Cyber Security Director – HIH – Evernorth

Evernorth Health Services (The Cigna Group)

APAC/Oceania, India, Andhra Pradesh

N/A
Salary

Rank

Director

Responsibility

Functional Tower Lead

Scope

Regional

Workplace

100% in office

Functions

IT

Reports to
Level

N-2

Travel Max:

0%

Posting Date

06-15-2025

Description

The Cigna Information Protection, Head of Security is a key business-facing leadership position whose primary focus is to act as a conduit between the Cigna Information Protection organizational goals and business line interests. Acting as the primary delegate for the business line Chief Information Security Officer, you will oversee the development and execution of the Cyber / Information Security Strategy at a granular level.

Strategically you will be responsible for delivery of the ‘last mile execution’ of all Cigna Information Protection global Shared Services, developing and measuring capabilities whilst running subsequent risk mitigation Cyber Information Security Management programs.

Being the local evangelist and expert, you will focus on local stakeholder business management and also wider stakeholders such as regulators, clients and external parties.


Key Responsibilities

  • Manage all external local client and regulatory engagements, including fielding queries and regulatory & compliance submissions, in conjunction with matrix Cigna Information Protection Shared Service partners and governance stakeholders, legal, compliance and data privacy.
  • Lead localized Controls Assurance activities; define and effectively track control testing and remediation risks for the local business line.
  • Coordinate Shared Service benchmarking exercises (NIST etc.) using Cigna Information Protection standards.
  • Leverage the Enterprise Risk Management framework, perform focused localized risk assessments of existing or new services and technologies in line with policies and standards, and manage the risk exceptions process.
  • Develop residual risk registers and integrate into Shared Service Integrated Risk Management Framework.
  • Coordinate the local delivery of global Cyber & Privacy portfolio risk mitigation projects and programs into business line / region.
  • Conversely feed the portfolio by registering local business line residual risk outputs driving controls mitigation activity.
  • Evolve Cigna Information Protection security policies and processes, aligning to local business requirements and operate the policy exceptions management process.
  • Coordinate security education & awareness initiatives in line with policy framework, integrate with the Shared Service overall thematic awareness program.
  • Partner with business line / regional CIOs and technology stakeholders to educate and integrate risk management activities in first and second line of defense governance.
  • Coordinate with Shared Services to provide localized risk and vulnerability management information and reporting and embed Cyber / Information Security into business operational governance forums enabling data driven decision making.
  • Develop organizational wide Cyber / Information Security risk views by collaborating with internal control groups e.g. Audit, Compliance, Enterprise Risk Management, Legal and Privacy.
  • Liaise across Legal, Privacy and Sourcing teams to manage 3rd party risks. Conduct 3rd Party Assessments, including evaluations, contract reviews and onsite visits where appropriate.
  • Embed secure development practices, working with local business and technology teams to implement enterprise tooling and processes to ensure secure code implementation.
  • Embed risk management practices into Agile / DevSecOps pipelines to minimize production vulnerabilities.
  • Run localized Infrastructure, Application and Cloud evaluations / assessments against agreed security patterns and pre-production scanning processes to reduce production vulnerabilities.
  • Integrate residual risk outputs in local and Shared Services governance.
  • Champion local incident responses & handling processes, provide business context and local expertise in incident scenarios.
  • Coordinate with Shared Service owner to manage local incident management post mortem activities and track residual findings to resolution.
  • Maintain and manage local regulatory incident response reporting requirements.
  • Engage with Shared Services to carry out forensics security investigations work integrating processes with business and legal / compliance stakeholders.
  • Partner with Global Architecture Shared Services organizations to implement standard security solutions and capabilities, providing expert change solution design in local business line.
  • Conversely feed global Architecture roadmaps by capturing local requirements.
  • Support business line mergers, acquisitions and divestiture activities in line with the Shared Services playbook designed to reduce change risk.
  • Lead local business Cigna Information Protection teams as well as matrix manage Shared Services peers.
  • Ensure in-person employee engagement by motivating the team, running personalized development programs, and creating an empowering culture aligned with Cigna values.

Qualification & Requirements

Experience Required

  • Minimum 18-21 years of Information Security / Cyber or related risk management experience.

Experience Desired

  • Experience leading teams of over 125-150 employees
  • Experience within the Healthcare, Insurance or Financial Services industry preferred.

Education and Training Required

  • CISSP or other security related certification preferred (CISM / CISM etc.)

Primary Skills

  • Implementation level knowledge of information security standards and frameworks (e.g. ISO/IEC 27001/27002, PCI-DSS, NIST Cybersecurity Framework, etc.) and attestation reports (e.g. SOC 1/2). Awareness of Governance, Risk and Compliance and workflow management tools, e.g. Onspring, ServiceNow VR, Brinqa etc.

Additional Skills

  • Ability to translate information security and technical controls into business terms that are easily understood.

Benefits

Cigna’s mission is to improve the health, well-being and sense of security for those we serve, and that includes our employees. This same commitment is extended to our more than 37,000 employees across the globe, as we invest in them through a comprehensive total rewards program called the Your Cigna Life/Personal Portfolio, which has been carefully designed to help our employees enhance their personal, professional and financial life. Our mission also guides our internal health & wellness strategy – Healthy Life – and the design of our benefits. You see it in the additional services, too, from life coaching, to financial savings and protection benefits. Cigna employees have access to our leading products and services. Employees and all their household members have access to free life coaching and lifestyle management programs – even if they’re not enrolled in the Cigna Medical Plan.

Company Profile

Evernorth Health Services (The Cigna Group)
Industry

Hospitals and Health Care

Revenue

$195.27B

Employees

71,413

Fortune 500 Rank

#16

Global 500 Rank

#35
