Vice President, Chief Information Security Officer

We are so glad you are interested in joining Sutter Health!
Organization
SHSO-Administrative Payroll
Position Overview
Sutter Health is one of California’s most comprehensive healthcare systems and one of the nation’s largest, generating $18+ billion in revenues. Headquartered in Sacramento, Sutter Health is a not-for-profit, integrated healthcare system committed to health equity, community partnerships and innovative, high-quality patient care. Sutter’s 60,500+ employees, 14,000+ physicians and advanced practice clinicians, serve more than 3.5 million patients through its network of hospitals, medical foundations, ambulatory surgery centers, urgent and walk-in care centers, telehealth, home health and hospice services.
The Chief Information Security Officer (CISO) is the senior executive responsible for safeguarding the confidentiality, integrity, and availability of the health system’s information assets, technologies, and patient data. CISO develops and leads an enterprise cybersecurity program that balances patient safety, regulatory compliance, and business enablement. This role requires a visionary leader who can navigate the evolving healthcare threat landscape, foster a culture of security and resilience, and partner with clinical, operational, and digital leaders to support safe, effective, and trusted care delivery.
Essential Responsibilities
Strategic Leadership

• Develop and implement a multi-year information security strategy that aligns with organizational priorities, digital transformation goals, and regulatory requirements.
• Advise the CEO, CDO, COO, and Board of Directors on emerging cyber threats, risks to patient care, and mitigation strategies.
• Lead enterprise participation in healthcare security coalitions, information sharing groups (e.g., H-ISAC), and public–private partnerships.

Governance, Risk & Compliance

• Establish and maintain a security governance program based on healthcare-aligned frameworks (NIST CSF 2.0, HITRUST CSF, HICP, HIPAA/HITECH).
• Drive enterprise risk assessments and develop mitigation plans for cybersecurity, privacy, and clinical safety risks.
• Ensure compliance with HIPAA, HITECH, CMS, FDA (for medical device security), and state privacy regulations.
• Oversee security audits, penetration tests, and third-party/vendor risk assessments, ensuring remediation of findings.

Clinical & Operational Security

• Protect the Electronic Health Record (EHR), patient-facing portals, and digital health platforms against compromise, downtime, or data loss.
• Partner with Clinical Engineering and Biomedical teams to secure medical devices and Internet of Medical Things (IoMT).
• Lead preparedness for ransomware, phishing, insider threats, and advanced persistent threats with an emphasis on minimizing patient safety impact.
• Oversee disaster recovery and business continuity planning in alignment with emergency preparedness and patient safety frameworks.

Collaboration & Culture

• Partner with Digital, Compliance, Privacy, Clinical, and Operational leaders to embed security into new initiatives, system design, and patient engagement platforms.
• Build and lead organization-wide security awareness and phishing-resistance training tailored to caregivers, clinicians, and administrative staff.
• Serve as the public face of information security during regulatory reviews, patient safety investigations, and stakeholder engagements.

Team Leadership

• Recruit, develop, and lead a high-performing healthcare cybersecurity team across areas such as threat intelligence, incident response, IAM, and risk management.
• Promote a culture of accountability, clinical safety, and innovation in cybersecurity practices.
• Provide coaching and mentoring for next-generation security leaders.

Job Description
Minimum Qualifications:
Education & Experience

• Bachelor’s degree in Information Technology, Cybersecurity, Healthcare Administration, or related field required; Master’s degree preferred.
• 10+ years of progressive leadership in information security and risk management, with 5+ years in healthcare or another highly regulated industry.
• Demonstrated success implementing enterprise cybersecurity programs in a multi-hospital health system, payer, or large healthcare delivery network.

Knowledge & Skills

• Deep knowledge of HIPAA, HITECH, CMS, OCR enforcement, FDA guidance for medical devices, and healthcare-specific risk management frameworks.
• Expertise in EHR security (Epic preferred), identity and access management, cloud security, and medical device security.
• Strong business and clinical acumen; ability to align security with patient care priorities.
• Exceptional communication skills with the ability to present to clinical leaders, executives, and boards.
• Relevant certifications strongly preferred: CISSP, HCISPP, CISM, CISA, or CHPS.

The primary office location of this position will be in Sacramento or Emeryville, CA.
Job Shift
Days
Schedule
Full Time
Days Of The Week
Monday - Friday
Weekend Requirements
As Needed
Benefits
Yes
Unions
No
Position Status
Exempt
Weekly Hours
40
Employee Status
Regular
Sutter Health is an equal opportunity employer EOE/M/F/Disability/Veterans.
Pay Range is $393,140.00 to $531,877.00 / annual salary
*The compensation range may vary based on the geographic location where the position is filled. Total compensation considers multiple factors, including, but not limited to a candidate’s experience, education, skills, licensure, certifications, departmental equity, training, and organizational needs. Base pay is only one component of Sutter Health’s comprehensive total rewards program. Eligible positions also include a comprehensive benefits package.*