WHO WE ARE

When it comes to health, we're always looking for ways to push for better. It's why we were founded in the first place. In 1957, our founder, pharmacist William Wilkinson, witnessed a mother sacrifice her health by forgoing her own medicine to pay for her sick daughter's prescription. He knew there had to be a better way. So he introduced North America's first prepaid drug plan, and GreenShield was born as a not-for-profit with a mission to support better health for all Canadians.

We aren't just a health and benefits company. We're the only not-for-profit social enterprise that brings the worlds of coverage and care together, all in one place. We're noble challengers, purposefully building a better way, and we need the best people to help us create a more holistic approach that takes care of the mind and body. Our mission is to create better health for all Canadians, and we know that starts with our employees.

THE ROLE IN A NUTSHELL

Base Salary: Range Exempt

The Director, Information Security Governance, is responsible for the strategic leadership and operational oversight of the organization's Information Security Governance, Risk, and Compliance (GRC) functions. This role ensures a robust, risk-based, and business-aligned information security posture across the enterprise. The Director will develop, execute, and continuously enhance governance programs, policies, and processes that align with the NIST Cybersecurity Framework, regulatory obligations, and organizational objectives. This position is both strategic and hands-on, requiring expertise in cybersecurity risk management, policy governance, third-party oversight, regulatory compliance, and leadership of a multidisciplinary security team. The Director supports the Vice President, Security (CISO) in liaising with executive stakeholders, including the Risk Committee, Executive Committee, and Board of Directors.

Responsibilities

1. Information & Cybersecurity Awareness and Testing
- Design and oversee a comprehensive cybersecurity awareness and testing program covering onboarding, monthly micro-trainings, quarterly phishing simulations, and annual enterprise-wide training.
- Deliver targeted training for executives, business units, and the Board of Directors, incorporating role-based risk scenarios and regulatory expectations.
- Measure training effectiveness through metrics and Key Risk Indicators (KRIs) for continuous program improvement.

2. Third-Party Risk Management (TPRM) Security Posture Assessments
- Lead the information security evaluation and continuous monitoring of third-party vendors, ensuring robust due diligence and risk scoring against security posture standards and procedures.
- Develop and manage the vendor security assessment lifecycle, integrating findings into enterprise risk reporting and procurement processes.

3. Information Security Policy and Standards Management
- Maintain and expand the Information Security Policy and Standards library to align with evolving business operations, regulatory changes, threats, and frameworks (NIST, SOC 2, OSFI, ISO 27001, etc.).
- Oversee policy governance and internal communication to ensure organizational compliance and understanding.

4. Cybersecurity Incident Response Program
- Lead the development, testing, and maintenance of the Cybersecurity Incident Response Plan (CIRP) and oversee playbook updates in partnership with the Information Security Operations team.
- Facilitate regular tabletop exercises simulating real-world attack scenarios, driving executive participation and readiness.

5. Business Enablement
- Support revenue growth by leading the security response to RFPs, participating in client meetings, and answering due diligence requests, enabling sales opportunities.
- Lead client assurance efforts, including security audit responses and TPRM assessments, reinforcing trust and compliance assurance with customers.

6. Information & Cybersecurity Risk Management Program
- Develop and operationalize a comprehensive Cybersecurity Risk Management framework aligned to the NIST CSF.
- Oversee the execution of security risk assessments and quantification models to measure and report risk exposure across business units.
- Lead ongoing security control testing for systems, applications, and third parties to validate security control design and operating effectiveness, ensuring risk mitigation.

7. Information Security Governance Program
- Architect and execute a governance model that aligns with corporate strategy and risk appetite, ensuring consistent oversight of security programs and compliance obligations.
- Maintain governance documentation, charters, and processes reflecting continuous improvement and audit readiness.

8. Information Security Control Framework
- Develop and manage a centralized Control Library mapping controls to regulatory, policy, and framework requirements.
- Oversee periodic control testing, validation, and maintenance activities, ensuring transparency and traceability to audit results.

9. Business Continuity Program (BCP)
- Oversee development, implementation, and testing of Business Continuity and Disaster Recovery programs.
- Conduct Business Impact Assessments (BIAs), Process Impact Analyses (PIAs), and dependency mapping across systems, processes, and vendors.
- Lead BCP tabletop exercises and training to ensure operational resilience during crises.

10. Regulatory, Audit, and Compliance Stakeholder
- Act as the primary Information Security stakeholder in SOC 2, OSFI, CLHIA, and other regulatory audits.
- Manage relationships with external auditors and internal risk teams to ensure timely, accurate evidence submission and remediation tracking.
- Support annual cybersecurity insurance renewals through risk data aggregation and reporting.

11. Government of Canada Protected B Program
- Serve as the Alternate Company Security Officer (ACSO), responsible for safeguarding sensitive government information and ensuring compliance with federal contract security requirements.

12. Data Governance & Data Loss Prevention (DLP)
- Collaborate with the Data Governance Committee to design and enforce DLP strategies.
- Guide the implementation of security controls to detect, prevent, and respond to data exfiltration risks.

13. Access Reviews and Audit Readiness
- Oversee periodic access attestation reviews for critical systems and applications.
- Ensure compliance with audit standards and integration of results into enterprise KRI dashboards and Risk Committee reporting.

14. Reporting and Executive Communication
- Develop, author, and present quarterly Information Security performance and compliance reports to the Risk Committee, Executive Team, and Board of Directors.
- Track progress against key deliverables, KRIs, and program OKRs.

15. Strategic Planning and Roadmap Development
- Lead the creation and ongoing management of the Information Security Governance Roadmap, ensuring alignment with enterprise IT, risk, and organizational strategy.
- Identify emerging risks, regulatory changes, and technological trends to inform forward-looking governance objectives.

WHO WE'RE LOOKING FOR

- University degree in Computer Science or equivalent.
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Business Continuity Professional (CBCP)
- Minimum of 10 years in a leadership role operating in enterprise IT, risk, regulatory, audit, and compliance environments.
- Strong leadership capabilities to motivate, build, develop, and lead effective teams to achieve results.
- Verbal and written communication with a spectrum of senior management, executives, users, other technical teams, and external customers, to enable and influence business outcomes.
- Strong problem-solving abilities and the ability to work effectively under pressure.
- An accomplished facilitator with excellent interpersonal and communication skills that support working effectively in multidisciplinary and multi-location team environments.
- Experience partnering with technology, product, risk, internal audit, compliance, and sales.
- Highly developed planning, organizing, and negotiating skills; can manage multiple tasks, meet tight deadlines, and respond to changing priorities.

THE CULTURE

We believe a career should be meaningful, not just a means to earn a living. Our culture is one where everyone's voice is heard and valued, because that's what it takes to create better health for all. We dare to challenge the status quo, and we're driven by people who have challenged theirs.

We believe that your workplace should empower you to be the best version of yourself. That's why we provide a place where you can be inspired, challenged, and rewarded. Where your growth means our growth. Where your voice is heard and valued. Where your work has purpose. And purpose matters.

We believe our people are critical to our overall success. Inclusivity makes us a stronger, smarter, and more informed organization. Being intentionally inclusive of diverse backgrounds, perspectives, and experiences will enhance our company culture and positively impact how we support our communities. A career at GreenShield isn't just about personal achievements; it's about making a difference together. Here's to Better Health for All!

A FEW MORE DETAILS

Proficiency in English is required for this position. As part of this role, you will be required to communicate with colleagues or customers who use English as their primary language. By requiring English proficiency for this position, we aim to ensure that our employees can excel in their roles, collaborate and communicate effectively, and contribute to the success of our organization.

GS supports diversity, equity, and inclusion in our teams and communities, and we value the unique contributions made by all. Even if your experience doesn't align perfectly with every requirement, we invite you to apply. We encourage applications from all candidates and will accommodate needs under human rights legislation throughout all stages of the recruitment and selection process. Please let us know of any accommodation needs through [email protected]. Information received relating to accommodation will be addressed confidentially.

Providing this information gives GS consent to use your personal information to assess your suitability for specific positions, future opportunities, or for your personnel file. Your résumé will be held in strict confidence and will be viewed only by the Organization. Information may be stored outside of Canada and could be used for aggregate statistical purposes (which use no personal identification).

AI Usage: GreenShield leverages AI to help produce job descriptions and to ideate on interview questions. We also leverage AI for interview transcription support.
Job Title
DIRECTOR, INFORMATION SECURITY GOVERNANCE - HYBRID