The Chief Information Security Officer (CISO) provides strategic leadership for Mayo Clinic’s global information security program by balancing the preservation of trust by securing the privacy and security of patients, staff and other third parties with the need for simplification, convenience and frictionless use of technology and digital solutions for end users. Mayo Clinic’s CISO is responsible for safeguarding sensitive data and digital assets across all of Mayo Clinic and our related partnerships and affiliations. This executive role champions a proactive, adaptive security posture, leveraging emerging technologies and fostering a culture of shared responsibility for cybersecurity. The CISO works closely with leaders in the Digital Technology Organization (DTO) across Mayo Clinic to ensure security is seamlessly integrated into all technology initiatives. Additionally, the CISO partners with executive and functional leaders to embed security into business processes, digital transformation initiatives and innovation projects, ensuring alignment with Mayo Clinic’s mission and values, again in a manner that enables solutions not delays or serves as a barrier.

This is an on-site position based in Rochester, MN.

Key Responsibilities

1. Enterprise Information Security Leadership

• Refresh and execute a comprehensive, forward-looking information security strategy that protects Mayo Clinic’s data, systems and intellectual property across all operations and geographies.
• Oversee all elements of Mayo Clinic’s enterprise-wide information security program, including policy, strategy, architecture and operations, threat intelligence, incident response, AI and automation, security testing, identity management, ERIS and ERP, ensuring alignment to regulatory requirements and industry standards.
• Champion adoption of advanced security technologies, such as AI-driven threat detection, zero trust architecture, cloud security and identity management platforms in a manner that supports operations.
• Continuously assess and adapt the security program to address emerging threats, digital transformation and the needs of a remote and hybrid workforce.

2. Business Alignment & Collaboration

• Serve as a strategic partner to executive leadership and cross-functional teams, integrating security into business processes, technology initiatives and organizational change efforts.
• Foster a culture of cybersecurity awareness and shared accountability among employees, patients, partners and vendors.
• Collaborate with the DTO, internal audit, compliance, risk operations, legal, physical security, systems operations and development teams to coordinate security initiatives and drive enterprise-wide resilience while fostering and maintaining a positive user experience.
• Engage with external partners, industry groups and regulatory bodies to benchmark practices and ensure Mayo Clinic remains at the forefront of security innovation.

3. Vision, Governance & Risk Management

• Provide visionary leadership in risk management, governance and performance measurement, utilizing automation, advanced analytics, real-time dashboards and executive reporting.
• Guide the organization in balancing security, privacy and operational agility, ensuring business alignment and effective governance to safely enable emerging technology
• Lead the development and monitoring of executive-level metrics, risk analysis, mitigation strategies and reporting mechanisms.
• Provide executive leadership for enterprise cyber incident and crisis management, ensuring decisive, coordinated response and recovery for security events impacting the organization at any time.
• Advise senior leadership on security risks, trends and investment priorities, supporting informed decision-making and continuous improvement.
• Ensure security objectives are continually evaluated and sufficient to address evolving risks and aligned to organizational risk tolerance.

4. Team Leadership & Program Evolution

• Build, mentor and retain a diverse, high-performing team of information security professionals, promoting continuous learning and professional development.
• Cultivate a culture of inclusion, innovation and excellence within the security function.
• Lead the evolution of the information security program, securing executive sponsorship and budget, demonstrating measurable value and driving consensus among functional leaders.
• Manage relationships with external technology vendors and professional services firms, overseeing evaluation, negotiation and ongoing performance of service agreements.

Bachelor’s degree in information technology, Health Informatics, Business Administration or related field is required. Master’s degree of Science, Business Administration, Health Administration or related field is required. Qualified candidates must be a Certified Information Systems Security Professional (CISSP) with an active certification status. Experience as either a Chief Information Security Officer of an enterprise organization or as a direct report to a Chief Information Security Officer of a large international organization is required. Experience in the attraction, recruitment, hiring, retention and professional development of a diverse team of dedicated information security professionals. Experience in the successful evolution of an information security program. This will include garnering executive support and budget for information security initiatives, building consensus with functional leaders by demonstrating value and measurable results and creating a culture of information security awareness amongst the company’s core ecosystem, including patients, employees, partners and vendors,  while maintaining efficiency. 

Experience in the evaluation and implementation of industry standard enterprise-wide information security technologies and concepts, including but not limited to: Data Loss Prevention, Security Information and Event Management, Governance, Risk and Compliance Tools, Threat and Vulnerability Management, Identity and Access Management, Application Security, Cloud Security and Computer Forensics. A demonstrated understanding of the complex and diverse threats that an internationally renowned organization with sensitive data can be exposed to. Experience in managing relationships with external information security technology vendors, and specialized information security professional services firms, including management of the evaluation process of their capabilities, and the eventual negotiation of fair service level agreements and contracts between their company and these entities. Must be eligible to obtain security clearance if necessary.