Location: US:PA: Hershey
Work Type: Full Time
FTE: 1.00
Shift: Day
Hours: 8:00a - 5:00p
SUMMARY OF POSITION:
The Cybersecurity Requirements Planner will serve as a trusted advisor within the Cybersecurity team. This role focuses on continuous cybersecurity risk assessment, effective requirements planning, exception analysis, and enterprise security advisory services. This role will apply strong cybersecurity judgement to evaluate systems against organizational policies, standards, and baselines; assess risk; recommend mitigations and compensating controls; and support enterprise data protection, security awareness, and readiness activities. This role requires a blend of technical security expertise, governance maturity, and strong communication skills in a complex academic healthcare environment.
ESSENTIAL DUTIES: The percentage of time spent performing essential functions is 95%. Qualified individuals must have the ability (with or without reasonable accommodation) to perform the following duties: Key responsibilities include:
Requirements Planning & Consultation
• Review proposed IT systems and projects to ensure alignment with company cybersecurity policies, standards, security baselines, as well as regulatory and industry requirements.
• Act as a consultant for internal teams, helping them understand organizational cybersecurity requirements and how to meet them.
• Evaluate and document policy, standard, or baseline exception requests, recommend appropriate mitigations or compensating controls.
• Serve as a Cybersecurity consultant to IT and business teams during system design, implementation, and operational change.
• Translate cybersecurity requirements into clear, actionable guidance for technical and non-technical stakeholders.
Data Protection - Data Loss Prevention (DLP)
• Support the day-to-day enterprise data protection activities, including work within the DLP toolsets (e.g., monitoring alerts, refining discovery rules, and tuning policies).
• Investigate potential data leakage incidents and coordinating with stakeholders for remediation.
• Provide regular reporting on data protection trends and risks to leadership.
• Collaborate with stakeholders to protect sensitive data while minimizing business disruption.
Risk Assessment & Advisory
• Assist in performing formal and informal risk assessment for on-premises, hybrid, and cloud-based systems.
• Assess systems against cybersecurity policies, standards, and baselines.
• Identify security gaps, evaluate risk, and recommend appropriate mitigations or compensating controls.
• Recommend mitigations, compensating controls and risk-reduction strategies based on organizational risk tolerance and emerging threats.
• Apply cybersecurity and privacy principles to ensure compliance with regulatory and organizational requirements.
Security Awareness & Readiness
• Define training requirements based on risk assessments, Incident Response & Threat intel reports, policy requirements, regulatory requirements and relevant best security practices.
• Evaluate training effectiveness and revise to address gaps.
• Write professional articles covering relevant training topics for publishing to the enterprise.
• Develop and deliver cybersecurity awareness training content to foster a security-first culture. Delivery methods include online videos, articles, presentations using Microsoft Teams and in-person training.
• Design and facilitate Cybersecurity Tabletop Exercises (TTX) to test incident response and business continuity capabilities.
• Conduct quarterly phishing exercises including development of objectives, selecting content and using associated tools to perform the testing and monitoring of the results.
Performance Metrics & Security Posture
• Develop and track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to measure the effectiveness of security controls (e.g., DLP block rates, policy exception trends, training completion, phishing campaign results).
• Conduct continuous improvement reviews using metric trends to identify gaps in current policies, standards, baselines, or processes and recommend updates.
• Develop metrics, trend analysis, and management reports.
• Ensure compliance with regulatory and organizational security requirements.
MINIMUM QUALIFICATION(S):
• Senior Level: Bachelor's degree in computer science, Cybersecurity, IT, or related field + 8 years' experience OR twelve (12) years combined education/experience.
PREFERRED QUALIFICATION(S):
• CISSP or equivalent preferred
• Strong foundational knowledge of cybersecurity principles, including infrastructure security, identity and access management, logging/monitoring, and risk management.
• Experience performing cybersecurity risk assessments, risk analysis, and control evaluations using NIST 800-53 controls or similar assessment methodologies.
• Working knowledge of the NIST Cybersecurity Framework (CSF), and hands-on experience with NIST SP 800-53 (Rev 5) controls or similar frameworks.
• Strong knowledge of risk management, and regulatory compliance (HIPAA, PCI, FERPA, GLBA, PA Law)
• Proficiency with Data Loss Prevention (DLP) (Microsoft & Palo Alto preferred) including ability to create and tune DLP policies.
• Excellent analytical, communication, and organizational skills.
• Ability to develop and maintain cybersecurity documentation (policies, standards, procedures, SSPs, POA&Ms) aligned with NIST frameworks.
• Understanding of continuous monitoring practices as discussed in NIST guidance, including evidence collection, control testing, and reporting.
Penn State Health offers an exceptional benefits package including medical, dental and vision with no waiting period as well as a Total Rewards Program that highlights a few of the many additional offerings below:
• Be Well with Employee Wellness Programs, and Fitness Discounts (University Fitness Center, Peloton).
• Be Balanced with Generous Paid Time Off, Personal Time, and Paid Parental Leave.
• Be Secured with Retirement, Extended Illness Bank, Life Insurance, and Identity Theft Protection.
• Be Rewarded with Competitive Pay, Tuition Reimbursement, and PAWS UP employee recognition program.
• Be Supported by the HR Solution Center, Learning and Organizational Development and Virtual Benefits Orientation, Employee Exclusive Concierge Service for scheduling.
Union: Non Bargained