Director of Information Security Identity Access Management (IAM)

Location: Chicago, IL

Hospital: RUSH University Medical Center

Department: Digital & Information Services

Work Type: Full Time (Total FTE between 0.9 and 1.0)

Shift: Shift 1

Work Schedule: 8 Hr (8:00:00 AM – 5:00:00 PM)

Summary:

The Director, Cybersecurity Identity and Access Management (IAM) is responsible for developing, implementing, and maintaining RUSH’s IAM Program including the information technology systems and processes needed to support the program. This position will lead a team of managers, engineers, and analysts to deliver RUSH’s IAM vision, strategy, and program roadmap. This position will also work closely with Security Architecture, the CISO, Cybersecurity Governance Committee and other RUSH leadership to ensure the IAM program meets the maximum levels of information security while balancing the access needs of the organization. Directs the IAM strategy for authentication, authorization, directory services, and user management processes at RUSH. Provides IAM related technical consulting on complex organizational projects. Evaluates existing systems and procedures and makes recommendations for improvements of system controls while continually assessing the overall IAM program maturity. The individual who holds this position exemplifies the Rush mission, vision, and values and acts in accordance with Rush policies and procedures.

Responsibilities:

Governance

• Develops strategic direction and methodology for the IAM program and leads a team to develop content for the RUSH Cybersecurity governance, management, and other Board Committees. Presents action items for discussion and approval during these meetings.
• Leads the development of the IAM vision, roadmap, architecture, business cases, and projects to implement modern cybersecurity technologies and processes in RUSH’s digital and cloud environments.
• Works with RUSH IT management, risk managers, corporate compliance and legal counsel to assist with special projects or investigations.
• Understands the enterprise strategy and influences the integration of IAM security into RUSH business strategies and processes while ensuring that the results are documented and actionable.
• Establishes, monitors, evaluates, and reports IAM key performance and key risk indicators (KPIs and KRIs) to provide leadership with accurate information regarding the effectiveness of the IAM Program.

Access Management

• Drives the RUSH IAM Program and access management processes including but not limited to identity administration, user authentication, authorization, API access control, UEBA, BYOI, SSO, and user self-service.
• Work closely with Security Architecture on development of strategy, technology and use-case requirements to support current and future Rush identity needs
• Develops strategy and drives implementation from a people, processes, and technology perspective for core access management capabilities including:

o Managing internal and external identities and providing directory and identity synchronization services leverage SCIM.

o Authorization decisions, policy creation and dynamic/adaptive access management.

o User authentication including MFA, one-time passwords, mobile pushes, etc.

o Standard application enablement including SSO to SaaS, web, and mobile applications leveraging modern identity protocols like SAML and OpenID Connect.

o External access management including user registration, profile management, delegated administration, federation support for third party identity providers, etc.

Identity Governance Administration (IGA)

• Drives the RUSH IGA processes including but not limited to identity lifecycle processes, identity data quality management, automated provisioning, entitlement management, roles and policy management, access requests, and access certifications.
• Develops strategy and drives implementation from a people, processes, and technology perspective for core IGA capabilities including:

o Authoritative source connectors and identity lifecycle management

o Target system connectors and birthright access

o IGA workflows, analytics and reporting

o Role based access controls including automated role modeling, entitlement management, roles and policy management, access requests and risk-based access certifications

Privileged Access Management (PAM)

• Drives the RUSH PAM processes including but not limited to privileged access governance, session management, credential management, JIT-PAM methods, account discovery, task automation, secrets management, privilege escalation and delegation management, and CIEM.
• Develops strategy and drives implementation from a people, processes, and technology perspective for core PAM use cases including:

o Human to machine PAM administration for servers and infrastructure, endpoints, and remote access.

o Machine to machine connectivity for databases, applications, and microservices.

o Machine to machine automation including scripts, DevOps pipelines, and RPA

o Cloud infrastructure entitlements for IaaS, PaaS, and SaaS.

Administration

• Defines strategy, with a roadmap of key deliverables and timelines, and delivers consistently.
• Provides enterprise-wide leadership and direction in all areas of IAM.
• Aligns the security team scope, budget and staffing to the company level strategy, emerging technologies and changes in the threat landscape
• Leads a functional Cybersecurity team to manage IAM operations to meet the business and compliance requirements of RUSH
• Represents RUSH at local and national security conferences to understand industry trends and incorporate into current operations
• Approves/disapproves department expenditures. Develops short and long-term budget projections and plans. Provides financial status reports as needed.

Required Job Qualifications:

• Requires bachelor’s degree in computer science or related technology field.
• CISM or applicable certification.
• 10+ years of relevant computer systems experience focusing on Information Security and Identity Management, preferably in a healthcare setting.
• Understands IAM principles, methodology, and solutions including access control (role-based and discretionary), authentication, authorization, provisioning, approvals, and workflows
• Experience with Single Sign On (SSO), Directory Federation, SAML, OAuth, and Multifactor authentication
• Expert knowledge in IAM tools, technology, governance, and program management.
• Extensive knowledge of current common paradigms for violating system integrity.
• Understanding of key IAM concepts such as Least Privilege, Privileged Access, Roles and Data mining, Segregation of Duty (SOD), and Zero Trust (ZTA/ZTNA)
• Must have excellent interpersonal skills to effectively communicate with all levels of hospital personnel, vendors, and IT personnel.
• Must possess the ability to deliver clear, concise communications and presentations. Must be able to train others quickly and thoroughly on key cybersecurity concepts.
• Expert knowledge with security role-based access for enterprise clinical applications.
• Experience as a technology security leader building world class security strategies and executing them.
• Experience building effective internal and external relationships and interacting effectively with individuals at all levels.
• Experience influencing and collaborating to get work done through others.
• Management experience.

Preferred Job Qualifications:

CISM, CISSP, or applicable security certification

Rush is an equal opportunity employer. We evaluate qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other legally protected characteristics.

Read Full Description