Senior Director, Information Security

The Broad Institute•Cambridge, MA

19h•Hybrid

About The Position

The Senior Director, Global Information Security and Risk is the senior-most leader accountable for the organization’s enterprise-wide information security posture, risk management, and compliance maturity. Reporting to the CIO, this role provides strategic direction, technical authority, and operational oversight for security across enterprise IT, cloud platforms, research environments, and external partnerships. Operating at the intersection of academia and industry, the Senior Director ensures that security enables scientific innovation while meeting the expectations of commercial partners, regulators, and funding organizations. This role translates executive risk tolerance and institutional priorities into a coherent, defensible, and scalable security program, and ensures consistent execution through strong domain leadership across Enterprise & Cloud Security, Security Operations, and Risk management. The Senior Director is the primary authority on security risk, control effectiveness, and program maturity, and serves as a trusted advisor to executive leadership on the organization’s readiness to engage in increasingly complex industry partnerships. This role is a hybrid position, requiring 3 days a week onsite at our office in Cambridge, MA.

Requirements

Bachelor’s degree in Computer Science, Information Security, Engineering, or equivalent professional experience.
15+ years of progressive experience in information security, with at least 10+ years leading large, multi-domain security programs and teams.
Demonstrated experience operating at the senior executive level in complex, regulated, and research-driven environments.
Deep understanding of enterprise and cloud security architectures, identity and access management, data protection, detection and response, and vulnerability management.
Proven expertise in regulatory and assurance frameworks including HIPAA, NIST, ISO 27001, SOC 2, FISMA, and related standards, particularly in life sciences contexts.
Track record of building and leading senior security leadership teams and influencing organizational change at scale.
Experience managing significant security budgets, complex vendor ecosystems, and enterprise-wide security initiatives.
Strong executive communication skills, with the ability to clearly articulate technical risk and security posture to non-technical leaders and boards.
Pragmatic, risk-based approach to security that balances protection, usability, and scientific velocity.
CISSP required

Nice To Haves

Additional certifications such as CISM, CRISC, or cloud security credentials are strongly preferred.

Responsibilities

Define, own, and continuously mature the organization’s global information security and risk strategy, aligning security investments with institutional mission, growth objectives, and partnership requirements.
Establish and maintain a multi-year security roadmap that integrates enterprise, cloud, application, data, and operational security capabilities.
Own the enterprise security risk management program, including risk identification, assessment, prioritization, and reporting, and maintain the authoritative enterprise risk register.
Translate executive and board-level risk tolerance into actionable security architectures, control frameworks, and operational priorities.
Provide oversight and direction to Associate Directors and senior leaders across Enterprise & Cloud Security, Security Operations, and GRC, ensuring clear accountability and consistent execution.
Build, mentor, and sustain a high-performing security leadership team with strong technical depth and management capability.
Own the overall Information Security budget, including planning, prioritization, forecasting, and investment decision-making.
Govern strategic security tooling, vendor relationships, and managed service providers to ensure architectural coherence and measurable value.
Lead the maturation of the organization’s compliance and assurance posture, supporting frameworks such as HIPAA, NIST, ISO 27001, SOC 2, FISMA, and related standards.
Ensure security controls are not only compliant but operationally effective, repeatable, and auditable, supporting both regulatory obligations and partner due diligence.
Serve as the senior technical authority during audits, assessments, and industry partner security reviews.
Act as the primary security advisor to the CIO and executive leadership, providing clear, accurate insight into security posture, risk trends, and investment needs.
Develop and deliver executive- and board-level reporting on security risk, incidents, program maturity, and strategic initiatives.
Own executive-level oversight of security incident response, ensuring preparedness, effective coordination, and durable remediation.
Partner with Legal, Compliance and Data Privacy, Research, Engineering, IT, Finance, and external stakeholders to embed security into institutional initiatives by design.
Drive continuous improvement and security transformation through automation, standardization, and scalable security platforms.