Position Summary
The Vice President, ACM Information Security; CISO leads the enterprise-wide information security and cyber risk management program for ACM. This role ensures that all information assets—technology, applications, systems, infrastructure, and processes—are protected across the digital ecosystem, and identifies, evaluates, and reports on legal, regulatory, IT, and cybersecurity risks while enabling business objectives.
The position safeguards the confidentiality, integrity, and availability of data and systems supporting R&D, clinical trials, manufacturing, supply chain, regulatory submissions, and commercial operations. It protects high‑value research assets, clinical development systems, proprietary algorithms, and sensitive partner data, while enabling rapid innovation, collaboration, and compliance.
Operating in a highly regulated environment, the VP, ACM Information Security; CISO balances cybersecurity with clinical trial needs, innovation, speed to market, and patient safety.
Key Responsibilities
Strategic Leadership & Governance
Facilitate an ACM information security governance structure through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
Define and execute the enterprise information security strategy and roadmap aligned with business objectives and regulatory obligations
Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
Ensure that IT security requirements are included in vendor contracts by liaising with vendor management and procurement organizations.
Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
Serve as executive advisor on cyber risk to ACM’s Executive Leadership Team (ELT)
Establish security governance, policies, standards, and metrics across global operations
Lead security investment planning and budgeting
IT Security Strategy / Framework Development, Execution and Reporting
Develop an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization's business objectives, and ensure senior stakeholder buy-in and mandate.
Develop, implement and monitor a strategic, comprehensive information security program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled or/and processed by the organization.
Develop and enhance an up-to-date information security management framework based on ISO 27001.
Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from global laws, standards and regulations.
Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection of information assets.
Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and board levels.
Regulatory & Compliance Leadership
Ensure compliance with regulations and standards, including:
ISO 27001
NIST, HIPAA, SOC 2, PCI
FDA (21 CFR Part 11)
GxP (GMP, GLP, GCP)
HIPAA / HITECH
GDPR and global privacy laws
Partner with Quality, Regulatory Affairs, and Legal to support audits and inspections
Oversee data integrity and validation controls for regulated systems
Protection of Intellectual Property & Sensitive Data
Safeguard research data, clinical trial data, patient data, software development, manufacturing IP, and trade secrets
Implement data classification, encryption, and access control strategies
Oversee secure collaboration with CROs, CMOs, research partners, and academia
Cyber Risk Management & Operations (Partnering with RRH IT as needed)
Identify, assess, and mitigate cyber risks across IT, OT, cloud, and laboratory environments
Oversee and provide continuous status updates regarding ACM’s vulnerability management, penetration testing, and threat intelligence efforts and the related remediation work
Oversee ACM’s vulnerability management, penetration testing, and threat intelligence efforts
Work collaboratively with RRH IT to establish and oversee incident response, breach management, and cyber resilience programs
Work collaboratively with RRH IT to coordinate with law enforcement and regulators in the event of security incidents
Develop cyber resilience and business continuity capabilities
Technology & Architecture Oversight
Guide secure implementation of cloud platforms, AI/ML, digital labs, IoT/OT, and data platforms
Ensure security-by-design across system development and validation lifecycles
Oversee identity and access management, zero trust architecture, endpoint security, network security, and SOC operations
Embed security into SDLC and system validation processes
Third-Party & Supply Chain Security
Develop and enforce third-party risk management programs for vendors, CROs, CMOs, and SaaS providers
Assess cyber risks in manufacturing, logistics, and distribution partners
Support secure onboarding and continuous monitoring of partners
Operate the Function
Create a risk-based process for the assessment and mitigation of any information security risk in your ecosystem consisting of supply chain partners, vendors, consumers and any other third parties
Work with the ACM QA staff to ensure that all information owned, collected or controlled by or on behalf of the company is processed and stored in accordance with applicable laws and other global regulatory requirements, such as data privacy
Collaborate and liaise with ACM’s data privacy officer and RRH IT security to ensure that data privacy requirements are included where applicable
Define and facilitate the processes for information security risk and for legal and regulatory assessments, including the reporting and oversight of treatment efforts to address negative findings
Ensure that security is embedded in the project delivery process by providing the appropriate information security policies, practices and guidelines
Oversee technology dependencies outside of direct organizational control. This includes reviewing contracts and creating alternatives for managing risk
Working collaboratively with RRH IT Security leadership, coordinate the management and containment of information security incidents and events to protect corporate IT assets, intellectual property, regulated data and the company's reputation
Working with RRH IT, monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action
Working with the RRH CISO, coordinate the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provide direction, support and in-house consulting in these areas
Facilitate and support the development of asset inventories, including information assets in cloud services (managed by ACM, RRH or third parties)
Leadership & Team Development
Build and lead a high-performing global information security organization
Develop talent, succession planning, and security culture across the enterprise
Promote security awareness training tailored to scientists, engineers, and business users
Working closely with the RRH IT CISO and IT security leaders, develop a collaborative, virtual, expanded IT security team to best support the ACM organization
Create the necessary internal networks among the information security team and line-of-business executives, corporate compliance, audit, physical security, legal and HR management teams to ensure alignment as required.
Build and nurture external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
Liaise with external agencies/regulators and clients, as necessary, to ensure that the organization maintains a strong security posture and is kept well-abreast of the relevant threats identified by these agencies and clients.
Desired Qualifications:
Master’s degree in a related field or MBA preferred
Demonstrated success managing global security programs in complex, regulated environments
Demonstrated experience managing / ensuring IT cloud security
ISO 27001 Lead Implementer/Auditor
Proven experience (5+ years) in global life sciences, biotech industries
Proven experience developing / managing ISO 27001 compliant IT security framework
Cloud security certifications (AWS, Azure, GCP)
Deep understanding of life sciences / biotech regulatory environments (global environments)
Proven ability to partner with and manage service providers to ensure compliance with organizational expectations
Significant experience / knowledge building IT security frameworks compliant with the following regulations / standards:
FDA (21 CFR Part 11)
GxP (GMP, GLP, GCP)
ISO 27001, NIST
HIPAA / HITECH
GDPR and global privacy laws
SOC 2, PCI
Advanced troubleshooting and analytical skills
Strong communication and cross-functional collaboration abilities
High attention to detail and commitment to system reliability
Ability to manage multiple complex initiatives simultaneously
Strong executive communication and board-level presentation skills
Risk-based decision-making and business acumen
Experience balancing innovation with compliance and patient safety
Up-to-date knowledge of IT security methodologies and trends in both business and IT
Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic business environment
Project management skills: financial/budget management, scheduling and resource management
Engagement and collaboration with service providers
Minimum Qualifications:
Bachelor’s degree in Computer Science, Information Security, Engineering, or related field
10 years in information security, with 5 years in senior IT security leadership roles
5 years of experience in global life sciences, biotech industries
Required Licensure/Certifications:
CISSP or CISM or CISA
PHYSICAL REQUIREMENTS:
L - Light Work - Exerting up to 20 pounds of force occasionally, and/or up to 10 pounds of force frequently, and/or a negligible amount of force constantly; requires occasional walking, standing or squatting.
For disease-specific care programs, refer to the program-specific requirements of the department for further specifications on experience and educational expectations, including continuing education requirements.
Any physical requirements reported by a prospective employee and/or employee’s physician or delegate will be considered for accommodations.
PAY RANGE:
$220,000.00 - $250,000.00
The listed base pay range is a good faith representation of current potential base pay for a successful full time applicant. It may be modified in the future and eligible for additional pay components. Pay is determined by factors including experience, relevant qualifications, specialty, internal equity, location, and contracts.
Rochester Regional Health is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex (including pregnancy, childbirth, and related medical conditions), sexual orientation, gender identity or expression, national origin, age, disability, predisposing genetic characteristics, marital or familial status, military or veteran status, citizenship or immigration status, or any other characteristic protected by federal, state, or local law.