What we offer
In addition to a competitive salary and a rewarding career where you can truly make a difference, we offer a comprehensive package that meets the various needs of our diverse employees, including:
-
Ability to participate in inclusive employee-led networks to educate, inspire, amplify voices, build relationships and provide development opportunities;
-
Minimum three (3) weeks of paid annual vacation days, increasing with years of service;
-
Four (4) paid personal days;
-
Defined benefit pension plan with OMERS, includes 100-per-cent employer matching;
-
Health and dental benefits, including a health spending account available upon your start date;
-
Employee and family assistance program;
-
Maternity and parental leave top up (93% of base salary);
-
Training and development programs including tuition reimbursement of $1500 per calendar year.
-
Fitness membership discount;
This job offers the opportunity to work from home as part of a hybrid work arrangement. This arrangement will allow you to work some days at a TCHC work location and the rest of the time from home. The amount of time required to work at a TCHC work location is flexible, while considering operational and service delivery requirements.
Make a difference
Reporting to the Senior Manager, Governance, Risk and Compliance (GRC), the Security Advisor is responsible for establishing and governing a risk-based vulnerability management lifecycle covering identification, assessment, prioritization, remediation tracking, validation, reporting, and continuous improvement. The position translates technical vulnerabilities into business risk, ensures SLA/SLO adherence, manages exception and risk acceptance processes, and delivers executive-level reporting on cyber risk exposure.
Key areas of focus include:
-
Participate in security assessments on our in-house developed products as well as procured products.
-
Participate in the planning and design of enterprise security architecture, where appropriate.
-
Ensure vulnerability scans are scheduled and cover all in-scope assets.
-
Review vulnerability findings to confirm accuracy and remove false positives.
-
Apply risk-based prioritization to vulnerabilities using severity, exploitability, and business impact.
-
Track vulnerabilities through the full lifecycle from identification to closure and coordinate with IT, cloud, and application teams to clarify findings and confirm remediation actions.
-
Validate that vulnerabilities have been resolved by reviewing evidence and confirming re-scan results.
-
Identify recurring vulnerabilities or systemic issues such as patching gaps or misconfigurations.
-
Participate in the information security incident response process and support communication of TCHC’s cybersecurity program.
-
Knowledge of legislation (MFIPPA), regulations, policies, procedures, interpretations and apply applicable orders of the Information and Privacy Commissioner of Ontario.
The incumbent will work with a high degree of autonomy, engaging with stakeholders at all levels within TCHC and contributing to the continuous improvement of TCHC’s cyber security posture.
What you’ll do
-
Enterprise VM Governance & Leadership
-
Establish and govern VM framework, standards, procedures and lifecycle
-
Align VM program to IT and Cyber strategy
-
Monitor SLA, escalation and risk acceptance governance
-
Provide advisory to IT and business teams
-
Vulnerability Identification & Assessment
-
Oversee scanning across IT, OT, cloud and applications
-
Ensure asset coverage and scan completeness
-
Analyze vulnerabilities and assess business impact
-
Support Pen testing exercises
-
Risk Prioritization & Remediation Oversight
-
Develop prioritization models (CVSS + business context)
-
Coordinate with remediation teams
-
Track SLA adherence and escalate issues
-
Validate remediation through rescans
-
Improve scanning quality and reduce false positives
-
Conduct root cause analysis
-
Maintain vulnerability register and exceptions
-
Report KPIs (MTTR, SLA, backlog)
-
Produce executive dashboards including reporting, Metrics & KPIs
-
Ensure alignment to NIST, ISO and policies
-
Maintain procedures and documentation
-
Participates in after-hours and on-call schedule
What you’ll need
-
Undergraduate degree (or equivalent experience) in Information Technology, Computer Science, Engineering, Business, or a related field. Information security-specific coursework is an asset.
-
One or more security certifications in good standing, including but not limited to: CEH (Certified Ethical Hacker), EC-Council ECSA, GIAC/SANS certifications, CompTIA CySA+, CISSP, CCSK, or industry equivalents.
-
5+ years of progressive information security experience in an enterprise environment including security program development, risk and vulnerability analyses, system design, and security architecture.
-
Minimum 2 years in an information security position within a medium to large organization.
-
Demonstrated experience conducting cyber risk assessments, maintaining risk registers, and producing risk reports for management audiences.
-
Exposure to security operations activities including SIEM, EDR, vulnerability management, or incident response support.
-
Demonstrable experience conducting security reviews, implementing information security recommendations, analyzing technical controls, and applying security control standards.
-
Experience working within regulatory or legislative compliance environments (MFIPPA, PIPEDA, or equivalent privacy legislation is an asset).
-
Experience working on solutions that support verticals such as government, finance, human resources, and information management is preferred.
-
Excellent written and verbal communication skills; ability to produce high-quality policies, reports, and proposals for both technical and non-technical audiences.
-
Ability to build effective working relationships with internal and external stakeholders and to affect change in a positive and constructive manner.
Nice to have:
-
Experience with vulnerability management platforms (e.g., Tenable, CrowdStrike, Zscaler, or similar).
-
Familiarity with cloud security principles and hybrid infrastructure risk considerations.
-
Experience with threat intelligence platforms and threat hunting methodologies.
-
Experience with threat intelligence platforms and contextualized risk prioritization methodologies.
-
Exposure to security investigation or digital forensics activities in an enterprise environment.
-
Additional security industry certifications or vendor-specific security product certifications would be considered an asset
What’s next
Once you apply, we’ll review your resume and contact you if we believe your skills and experience will make you successful in the role. If you are selected to move forward, the process will include one or more interviews and/or assessments and reference checks.
INDS