Join us in shaping a healthier future for kids. At Children’s Hospital Association, we unite more than 200 member hospitals to put children first—advancing care, informing policy, and driving progress together.

Where You’ll Work

This position is based in our Lenexa, KS office. We use a hybrid working model: three days in the office, with two days of optional remote work.

What You’ll Do

The Director of Information Security & Risk is a senior strategic leader responsible for overseeing, securing, and continuously advancing the organization’s enterprise information security program. This role provides governance and risk leadership across the organization, with a strong focus on risk management frameworks, security governance and controls, protection of cloud-based data assets, and securing AI/ML systems and data analytics pipelines. The Director owns the design, scalability, and maturity of the enterprise security program, ensuring the protection of sensitive information, compliance with regulatory and contractual requirements, and the secure growth of cloud-based platforms, products, and services.

- Develop and execute a multi-year information security and risk management strategy aligned with organizational objectives, regulatory requirements, and recognized security frameworks.
- Oversee the development, implementation, and maintenance of enterprise security policies, standards, guidelines, and procedures.
- Translate legal, regulatory, and contractual requirements into enforceable technical security standards.
- Draft and enforce the Enterprise Information Security Policy (EISP) framework, ensuring it evolves alongside AI advancements and cloud scale.
- Lead enterprise risk assessments, identifying and mitigating security risks associated with data analytics (enterprise and member-facing data), third-party cloud vendors, and new technology adoption.
- Propose security policies, procedures, initiatives, and standards specific to regulatory compliance, loss and fraud prevention, and breach prevention in both security and privacy.
- Lead the strategy for securing hybrid/cloud environments and AI/ML model security, including training data protection and model inference monitoring.
- Oversee data governance, classification, and secure data-sharing models for enterprise data platforms.
- Manage annual compliance audits (SOC 2 Type II and NIST risk audit).
- Identify and address exposures to accidental or intentional destruction, disclosure, modification, or interruption of information that may cause regulatory compliance issues or serious financial and/or information loss.
- Create and maintain security system architecture design documentation.
- Stay current on new IT security trends and understand potential threats and control techniques.
- Identify risks across the technology stack and lead incident response teams to detect, analyze, and mitigate threats.
- Understand business needs, security risks, and the company’s risk tolerance, and balance them in a way that ensures business continuity and regulatory compliance.
- Manage security operations, including 24x7 monitoring, threat detection, and incident response, leading post-incident forensics and remediation.
- Coordinate active penetration tests; discover vulnerabilities in information systems and identify and implement solutions to resolve them.
- Provide enterprise leadership by partnering with IT, business, legal, and risk stakeholders to embed Security by Design across cloud, AI, and analytics development lifecycles.
- Develop and manage the information security budget, ensuring effective prioritization, scalability, and efficient use of resources.
- Communicate security strategy, risk posture, and performance metrics to executive leadership through regular updates and dashboards.
- Lead organization-wide security awareness and training programs to foster a strong culture of security and shared accountability.
Job Type: Full-time
Career Level: Director