Director, Information Security Assurance

About The Position

Requirements

• Bachelor's degree in Information Security, Computer Science, or a related field; Master's degree preferred.
• Minimum of 10 years of experience in information security, with at least 5 years in a leadership role.
• Professional certifications such as CISSP, CISM, CISA, CRISC, or equivalent.
• In-depth knowledge of information security management frameworks and standards (e.g., HITRUST, HIPAA, ISO/IEC 27001, NIST CSF).
• Familiarity with the convergence of various cyber control frameworks and the generation of control requirements in the context of risk management.
• Proven experience in risk management, compliance, and governance.
• Strong leadership, communication, and interpersonal skills.
• Ability to manage multiple priorities and work effectively in a fast-paced environment.
• Excellent analytical and problem-solving abilities.

Responsibilities

• Develop and implement a comprehensive security assurance strategy aligned with the organization's business objectives.
• Lead and mentor a team of security assurance professionals, fostering a culture of continuous improvement and professional development.
• Serve as a key advisor to senior leadership on security assurance matters.
• Identify, assess, and prioritize security risks across the organization.
• Develop and implement strategies for information security risk management, ensuring alignment with threat-driven, risk-based technical, compliance and business requirements, while providing risk-informed guidance.
• Develop and implement risk mitigation strategies and controls.
• Conduct regular risk assessments and security audits to ensure compliance with internal policies and external regulations.
• Responsible for meeting SLA's for client attestations and security questionnaires.
• Maintain up-to-date knowledge of industry standards, regulatory requirements, and emerging threats to inform risk assessment and remediation processes.
• Ensure compliance with relevant regulatory requirements, industry standards, and best practices (e.g., HIPAA, NIST, ISO 27001, GDPR, etc.).
• Develop, implement, and maintain enterprise security policies, procedures, and standards.
• Coordinate and lead internal and external audits (HISTRUST, SOC 2 - Type II, PCI), and manage remediation efforts for any identified gaps.
• Familiar with using and implementing GRC tools for audits and evidence management.
• Oversee the development and execution of security assurance programs, including vulnerability management, penetration testing, and security assessments.
• Develop and maintain metrics and report mechanisms to track the effectiveness of security assurance activities.
• Collaborate with other departments to ensure security controls are integrated into business processes and systems.
• Lead the incident response team in the investigation and resolution of security incidents.
• Develop and maintain incident response plans and procedures.
• Conduct post-incident analysis and implement lessons learned to improve security posture.
• Build and maintain relationships with key stakeholders, including IT, legal, privacy, compliance, and business units.
• Communicate security risks and assurance activities to stakeholders in a clear and effective manner.
• Represent the organization in industry forums and working groups related to security assurance.