Penn State Health - Penn State Health Corporation
Location: US:PA: Hershey
Work Type: Full Time
FTE: 1.00
Shift: Day
Hours: 8:00a - 5:00p
SUMMARY OF POSITION:
The Cybersecurity Requirements Planner will serve as a trusted advisor within the Cybersecurity team. This role focuses on continuous cybersecurity risk assessment, effective requirements planning, exception analysis, and enterprise security advisory services. This role will apply strong cybersecurity judgement to evaluate systems against organizational policies, standards, and baselines; assess risk; recommend mitigations and compensating controls; and support enterprise data protection, security awareness, and readiness activities. This role requires a blend of technical security expertise, governance maturity, and strong communication skills in a complex academic healthcare environment.
ESSENTIAL DUTIES: The percentage of time spent performing essential functions is 95%. Qualified individuals must have the ability (with or without reasonable accommodation) to perform the following duties: Key responsibilities include:
Requirements Planning & Consultation
• Review proposed IT systems and projects to ensure alignment with company cybersecurity policies, standards, security baselines, as well as regulatory and industry requirements.
• Act as a consultant for internal teams, helping them understand organizational cybersecurity requirements and how to meet them.
• Evaluate and document policy, standard, or baseline exception requests, recommend appropriate mitigations or compensating controls.
• Serve as a Cybersecurity consultant to IT and business teams during system design, implementation, and operational change.
• Translate cybersecurity requirements into clear, actionable guidance for technical and non-technical stakeholders.
Data Protection – Data Loss Prevention (DLP)
• Support the day-to-day enterprise data protection activities, including work within the DLP toolsets (e.g., monitoring alerts, refining discovery rules, and tuning policies).
• Investigate potential data leakage incidents and coordinating with stakeholders for remediation.
• Provide regular reporting on data protection trends and risks to leadership.
• Collaborate with stakeholders to protect sensitive data while minimizing business disruption.
Risk Assessment & Advisory
• Assist in performing formal and informal risk assessment for on-premises, hybrid, and cloud-based systems.
• Assess systems against cybersecurity policies, standards, and baselines.
• Identify security gaps, evaluate risk, and recommend appropriate mitigations or compensating controls.
• Recommend mitigations, compensating controls and risk-reduction strategies based on organizational risk tolerance and emerging threats.
• Apply cybersecurity and privacy principles to ensure compliance with regulatory and organizational requirements.
Security Awareness & Readiness
• Define training requirements based on risk assessments, Incident Response & Threat intel reports, policy requirements, regulatory requirements and relevant best security practices.
• Evaluate training effectiveness and revise to address gaps.
• Write professional articles covering relevant training topics for publishing to the enterprise.
• Develop and deliver cybersecurity awareness training content to foster a security-first culture. Delivery methods include online videos, articles, presentations using Microsoft Teams and in-person training.
• Design and facilitate Cybersecurity Tabletop Exercises (TTX) to test incident response and business continuity capabilities.
• Conduct quarterly phishing exercises including development of objectives, selecting content and using associated tools to perform the testing and monitoring of the results.
Performance Metrics & Security Posture
• Develop and track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to measure the effectiveness of security controls (e.g., DLP block rates, policy exception trends, training completion, phishing campaign results).
• Conduct continuous improvement reviews using metric trends to identify gaps in current policies, standards, baselines, or processes and recommend updates.
• Develop metrics, trend analysis, and management reports.
• Ensure compliance with regulatory and organizational security requirements.
MINIMUM QUALIFICATION(S):
• Senior Level: Bachelor’s degree in computer science, Cybersecurity, IT, or related field + 8 years’ experience OR twelve (12) years combined education/experience.
PREFERRED QUALIFICATION(S):
• CISSP or equivalent preferred
• Strong foundational knowledge of cybersecurity principles, including infrastructure security, identity and access management, logging/monitoring, and risk management.
• Experience performing cybersecurity risk assessments, risk analysis, and control evaluations using NIST 800-53 controls or similar assessment methodologies.
• Working knowledge of the NIST Cybersecurity Framework (CSF), and hands-o