At Ontario Health, we are committed to developing a strong organizational culture that connects and inspires all team members across the province. Our vision is that together, we will be a leader in health and wellness for all. Our mission is to connect the health system to drive improved and equitable health outcomes, experiences and value. How we work together is reflected through our five values: integrity, inspiration, tenacity, humility and care.
What Ontario Health offers:
Achieving your career goals is a priority to us. Benefits of working at Ontario Health may include the following based on employment type:
Fully paid medical, dental and vision coverage from your first day
a health care spending account
a premium defined benefit pension plan
three personal days and two float days annually
three weeks' vacation to start (for individual contributors), increasing to four weeks after two years
career development opportunities
a collaborative values-based team culture
a wellness program
a hybrid working model
participation in Communities of Inclusion
Want to make a difference in your career? Consider this opportunity.
The Lead Security Specialist is primarily responsible for assisting the Manager and / or Team Leader in delivering on security program/operational mandates within information security area of expertise by executing key activities and developing the required deliverables within the OH Information Security Office (ISO). Contributes to the development, execution and maturing of OH's information security program and serves as a senior security subject matter expert to the organization. As part of this role, the Lead, Information Security Specialist develops the required processes, tools, and technology to implement key activities and deliver on program plans.
The Lead, Information Security Specialist is focused on projects/programs/operational areas that are large and broad in scope, have more complex mandates/objectives, and/or related to more than one focused area of expertise. A strong collaborative working relationship with the team within ISO, across Digital Excellence in Health (DxH) as well across Ontario Health is essential.
Here is what you will be doing:
Provides expertise and security advice to the development of roadmaps, program and product vision.
Provides direction on how to build and deploy secure solutions or placing compensating controls for business and technical challenges.
• Identifies dependencies in project/product deliverables and provides guidance for planning and delivery.
• Works with a high level of autonomy in setting objectives based on minimal direction from management.
• Collaborates with internal peers, and local programs, and health sector partners to ensure alignment of security practices, controls, patterns, and solutions to mitigate identified risks and gaps.
• Stays current on security landscape and threat vectors and assess new security trends with respect to Ontario Health's business needs and identifies opportunities to improve the security posture of products and services and of business, technology, architecture, and solution design trends.
• Stays abreast of provincial, federal, and international security attack tools, Tactics, Techniques, and Procedures (TTPs), and secure operating trends.
• Stays abreast of any changes to industry best practices or legislative regulations and assesses the resulting impact on the organization.
• Provides security assessment/threat modelling/risk leadership for other subject matter experts within engineering, product management, architecture, and other technical domains.
• Guides and influences project team to align and build with an eye to OH's Information Security approved frameworks and methodology.
• Develops policy, plans, standards, assessments, guides, and strategies in compliance with legislation, policies, and standards in support of organizational cyber activities.
• Develops, maintains, and evolves relationships with external organizations and communities of practice toward the betterment of Ontario Health, Ontario, and Canadian health system cyber security practice.
• Guides and influences portfolios, partners, and health sector entities to align solutions and services to Ontario Health's digital and cyber security vision considering provincial, national and international mandates.
• Communicates in a high-risk environment where information sharing to demonstrate transparency and trust is closely balanced with the reputational and liability risks of not sharing the appropriate information to the right audience or at the right time.
• Acts as a subject matter expert in cyber and information security .
Sets security requirements, in a consultative and collaborative fashion. Influences and guides senior subject matter experts (e.g., lead developers, IT Operations and Service Desk, and Architects) related to execution of security requirements, vision, best practices, and principles.
• Provides leadership in the delivery of internal security consulting services.
• Collaborates with and guides and mentors senior, junior and peer security specialists.
• Coaches developers, IT operations and architects about latest security threats and landscape as well as introducing tools and techniques as needed controls for securing OH digital assets, data, and operation.
• Provides support to the Manager, Director, and VP level in understanding leading and emerging cyber security concepts.
• Analyzes proposed solution architectures, technology, design and IT development processes to identify potential threats and vulnerabilities, and to recommend options that enhance the security of solutions and business processes. Identifies, analyzes, and recommends options for risk management at appropriate levels within the enterprise and the health care sector.
• Coordinates internal and external information security initiatives as a subject matter expert to reach feasible security solutions for complex problems and issues across the health care sector. Plays a leading role in the implementation and operationalization of those solutions.
• Contributes to the ongoing development and maturing of the OH security program, consulting, and assurance practices.
• Implement tools and processes to manage workflow and materials related to the information security governance.
• Prepares and maintains security-training materials, delivers security-training sessions to various partners throughout the province and within the organization.
• Manages multiple clients and security related projects simultaneously and presents status updates to upper management.
• Works with IT, Development, and all other OH Enterprise teams to establish appropriate security processes, controls and ensure compliance with security policies.
• Takes a leading role in various OH security initiatives providing security expertise, facilitating
collaboration and furthering OH's security objectives.
• Collaborates with members within OH, and with the provincial and federal level cyber security counterparts to support OH and the healthcare sector from cyber threats.
Identifies opportunities, impacts and transformations required to realize their value and assess their implications on the future state of specific products or portfolios.
• Operates and monitors various state of the art tools to detect, prevent and mitigate cyber security threats or risks to OH.
• Works with internal and external (regional partner and vendor) partners.
• Makes decisions where results have a critical impact across the organization requiring on the fly recommendations to the project teams, developers, and IT operations while following the overall OH approved and Industry best practices. Errors in judgment could lead to increase probability of data and/or system breach, with negative consequences for OH and Provincial digital operations, reputation, and privacy.
Here is what you will need to be successful:
Education and Experience
Bachelors of Masters in Computer Science, Information Systems or other related field, or equivalent work experience.
8-10 years of overall working experience in technology/digital/systems roles.
Minimum 5 years of IT working experience in security technologies, principles, risk management, vulnerability management, monitoring and incident response, program development, and architecture.
Certifications in cyber security (e.g., CISSP or CISA) are required, or working towards.
Certifications in Privacy (e.g., CIPP/C) are required, or working towards.
Experience conducting and leading Cyber Security Readiness assessments, business process analysis, continuous improvement, process redesign.
Demonstrated experience leading an organization through Information and Privacy Commissioner (IPC) tri-annual audits
Demonstrated experience leading and developing Governance, Risk and Compliance capability within an organization
Experience evaluating existing cyber security performance, establishing cyber security KPIs, applying performance methodologies.
Experience in security governance development Policies, Standards, Procedures.
Experience with change management including design, preparation and maintenance of security training materials, proven ability to deliver security training sessions to various partners within healthcare and at different scales.
Experience influencing, negotiating, and building positive relationships within the team and external parties.
Experience with and knowledge of Microsoft Office tools including SharePoint & Teams, Microsoft Project and Microsoft Project Server.
Knowledge of and experience in the Evaluation and Synthesis of security risk using methodologies such as HTRA and frameworks such as ISO 27001/2 and NIST CSF. Expert understanding of risk assessment methodologies such as HTRA and CSF, and frameworks such as ISO 27001/2and NIST.
Strong understanding of Security Architectural and Design concepts for products and services within Ontario Health and partners (e.g., Hospitals).
Evaluation of systems knowledge and experience developing and working with security architecture, and IT management frameworks such as SABSA, and CoBIT.
Broad understanding and ability to interpret and communicate risk management concepts.
Broad knowledge of TRA methodologies and other risk assessment methodologies and tools, and familiarity with related security tests and test methodologies.
Broad Understanding of typical security threats, vulnerabilities and safeguards relevant to application development, test and QA environments, and IT (datacenter) operations.
Strong understanding of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. e.g., PHIPA.
Knowledge of a wide variety of information systems and security technologies including Operating Systems security, LAN and WAN, Internet protocols and applications, secure communications, firewalls, IDS/IPS, PKI, identity management, identification and authentication techniques, role-based access control, malware defenses, etc.
Knowledge and experience on a wide variety of information systems and security technologies including Operating Systems security, Cloud Security, SIEM, SOAR, EDR, Email Security, Firewalls, Container Security, Secure SDLC, etc.
Knowledge on how to construct and evaluate threat models, based on architecture/design of OH systems and comprehensive understanding of current threats and corresponding defenses.
Expert level of cyber integration into process and business flow
Broad "east / west " knowledge of the health care sector as well as Ontario Health assets and how cyber impacts upon various digital assets and the clinical/system programs it supports.
Experience in leading end-to-end planning, architecture, solution development, and execution of program activities.
Key Competencies
Expert problem-solving and analytical skills to prioritize rapidly changing incidents, investigate and troubleshoot; track implementation/remediation activities across organizations; recommend options that enhance the security of solutions.
Expert communication skills, both oral and written, to listen, facilitate, and communicate complex content to large and diverse audiences; build consensus and influence partners; discuss technical concepts; develop security-related tools, policies, training, and other material.
Ability to motivate other team members to achieve higher goals and improve the impact of technology initiatives.
Demonstrated ability to understand and discuss technical concepts, manage trade-offs, and evaluate opportunistic innovative ideas with internal and external partners.
Superior leadership skills.
Ability to learn new technologies and support new projects and initiatives in a rapidly changing environment.
Able to perform under extreme degrees of pressure during live security incidents.
Adept at managing trade-offs and evaluating opportunities for innovation with internal and external partners.
Ability to build strong relationships with clients.
Ability to support cyber security incident response and on-call rotations.
Ability to engage with the clients with competing priorities and sometimes in political settings which can have heavy impact and load on the emotions and become stressful, that would require professional and personal soft skills to handle such situations properly.
Ability to make decisions where results have a critical impact across the organization
#OH-IND-DIG
#LI- AA1
#LI-hybrid
Employment Type:
Temporary + (Fixed Term) Part timeContract Length:
12 Month(s)Salary Band:
Band 7External Application Deadline Date:
January 1, 2025All applicants must be a resident of Ontario to be considered for roles at Ontario Health.
Ontario Health encourages applications from candidates who are First Nations, Métis, Inuit, and urban Indigenous; Francophone; members of Black and racialized groups; 2SLGBTQIA+ communities; trans and nonbinary individuals; and people living with disabilities.
Ontario Health is an accessible employer, and we offer accommodation in all aspects of employment, including the recruitment process. If you require a disability related accommodation in order to participate in the recruitment process, please email careers@ontariohealth.ca and a member of the team will connect with you within 48 hours.