Associate Director, Application Risk and Compliance

About The Position

Requirements

• Bachelor's Degree in Computer Science, Business, or related major
• 5+ years of progressive experience in information security, IT risk management, or IT compliance.
• Direct experience with secure software development lifecycles (S-SDLC), application security frameworks, and technical vulnerability management (e.g., OWASP Top 10).
• Proven history of conducting IT risk assessments, developing risk mitigation strategies, and overseeing compliance against institutional or federal standards.
• Experience operationalizing data protection standards and interpreting privacy regulations such as GDPR, HIPAA, or FERPA in a technical environment.
• Deep understanding of applications security risks (OWASP Top 10), secure software development lifecycles, secure application integration standards, and common vulnerabilities across modern (cloud-native, AI-integrated) and legacy application stacks.
• Proficiency in modern identity and access management standards.
• Experience establishing automated 'Joiner-Mover-Leaver' workflows and centralized access review processes.
• Strong ability to interpret federal and state regulations (e.g., FERPA, HIPAA, GDPR) and translate them into actionable technical controls for application developers.
• Demonstrated ability to act as a consultative partner to technical leads while effectively presenting risk-based data and dashboards to non-technical executive leadership.
• Technical proficiency in leveraging CI/CD security integrations and automation tools to automate and simplify compliance for distributed teams.
• Proven ability to balance security requirements with business speed, using sound judgment to determine when to grant a waiver versus when to escalate a 'blocker' to leadership.
• Demonstrated ability to think strategically.
• Must be able to work well in a changing, ambiguous environment and practice creative problem-solving.
• Possess effective verbal and written communication skills.
• Demonstrated public speaking ability.
• Skilled at stakeholder and audience engagement at multiple levels.
• Demonstrated ability to excel in a fast-paced environment with competing priorities, while remaining flexible and proactive.
• Ability to accurately and consistently meet deadlines.
• Ability to build consensus among diverse constituencies.
• Ability to work effectively with technical teams to achieve desired outcomes.
• Ability to demonstrate tact and diplomacy in difficult situations.
• Demonstrated ability to work effectively with a diverse population within a multicultural environment.
• Established experience in information systems operational strategies by evaluating trends; establishing critical measurements, determining productivity, quality, and customer service strategies.

Nice To Haves

• Master's Degree in Computer Science, Business or related field
• Significant experience in higher education or in a large, distributed, and global organization.
• Experience serving as a primary security or compliance liaison for multiple diverse technical portfolios.
• Significant experience in higher education or in a large, distributed, and global organization.
• Advanced professional credentials such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC).
• Deep technical familiarity with secure coding practices and emerging technologies like AI and cloud-native security.
• Familiarity with GitHub Advanced Security (GHAS) features, including CodeQL, Secret Scanning, and Dependabot.
• Ability to configure GitHub Actions to automate security testing and enforce policy-as-code requirements within the developer workflow.

Responsibilities

• Provide strategic oversight and define validation and risk management frameworks.
• Partner with Institutional Solutions Group (ISG) application portfolio leads.
• Operationalize and oversee the implementation of application security and data privacy controls.
• Develop and implement standardized playbooks, templates, and tools.
• Validate that required controls are effectively in place across all ISG application portfolios.
• Aggregate risk data and provide comprehensive compliance reports and dashboards to executive leadership.
• Serve as a consultant and partner to application portfolio leads.
• Serve as a liaison between the Global Office of Information Security (GOIS) and application teams.