Director, IT Security & Compliance

About The Position

Requirements

• Bachelor’s degree in Information Security, Information Technology, Accounting, or related field (or equivalent experience).
• 10+ years of experience in IT security, compliance, IT audit, and/or third-party risk management.
• Strong hands-on experience with: SOC 1 / SOC 2 ISO 27001 HITRUST IT General Controls (ITGCs) Third-party/vendor risk management frameworks
• Proven experience managing IT audits and vendor risk assessments.
• Proven experience managing security compliance teams.
• Experience with GRC platforms and risk scoring methodologies (inherent vs. residual risk).
• Strong understanding of control environments and risk mitigation strategies.
• Excellent communication and stakeholder management abilities
• Ability to manage multiple priorities, audits, and vendor relationships simultaneously
• Detail-oriented with strong documentation and evidence management discipline

Nice To Haves

• Professional certifications such as: CISA (Certified Information Systems Auditor) CISSP, CISM, or CRISC
• Experience working with internal audit teams or public accounting firms.
• Experience in healthcare or other regulated industries.
• Familiarity with vendor risk tools and security rating platforms (e.g., BitSight, SecurityScorecard).
• Familiarity with IT development and operations management tools (e.g. JIRA, WIZ, MEND, OneTrust, CrowdStrike)

Responsibilities

• Certification & Audit Management Lead and manage all external certification audit processes, including ISO 27001, HITRUST, and SOC 1 / SOC 2.
• Serve as the primary point of contact for external auditors, certification bodies, and IT audit firms.
• Oversee IT audit readiness activities, including control design, documentation, and evidence management.
• Coordinate internal stakeholders to ensure timely and successful audit execution.
• Respond to client-driven audits and due diligence requests across all business lines.
• IT Audit Oversight & Governance Lead internal and external IT audit engagements, including planning, scoping, execution support, and reporting.
• Ensure alignment of IT controls with audit frameworks (e.g., SOC, ISO, HITRUST, NIST).
• Partner with Internal Audit and external auditors to facilitate efficient audit cycles.
• Review audit results, assess control effectiveness, and provide strategic recommendations.
• Establish and maintain audit documentation standards, including policies, procedures, and control narratives.
• Third-Party Risk Management (TPRM) Define and lead the enterprise third-party risk management program.
• Establish processes to assess and tier vendor risk based on data sensitivity, access, and business impact.
• Evaluate vendor risk through: Business owner–completed risk assessments Vendor-provided certifications (e.g., SOC 2, HITRUST) Independent vendor security scorecards
• Leverage GRC tools to calculate and track inherent risk and residual risk for all vendors.
• Review vendor control environments and identify gaps against organizational and regulatory requirements.
• Partner with business owners to ensure appropriate risk acceptance, mitigation, or remediation strategies are implemented.
• Monitor vendor risk posture continuously and reassess critical vendors on a defined cadence.
• Support procurement and legal teams in embedding security and compliance requirements into vendor contracts.
• Corrective Action & Findings Management Define, implement, and manage the internal corrective action plan (CAP) process.
• Track and drive remediation of findings from: IT audits (internal and external) Client audits Penetration tests Risk assessments Vendor risk assessments
• Ensure timely closure of identified gaps and maintain appropriate audit-ready documentation.
• Risk Assessment & Compliance Processes Develop, implement, and oversee internal risk assessment processes aligned with certification and audit requirements.
• Evaluate IT general controls (ITGCs), application controls, and security controls.
• Identify control gaps and provide remediation strategies aligned with audit expectations.
• Continuous Improvement Define and execute strategies for continuous improvement of compliance, audit, and third-party risk processes.
• Enhance control frameworks, documentation quality, and audit efficiency.
• Monitor evolving regulatory, audit, and industry requirements.
• Client & RFP Support Respond to external audit requests, security questionnaires, and RFPs across all business units.
• Translate audit and compliance posture into clear, client-facing responses.
• Partner with sales, legal, and operational teams to support business growth.
• Access Management Oversight Execute and oversee the quarterly user access review process.
• Ensure compliance with ITGC access control requirements.
• Validate adherence to least privilege and segregation of duties (SoD).
• KPI Development & Performance Management Define, implement, and monitor KPIs for compliance, audit, and third-party risk processes.
• Develop dashboards to track audit readiness, vendor risk posture, control effectiveness, and remediation progress.
• Provide regular reporting to executive leadership and stakeholders.