IT Operations & Security. Provides strategic leadership and advanced technical oversight across security operations, engineering, architecture, governance and risk management. Ensures the confidentiality, integrity and availability of IHA’s information assets while aligning cybersecurity initiatives with organizational strategy, regulatory requirements and industry best practices. This role reflects IHA’s behaviors of ownership, collaboration, innovation and servant leadership.

Responsibilities

  • Leads the development, execution and continuous improvement of IHA’s enterprise cybersecurity strategy, roadmap and operating model with authority to set priorities and recommend investments; delivers annual roadmap milestones and reduces identified enterprise cyber risks
  • Oversees security operations, including Security Information and Event Management (SIEM), Managed Detection and Response (MDR) and Security Operations Center (SOC) services, vulnerability management, and incident detection, response and recovery; empowered to activate response plans and engage external sources as needed to reduce severity of security incidents and increase timely closure of corrective actions
  • Coordinates and leads tabletop exercises and disaster recovery drills, ensuring lessons learned and corrective actions are documented and implemented
  • Owns and governs cloud-based and on-premises security architecture, approving designs and control decisions to ensure secure-by-design principles and defense-in-depth controls with reduction in critical and high-risk findings and conformance with approved architecture standards
  • Establishes, maintains and enforces cybersecurity policies, standards and control frameworks aligned with System and Organization Controls (SOC) 2, National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) requirements, as applicable for successful audit results, ideal compliance posture, and timely remediation of control deficiencies
  • Manages third-party cybersecurity risk, including vendor assessments, tool evaluations and ongoing risk monitoring with authority to approve risk treatment recommendations within defined thresholds
  • Measures, reports and communicates cybersecurity risk posture through meaningful metrics, key performance indicators (KPI), executive dashboards and playbooks, translating technical/cyber risk into business, operational, financial and reputational impact for executive stakeholders
  • Partners with Human Resources and Marketing Communications to design and deliver an effective, organization-wide security awareness and training program ensuring high completion rates, phishing simulation outcomes, and reduction in user-driven security incidents
  • Engages in continuous learning to stay current with evolving threats, technologies and regulatory expectations, proactively adopts relevant controls, and provides informed recommendations to leadership
  • Models and promotes safe work practices, including proper workstation ergonomics, to support employee well-being and injury prevention
  • Performs other related duties as assigned to support departmental and organizational goals

Internal Relationships

  • Works closely with the Senior Vice President, IT Operations & Security to align cybersecurity initiatives with enterprise priorities
  • Collaborates with department leaders, legal, HR and operational teams to embed security into business processes

External Relationships

  • Coordinates with cybersecurity vendors, managed service providers, auditors and consultants
  • Engages with external partners, peer organizations and industry groups for benchmarking and shared learning

Requirements:

Knowledge and Skills

  • Advanced knowledge of threat detection and response, vulnerability management, risk management and security architecture
  • Strong understanding of cloud security, identity and access management and modern endpoint and email security platforms
  • Proficiency in developing metrics, KPIs and executive-level reporting
  • Excellent communication, facilitation and stakeholder management skills

Education and Experience

  • Bachelor’s degree in cybersecurity, information security, computer science, or a related field preferred
  • Minimum ten (10) years of experience in cybersecurity leadership and/or senior security engineering roles required
  • CompTIA A+ Certification or equivalent required; Microsoft Certified Professional (“MCP”) preferred
  • Demonstrated ability to lead complex cybersecurity programs and coordinate major security incidents and response activities
  • Certified Information Systems Security Professional (CISSP) certification required; Certified Information Security Manager (CISM), Cloud Security Certification (CCSP), Global Information Assurance Certification (GIAC), or Information Technology Infrastructure Library (ITIL v4) experience preferred
  • Experience integrating security awareness platforms (e.g., KnowBe4) with Microsoft Defender and email security controls
  • An equivalent combination of education, training and experience may be considered

Physical Requirements

  • Prolonged periods sitting at a desk and working on a computer
  • Must be able to lift up to 25 pounds at times and, on occasion, up to 50 pounds
  • Ability to support organizational events, which may occasionally require extended periods of standing, light lifting, or schedule flexibility

Equal Opportunity Employer

Qualified applicants will be considered without regard to race, color, religion, creed, sex, sexual orientation, gender identity, marital status, national origin, age, veteran status, disability or any other protected class.

