Specialist, Security

To obtain a French translation of the following job posting, please email careers@ontariohealth.ca. Requests will be addressed within three business days, and the application window will be extended by three business days.

At Ontario Health, we are committed to developing a strong organizational culture that connects and inspires all team members across the province. Our vision is that together, we will be a leader in health and wellness for all. Our mission is to connect the health system to drive improved and equitable health outcomes, experiences, and value. How we work together is reflected through our five values: integrity, inspiration, tenacity, humility, and care.

What Ontario Health offers:

Achieving your career goals is a priority to us. Benefits of working at Ontario Health may include the following based on employment type:

• Fully paid medical, dental, and vision coverage from your first day
• A health care spending or wellness spending account
• A premium defined benefit pension plan
• Three personal days and two float days annually
• Three weeks’ vacation to start (for individual contributors), increasing to four weeks after two years
• Career development opportunities
• A collaborative values-based team culture
• A wellness program
• A hybrid working model
• Participation in Communities of Inclusion

Want to make a difference in your career? Consider this opportunity.

The Specialist, Security will work with various teams within Ontario Health and with its partners to ensure the timely, efficient, and quality delivery of Cyber Security products and services. They will contribute to the execution and maturing of OH's security programs and serve as a security subject matter expert to the organization.

Here is what you will be doing:

• Identifies and recommends security controls and solutions, as well as the tactical approaches to deliver them, for product/services/and assessment initiatives that meet projects and customer needs and timelines, while adhering to overall OH security frameworks and approved methodologies and patterns.
• Consults on, advises, and influences product/portfolio project planning by identifying security by design and significant for products in a holistic approach to ensure end products and services are aligned with OH Security program requirements.
• Assesses and identifies cross-product security control gaps and opportunities for mitigation and alignment with the security policies and standards and industry best practices, and advocates for solutions to address security gaps with product owners before releasing them to production.
• Analyzes proposed solution architectures, technology, design, and IT development processes to identify potential threats and vulnerabilities, and to recommend options that enhance the security of solutions and business processes. Identifies, analyzes and recommends options for risk management at appropriate levels within the enterprise and the health care sector.
• Delivers internal and external security consulting services to stakeholders where required.
• Supports the development of security roadmaps, program and product vision.
• Works with a high level of autonomy in setting objectives based on minimal direction from management.
• Collaborates with internal peers and local programs to ensure alignment of security practices, controls, patterns, and solutions to mitigate identified risks and gaps.
• Stays current on the security landscape and threat vectors and assesses new security trends with respect to Ontario Health’s business needs and identifies opportunities to improve the security posture of products and services and on business, technology, architecture and solution design trends.
• Stays abreast of provincial, federal, and international security attack tools, Tactics, Techniques, and Procedures (TTPs), and secure operating trends.
• Provides guidance on how to build and deploy secure solutions or placing compensating controls for business and technical challenges.
• Identifies dependencies in project/product deliverables and provide guidance for planning and delivery.
• Coordinates internal and external information security initiatives as a subject matter expert to reach feasible security solutions for complex problems and issues across the health care sector. Plays a leading role in the implementation and operationalization of those solutions.
• Contributes to the ongoing development and maturing of the OH security program, consulting, and assurance practices.
• Maintains the currency of the OH security program by writing or updating security policies, standards, assessment, and guidance documents. Implements tools and processes to manage workflow and materials related to the information security governance.
• Prepares and maintain security-training materials, deliver security-training sessions to various stakeholders throughout the province and within the organization.
• Manages multiple clients and security-related projects simultaneously and presents status updates to upper management.
• Works with IT, Development, and all other OH Enterprise teams to establish appropriate security processes, controls and ensure compliance with security policies.
• Guides and influences project team to align and build with an eye to OH's Information Security approved frameworks and methodology.
• Collaborates with and guides and mentors senior, junior and peer security specialists.
• Identifies opportunities, impacts and transformations required to realize their value and assess their implications on the future state of specific products or portfolios.
• Provides subject matter expertise to various provincial and regional security governance and risk management initiatives.
• Consults with members and organizations in the health care community to implement security policies and related controls and to onboard them to regional and provincial health care initiatives.
• Works with internal and external (regional partner and vendor) stakeholders.
• Makes decisions where results have a major impact across the organization requiring sophisticated solutions and long-term correction.

Here is what you will need to be successful:

Education and Experience:

• BA in Computer Science, Information Systems or other related field, or equivalent work experience.
• 2 to 5 years of experience in IT with minimum two years of it working experience in security technologies, principles, risk management, vulnerability management, monitoring and incident response, program development, and architecture.
• Certifications in cyber security (e.g., CISSP or CISA) are required, or working towards.
• Experience supporting Cyber Security Readiness assessments, business process analysis, continuous improvement, process redesign.
• Experience evaluating existing cyber security performance, establishing cyber security KPIs, applying performance methodologies.
• Experience in security governance development Policies, Standards, Procedures.
• Experience with change management including design, preparation and maintenance of security training materials, proven ability to deliver security training sessions to various stakeholders within healthcare and at different scales.
• Experience influencing, negotiating, and building positive relationships within the team and external parties.
• Experience with and knowledge of Microsoft Office tools including SharePoint and Teams, Microsoft Project, and Microsoft Project Server.
• Advanced understanding of information and cyber security risk concepts (assets, threats, vulnerabilities, controls), models, and assessment methodologies (e.g., HTRA).
• Advanced understanding of information security architecture and associated methodologies (e.g., SABSA).
• Advanced understanding of information security frameworks including ISO 27001/2 and NIST CSF.
• Intermediate understanding of technical vulnerability assessment approaches.
• Intermediate knowledge of laws, regulations, policies, and ethics as they relate to cyber security and privacy.
• Advanced knowledge of information systems and security technologies used to protect them, including host, server, network, and application security.
• Analysis of information security risks by applying formalized threat risk assessment methodologies (e.g., HTRA).
• Experience performing threat risks assessments.

Knowledge and Skills:

• Analytical and problem-solving skills to assess security control gaps; identify dependencies in project/product deliverables; track implementation/remediation activities across organizations; analyze and recommend options for risk management.
• Communications skills, both orally and in writing, to present subject matter information that is both comprehensive and easy to understand; present materials to large audience; interpret and communicate risk management concepts; consult with stakeholders; write/update security policies, standards, assessment, guidance documents and training material.
• Ability to motivate other team members to achieve higher goals and improve the impact of technology initiatives.
• Demonstrated ability to understand and discuss technical concepts, manage trade-offs, and evaluate opportunistic innovative ideas with internal and external partners.
• Ability to learn new technologies and support new projects and initiatives in a rapidly changing environment.
• Ability to take a leading role in various OH security initiatives providing security expertise, facilitating collaboration and furthering OH's security objectives.
• Ability to lead end-to-end planning, architecture, solution development, and execution of program activities.
• Ability to utilize and monitor various state of the art tools to detect, prevent and mitigate cyber security threats or risks to OH.
• Ability to participate in cyber security incident response and on-call rotations.
• Ability to engage with clients with competing priorities and sometimes in political settings which can have heavy impact and load on the emotions and become stressful, that would require professional and personal soft skills to handle such situations properly.
• Ability to make decisions where results have a major impact across the organization.

#LI-hybrid

#LI-AP1

#OH-IND-DIG

Location: Ontario (currently hybrid; subject to change)

Employment Type: Temporary + (Fixed Term) Full time

Contract Length: 18 Month(s)

Salary Band: Band 5

External Application Deadline Date: May 8, 2025

All applicants must be a resident of Ontario to be considered for roles at Ontario Health.

Ontario Health encourages applications from candidates who are First Nations, Métis, Inuit, and urban Indigenous; Francophone; members of Black and racialized groups; 2SLGBTQIA+ communities; trans and nonbinary individuals; and people living with disabilities.

Ontario Health is an accessible employer, and we offer accommodation in all aspects of employment, including the recruitment process. If you require a disability related accommodation in order to participate in the recruitment process, please email careers@ontariohealth.ca and a member of the team will connect with you within 48 hours.