Associate Director, Information Security

**About OICR**

The Ontario Institute for Cancer Research (OICR) is Ontario’s cancer research institute. We bring together people from across the province and around the world to improve the lives of everyone affected by cancer. We take on the biggest challenges in cancer research and deliver real-world solutions to find cancer earlier and treat it more effectively. We are committed to helping people living with cancer, as well as future generations, live longer and healthier lives.

Launched in December 2005, OICR is an independent institute funded by the Government of Ontario through the Ministry of Colleges and Universities.

**Job Details**

Position: Associate Director, Information Security

Location: MaRS Centre, Toronto

Department: Corporate Information Technology

Reports To: Senior Director, IT and Information Security Officer

**Salary**: Commensurate with level of experience; total compensation includes a competitive benefits plan, plus a defined benefit pension plan (HOOPP)

Hours: 35 hours/week

**Job Type**: Hybrid (flexible)

Status: Full-time, Permanent

**Position Summary**

OICR is dedicated to upholding a highly effective and mature Information Security Program, with the full backing of the OICR Executive and Board. The new Associate Director of Information Security will work closely with the Senior Director to ensure that institute data, including patient health information and personal information is protected with appropriate measures to prevent unauthorized access, alteration, or removal. As a Prescribed Person under the Personal Health and Information Protection Act, 2004 (PHIPA) for its work with the Ontario Tumour Bank, OICR has an additional responsibility to safeguard data and report on key information security indicators.

**Position Responsibilities**
- Leadership:

- Demonstrate OICR values in all that you do; lead by example;
- In conjunction with the Senior Director, IT and ISO, lead the Information Security Program, and maintain a “mature” rating;
- Work closely with the Associate Director, Research IT and the Associate Director, Corporate IT, as well as other IT leaders;
- Provide leadership and mentoring to Information Security Administrators and other IT staff;
- Conduct performance management, hiring, team building, and other staff management tasks;
- Manage relationships and deliverables of information security vendors and third party service providers;
- Create and maintain Information Security policies, procedures and practices, in compliance with regulators, standards such as NIST, and industry best practice;
- Create and conduct Information Security related training sessions;
- Create Information Security related reports and key performance indicators;
- Attend meetings with all levels of staff, up to Executive and Board level, to present and answer questions regarding OICR’s Information Security program;
- Perform other Information Technology leadership activities as assigned.
- Technical:

- Champion, develop, improve and expand OICR’s information security processes, tools and systems;
- Assess information security elements of new technology solutions and cloud services to ensure they align with OICR and industry best practices;
- Be aware of and assess evolving risks and adapt the Information Security Program to safeguard new technologies including AI, LLM and expanding technologies such as containerization and cloud;
- Perform expert level Information Security tasks and act as a point of escalation and coaching for event and incident management, breach management, and forensics;
- Perform and/or supervise in-house or third party audits and assessments including Threat Risk Assessments, Vulnerability Assessments, and Penetration Testing;
- As with all positions in OICR IT, occasional work outside of normal business hours and participating in a critical issue response on-call rotation will be required.

**Qualifications**
- Bachelor’s degree in Computer Science, Information Security, Computer Engineering, or recognized equivalent. A combination of formal education and work experience will be considered.
- CISSP, CISM or similar Information Security certification(s)
- Experience in the field of Information Security, including at experience as a senior leader
- Familiar with all areas of Information Technology both on-premise and cloud-based
- Experience identifying and prioritizing information security threats, and overseeing timely mitigation
- Must have expert level knowledge and working experience in all common areas of Information Security including:

- vulnerability assessment, threat risk assessment, penetration testing
- incident response and incident handling methodologies
- intrusion detection methodologies and techniques
- Microsoft Security/Defender or equivalent EDR/MDR/XDR
- Tenable Security Centre or equivalent
- Phishing simulations
- SOC/SIEM, security event logging, rule parsing, and alerting; immutable logging
- Enterprise class next