Department: Information Technology – Enterprise Security
Location: Grapevine, TX or Cranberry Township, PA (Remote)
Position Overview
The Sr. Business Information Security Officer (BISO) serves as the primary bridge between Omnicell’s Enterprise Security Team and designated lines of business and functions. This role helps business units understand, adopt, and operationalize security policies and processes in a way that enables secure growth while meeting regulatory, customer, and audit expectations.
The BISO partners closely with Enterprise Security pillars (Cyber Architecture & GRC, SecOps, Product/Cloud Security, IAM, Third‑Party Risk, Resilience), Privacy, Legal, and commercial, services, and operations leadership.
Essential Duties & Responsibilities
Business Partnership and Risk Advisory
Serve as the primary security liaison for designated business units and functions (e.g., commercial and service leadership, operations, and enabling functions).
Participate in business reviews, portfolio planning, and steering committees to ensure security and privacy requirements are identified early.
Provide clear, risk‑based guidance on new initiatives (e.g., product launches, SaaS and cloud deployments, integrations, use of AI, new market segments), documenting recommended controls and trade‑offs.
Help business leaders balance growth, customer expectations, and regulatory obligations with Omnicell’s security, privacy, and compliance standards.
Security Governance, Alignment & Coverage
Ensure business units operate within Omnicell’s Global Cybersecurity Policy Suite, Enterprise Security Policy, and supporting standards (e.g., IAM, Network Security, Data Protection, Incident Response, Third‑Party Risk).
Interpret global policies in the context of regulations and frameworks (e.g., HIPAA/HITECH, HITRUST, SOC 2, state privacy laws such as CCPA/CPRA, payer/provider security requirements).
Maintain a documented security engagement model for stakeholders, including RACI for key controls, decision rights, and escalation paths.
Represent the security risk posture and control maturity in enterprise security and IT risk governance forums.
Risk Management, Assessments & Reporting
Maintain a security risk register aligned with NIST CSF v2.0, Omnicell’s risk taxonomy, and enterprise risk processes.
Coordinate or lead risk and privacy impact assessments for systems, data flows, and business processes, in partnership with Privacy, Legal, Product, and IT.
Translate assessment findings into corrective action plans (CAPs) with clear owners, timelines, and mapping to applicable control frameworks (e.g., NIST CSF, NIST 800‑53, HITRUST, SOC 2, Omnicell policies, and relevant regulations).
Contribute data to enterprise security metrics and dashboards (e.g., vulnerabilities, incident trends, IAM metrics, training completion) and help drive remediation and continuous improvement.
Security Enablement, Projects & Change Initiatives
Embed security into programs and projects (e.g., cloud migrations, data center moves, partner integrations, major customer programs, M&A integrations, and divestitures) by ensuring requirements are captured and designs align with enterprise reference architectures and policies.
Partner with Product/Cloud Security and IT to ensure hosted workloads follow standards across segmentation, logging, IAM, PAM, CSPM, DLP, EDR, and related controls.
Support data classification and handling for operations, ensuring that confidential information, PHI, and PII are managed per Omnicell policies and applicable US laws and regulations.
Promote and coordinate security training and awareness tailored for audiences (commercial, operations, support, engineering, and partners).
Customer, Audit & Regulatory Engagement
Support customer security assessments, RFPs, due diligence, and contract negotiations for opportunities, ensuring accurate and consistent representation of Omnicell’s security posture.
Collaborate with Legal, Privacy, and Enterprise Security to provide timely, high‑quality responses to regulators, auditors, and key strategic customers.
Coordinate evidence collection and responses for audits and certifications whose scope includes the supported business units (e.g., HITRUST, SOC 2, ISO 27001, HIPAA-related assessments).
Help maintain and improve customer‑facing security narratives and documentation relevant to healthcare providers, health systems, and other regulated customers.
Incident Management, Business Continuity & Resilience
Act as a key security lead for incidents impacting systems, customers, or data, in accordance with global Incident Response policies and playbooks.
Coordinate with SecOps, Privacy, Legal, and leadership on triage, containment, remediation, and required customer or regulatory notifications (e.g., HIPAA breach notifications).
Ensure lessons learned from incidents and near misses are captured and drive durable improvements (policy updates, new controls, training, or process changes).
Partner with Enterprise Resilience / BCDR leaders to align continuity and recovery plans for operations with security and risk priorities.
Leadership, Influence & Culture
Build and maintain trusted relationships with general managers, functional leaders, IT, Product, and strategic partners.
Influence decision‑making by presenting clear, concise narratives on risk, options, and recommended paths that align with Omnicell’s risk appetite and customer commitments.
Mentor security champions and points of contact within business units to distribute ownership of security beyond Enterprise Security.
Champion a strong “security and privacy by design” culture across operations, reinforcing Omnicell’s core values (Do the Right Thing, Passionate Transformer, Relationships Matter, Intellectually Curious).
Qualifications & Experience
Preferred Qualifications
Working Conditions
Travel Requirements