Senior Director, Cybersecurity

University Pension Plan•Toronto, ON

7d•Hybrid

About The Position

UPP is seeking an experienced and pragmatic cybersecurity leader to own and lead UPP’s end-to-end cybersecurity capability. This role is accountable for protecting the organization’s information and technology assets through effective strategy, governance, risk management, and security operations. Operating in a lean team environment, the Senior Director combines executive leadership with hands-on accountability for outcomes. The role requires a leader who can translate strategy into execution, ensuring that controls are not only well-designed but effectively implemented and operated. Reporting to the Managing Director, Data & Technology, this role acts as the first-line owner of cyber risk and a key partner to Enterprise Risk, Technology, and business leaders. This role is based in downtown Toronto in a hybrid work environment, allowing employees the flexibility to work remotely and in-office (minimum two days per week in-office). This posting is for an existing vacancy.

Requirements

Minimum 10–12 years of progressive cybersecurity experience, including leadership of enterprise cybersecurity programs.
Prior experience operating as a senior cybersecurity leader (e.g., Head of Cybersecurity or equivalent) with end-to-end accountability.
Strong knowledge of cybersecurity frameworks (e.g., NIST CSF) and Canadian regulatory expectations.
Demonstrated experience integrating cybersecurity into enterprise risk management and executive governance.
Experience managing and optimizing vendor-delivered cybersecurity services (e.g., MSSP, MSP).
Strong understanding of modern technology environments, including cloud (Azure, GCP), identity, and endpoint security.
Executive-level communicator with the ability to translate cyber risk into business impact and board-level discussions.
Strong leadership presence with the ability to operate as a peer to senior executives and influence enterprise decision-making.
Strategic thinker with a bias toward execution and measurable outcomes.
Comfortable operating as the senior cybersecurity leader in a lean organization, balancing breadth of accountability with depth of involvement.
Ability to move fluidly between strategy, governance, and operational execution.
Sound judgment and decision-making in high-pressure situations.
Strong leadership presence with the ability to influence across technical and non-technical stakeholders.

Nice To Haves

Experience in financial services, asset management, pension plans, or similarly regulated environments is strongly preferred.
Relevant certifications (e.g., CISSP, CISM, CISA) are considered an asset.

Responsibilities

Define and evolve UPP’s cybersecurity strategy and roadmap aligned to business priorities and risk appetite.
Translate strategy into clear priorities, funded initiatives, and measurable outcomes.
Ensure consistent execution and delivery of cybersecurity initiatives across internal teams and partners.
Act as the first-line owner of cybersecurity risk, including identification, assessment, and treatment.
Ensure controls are not only defined but implemented, operating effectively, and continuously improved.
Provide clear, decision-oriented reporting on risk posture, trade-offs, and emerging threats.
Develop and deliver high-quality cybersecurity reporting and presentations for executive leadership and the Board, translating technical risk into business impact, options, and decisions.
Be accountable for the effectiveness of security operations, including vendor-delivered SOC capabilities.
Ensure readiness to detect, respond to, and recover from cybersecurity incidents.
Lead or directly support response during significant incidents and drive improvements through post-incident reviews.
Maintain a pragmatic set of policies, standards, and control expectations aligned to UPP’s risk profile.
Ensure governance processes enable timely and informed decision-making.
Oversee assurance activities to validate control effectiveness and address gaps.
Embed security into architecture, cloud adoption, and change delivery processes.
Partner with Technology and business leaders to enable secure, risk-informed decision-making.
Balance security, speed, and cost in support of business outcomes.
Lead and develop a small internal team and a network of external partners.
Operate as a player-coach, stepping in as needed to ensure outcomes are achieved.
Ensure clarity of accountability across governance, risk, cyber training, security operations, engineering, and incident response.
Promote a strong, practical security culture across UPP.
Enable leaders to understand and act on cyber risk in business terms.
Build trusted relationships across Technology, Risk, and business stakeholders.