Director GRC & Security Architecture

Context of Job

The Director of GRC and Security Architecture is a senior leadership role responsible for governing the organization’s information security risk, compliance, and architectural security posture. This role provides enterprise-wide leadership across governance, risk management, regulatory compliance (including HIPAA), and security architecture to ensure security controls are designed, implemented, and operating effectively in support of business, academic, and clinical objectives. Serving as the designated HIPAA Security Officer, this role partners closely with Legal, Privacy, Compliance, IT, Cloud, Application, and Security Operations teams to ensure regulatory readiness, risk‑informed decision‑making, and secure‑by‑design technology architecture across on‑premises, cloud, and SaaS environments. This position reports to the Chief Information Security Officer of the University.

Major Responsibilities

Governance, Risk & Compliance (GRC)

• Lead the enterprise Information Security Governance, Risk, and Compliance (GRC) program.
• Establish and maintain security policies, standards, procedures, and control frameworks aligned with NIST, HITRUST, ISO 27001, and other applicable frameworks.
• Oversee enterprise risk assessments, third‑party risk management, and control effectiveness evaluations.
• Translate regulatory, legal, and contractual requirements into actionable security controls and architectural standards.
• Ensure ongoing compliance with applicable regulations and standards, including HIPAA, PCI DSS, FERPA, SOC 2, and FIPS‑140, as applicable.

HIPAA Security Officer Responsibilities

• Serve as the organization’s designated HIPAA Security Officer.
• Oversee administrative, technical, and physical safeguards required under the HIPAA Security Rule.
• Partner with Privacy, Legal, Compliance, and Health IT leadership on risk analyses, remediation plans, and regulatory inquiries.
• Support audits, investigations, and compliance reviews related to protected health information (PHI).
• Ensure appropriate security awareness and HIPAA training programs are developed and delivered across the organization.

Security Architecture & Secure Design

• Own and lead the security architecture function, defining enterprise security architecture principles, reference architectures, and design standards.
• Review and approve security architecture for new systems, applications, cloud services, and major technology initiatives.
• Ensure security is embedded early in system lifecycle activities through secure‑by‑design and defense‑in‑depth principles.
• Partner with infrastructure, cloud, application, and DevOps teams to integrate security requirements into platforms and solutions.
• Guide architectural decisions related to identity, network segmentation, encryption, key management, logging, and data protection.

Strategic Planning & Program Leadership

• Contribute to and lead multi‑year security strategy and roadmap development in alignment with organizational objectives.
• Actively participate in enterprise security and risk governance forums, advising executive leadership on risk posture and architectural trade‑offs.
• Balance risk reduction with operational efficiency, usability, and institutional mission requirements.
• Serve as a trusted advisor to schools, departments, and business units on risk and architectural security decisions.

Oversight of Security Technologies & Controls

• Provide governance and oversight for security technologies supporting risk management, compliance, and architectural controls.
• Ensure alignment between security architecture standards and operational security tooling.
• Evaluate new security technologies and frameworks to address evolving regulatory and threat landscapes.

Metrics, Reporting & Communication

• Develop and report meaningful risk and compliance metrics to senior leadership and governance committees.
• Communicate complex security and compliance topics clearly to technical and non‑technical stakeholders.
• Provide executive‑level reporting on risk trends, compliance posture, and architectural maturity.

Leadership & Talent Development

• Lead and develop GRC and security architecture professionals.
• Establish clear role definitions, performance expectations, and professional development pathways.
• Foster a culture of accountability, continuous improvement, and collaboration across security and IT teams.

Budget, Vendor & Resource Management

• Manage budgets associated with GRC, compliance, and security architecture programs.
• Oversee vendor relationships related to risk management, compliance tooling, and architectural services.
• Ensure responsible financial stewardship and alignment with strategic priorities.

Qualifications

• Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field (Master’s preferred).
• Seven years of progressive experience in information security, risk management, or IT, including leadership roles.
• Demonstrated experience leading GRC programs, regulatory compliance efforts, and enterprise risk management.
• Strong knowledge of HIPAA Security Rule, PCI DSS, and related regulatory frameworks.
• Proven experience defining and governing security architecture across enterprise and cloud environments.
• Excellent written and verbal communication skills, including executive‑level presentations.
• Experience supporting healthcare, higher education, or regulated enterprise environments preferred.
• Hands‑on experience with NIST, HITRUST CSF, ISO 27001, SOC 2, and third‑party risk frameworks preferred.
• Professional certifications such as CISSP, CISM, CRISC, or equivalent preferred.
• Experience partnering closely with SOC, IR, Privacy, and Legal teams preferred.
• Demonstrated success leading organizational change and maturing security governance programs preferred.