Cyber Security Manager

Hybrid
$150,000 - $170,000/annual
Senior Level
Full-Time

Top Benefits

Paid Time Off
Extended Health Benefits
Dental Benefits

About GroupHEALTH

At GroupHEALTH, we're proud of the work we do – but it's how we do it that truly sets us apart. We're a fast-moving, ever-evolving, stable organization with deep roots and a bold vision: to transform the way Canadians experience benefits. We combine agility with long-term stability to create meaningful impact.

Here, you'll find more than just a job. You'll find a purpose-driven, people-first culture where kindness, collaboration, and curiosity thrive. Whether you've been here fifteen years or fifteen days, you'll notice right away – our people are genuinely invested in one another's success and delivering exceptional experiences to our clients and plan members.

About the Role

The Cyber Security Manager will lead the development and implementation of our cybersecurity strategy, owning overall security posture and playing a crucial role in safeguarding our company. The Cyber Security Manager will be responsible for establishing and implementing robust security processes, developing policies, and building an Information Security Management System (ISMS). In this role, you will work on our existing roadmap of findings to identify and address security gaps, enhance our security posture, and ensure the protection of our valuable assets.

This is a hybrid role based out of our Surrey office, working a blend of days in office and days from home.

What to Expect in Your First 3 Months

First 30 Days:

  • Compute a baseline composite score across all six KPI domains and present to the CIO with a gap analysis and 90-day improvement plan.

First 60 Days:

  • Hire and onboard the Security Analyst and Security Engineer, with each team member receiving clear 90-day objectives within their first week.
  • Develop and present the 12-month Cyber Security roadmap covering all six NIST CSF 2.0 functions, tool procurement, and maturity milestones by Day 45.

First 90 Days:

  • Deliver the first quarterly cyber security report to the board risk committee covering the composite score baseline, top risks, PIPEDA compliance status, and Munich Re alignment summary.
  • Oversee Security Analyst development of the GroupHEALTH policy suite, with all core policies approved by the CIO and communicated to all staff and entity presidents by Day 75.
  • Identify all Tier 1 vendors across all 10 entities, initiate security questionnaires, and launch a Microsoft EASM or UpGuard evaluation by Day 75.

What You'll Do

  • Establish and support an effective cybersecurity program aligned with industry best practices, regulatory requirements, and organizational objectives
  • Develop, document, and implement comprehensive security policies, standards, and procedures to protect information assets
  • Develop, implement, and monitor an ISMS program to ensure the confidentiality, integrity, and availability of sensitive data owned, controlled, or processed by the organization
  • Serve as the primary point of contact and responsible party for cyber and information security across the organization
  • Contribute to the development and oversight of a global security management strategy and framework
  • Oversee third-party reviews and risk assessments to ensure comprehensive evaluation of security risks
  • Lead business compliance efforts for security, including supporting regular risk assessments to identify potential vulnerabilities, threats, and areas for improvement, and developing action plans to mitigate identified risks
  • Develop a metrics and reporting framework to measure cybersecurity and governance KPIs and KRIs, including tracking industry trends and best practices
  • Collaborate with cross-functional teams and the Privacy and Risk team to ensure security requirements are integrated into system development and business processes
  • Provide guidance and support to technical teams in the design and implementation of security systems, networks, and applications
  • Stay current with the latest industry trends, emerging threats, and security technologies, and adjust the organization's security strategy accordingly
  • Develop and deliver a security training and awareness program to promote a culture of security and influence behavior that reduces cyber and information security risk
  • Monitor and respond to security incidents, conduct investigations, and lead incident response activities to effectively manage incidents to an acceptable resolution
  • Work with internal and external stakeholders, including auditors and regulators, to ensure compliance with relevant security standards, laws, and regulations
  • Ensure technology, processes, and governance are in place to monitor, detect, prevent, and react to current and emerging technology and security threats
  • Maintain effective communication channels with management of both GroupHEALTH and the parent company to report on cybersecurity initiatives, risks, and progress
  • Produce the monthly security input for the CIO's IT Executive Dashboard
  • Lead, develop, and manage the Security Analyst and Security Engineer
  • Manage all Cyber Security vendor relationships and Pen Testing engagements
  • Serve as the primary escalation point for all P1 and P2 security incidents, including availability outside business hours for P1 events
  • Lead P1 incident response and coordinate breach notification obligations under PIPEDA, and relevant contracts and agreements including Beneva and Munich Re
  • Ensure post-incident reviews are completed within 5 business days for every P1 and P2 event

What We're Looking For

  • Bachelor's degree in Information Security, Computer Science, or a related field; equivalent experience considered
  • CISSP or CISM preferred; AZ-500 (Microsoft Azure Security) or SC-200 (Microsoft Security Operations) is a strong asset
  • 7–10 years of progressive security experience in enterprise or regulated industry environments
  • Prior team leadership required; experience presenting to board-level audiences required
  • Insurance, healthcare, or financial services industry experience strongly preferred
  • Solid understanding of security best practices and international standards such as ISO 27001 and NIST
  • Cyber security consulting background is an asset
  • Knowledge and experience in Security Training and Awareness, Security Governance, and Security Incident Management
  • Basic knowledge of laws and regulations applicable in the area of responsibility
  • Advanced knowledge of organization, technology controls, security, and risk issues
  • Demonstrated ability to lead complex, comprehensive, or large-scale projects and initiatives
  • Strong customer orientation, negotiating, and problem-solving skills
  • Strong planning, organizational, and presentation skills
  • Excellent command of business English, both spoken and written

Critical Competencies

You will succeed in this role if you are:

  • An Effective Communicator – You communicate clearly, positively, and respectfully, building relationships through tact and diplomacy. You navigate difficult conversations with care, and you're experienced at translating technical concepts for non-technical audiences.
  • An Organized Professional – You invest in upfront planning to achieve goals and objectives, schedule work in an efficient and productive manner, and stay focused on key priorities to meet deadlines.
  • A Strategic Thinker with Business Acumen – You translate technical risk into financial impact, balance security rigor with business pragmatism, and think 12–18 months ahead to anticipate the threat landscape and position the program accordingly.
  • A Collaborator & Influencer – You build genuine relationships with GroupHEALTH Family of Companies leaders, IT teams, and staff without relying on direct authority to drive outcomes.
  • An Incident Management & Ownership Leader – You remain calm, decisive, and clear during P1 incidents, coordinate response effectively, and take full accountability for outcomes including the composite security score.
  • A People Developer – You invest genuinely in the growth of the Security Analyst and Security Engineer, treating their capability development as a core accountability.

Compensation

At the time of this posting, the estimated annual base salary for this position is $150,000-$170,000. Individual compensation within this range is determined by factors such as job-related skills, relevant experience, and education/training. This range reflects the annual base salary only and does not encompass the comprehensive total rewards package that we proudly offer.

Why Join Us

  • Beyond salary, we offer generous paid time off, extended health and dental benefits, RRSP matching, and flexible work options
  • Wellness support, including comprehensive mental health resources, to prioritize your well-being both in and out of the workplace
  • A supportive culture with opportunities to grow, where our team members feel valued and empowered to thrive

Accommodation and Inclusion

GroupHEALTH is committed to equity, diversity, and inclusion. If you need accommodation during any stage of the hiring process, please let us know! We're here to help.

If you're ready to do meaningful work and grow your career with GroupHEALTH, we'd love to hear from you. Click Apply to submit your application.