• Lead the enterprise Information Security Governance, Risk, and Compliance (GRC) program.
• Establish and maintain security policies, standards, procedures, and control frameworks aligned with NIST, HITRUST, ISO 27001, and other applicable frameworks.
• Oversee enterprise risk assessments, third-party risk management, and control effectiveness evaluations.
• Translate regulatory, legal, and contractual requirements into actionable security controls and architectural standards.
• Ensure ongoing compliance with applicable regulations and standards, including HIPAA, PCI DSS, FERPA, SOC 2, and FIPS-140, as applicable

HIPAA Security Officer Responsibilities

• Serve as the organization’s designated HIPAA Security Officer.
• Oversee administrative, technical, and physical safeguards required under the HIPAA Security Rule.
• Partner with Privacy, Legal, Compliance, and Health IT leadership on risk analyses, remediation plans, and regulatory inquiries.
• Support audits, investigations, and compliance reviews related to protected health information (PHI).
• Ensure appropriate security awareness and HIPAA training programs are developed and delivered across the organization.
  Security Architecture & Secure Design
• Own and lead the security architecture function, defining enterprise security architecture principles, reference architectures, and design standards.
• Review and approve security architecture for new systems, applications, cloud services, and major technology initiatives.
• Ensure security is embedded early in system lifecycle activities through secure-by-design and defense-in-depth principles.
• Partner with infrastructure, cloud, application, and DevOps teams to integrate security requirements into platforms and solutions.
• Guide architectural decisions related to identity, network segmentation, encryption, key management, logging, and data protection.

Strategic Planning & Program Leadership

• Contribute to and lead multi-year security strategy and roadmap development in alignment with organizational objectives.
• Actively participate in enterprise security and risk governance forums, advising executive leadership on risk posture and architectural trade-offs.
• Balance risk reduction with operational efficiency, usability, and institutional mission requirements.
• Serve as a trusted advisor to schools, departments, and business units on risk and architectural security decisions.

Oversight of Security Technologies & Controls

• Provide governance and oversight for security technologies supporting risk management, compliance, and architectural controls.
• Ensure alignment between security architecture standards and operational security tooling.
• Evaluate new security technologies and frameworks to address evolving regulatory and threat landscapes.

Metrics, Reporting & Communication

• Develop and report meaningful risk and compliance metrics to senior leadership and governance committees.
• Communicate complex security and compliance topics clearly to technical and non-technical stakeholders.
• Provide executive-level reporting on risk trends, compliance posture, and architectural maturity.

Leadership & Talent Development

• Lead and develop GRC and security architecture professionals.
• Establish clear role definitions, performance expectations, and professional development pathways.
• Foster a culture of accountability, continuous improvement, and collaboration across security and IT teams.

Budget, Vendor & Resource Management

• Manage budgets associated with GRC, compliance, and security architecture programs.
• Oversee vendor relationships related to risk management, compliance tooling, and architectural services.
• Ensure responsible financial stewardship and alignment with strategic priorities.

• Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field (Master’s preferred).
• Seven years of progressive experience in information security, risk management, or IT, including leadership roles.
• Demonstrated experience leading GRC programs, regulatory compliance efforts, and enterprise risk management.
• Strong knowledge of HIPAA Security Rule, PCI DSS, and related regulatory frameworks.
• Proven experience defining and governing security architecture across enterprise and cloud environments.
• Excellent written and verbal communication skills, including executive-level presentations.
• Experience supporting healthcare, higher education, or regulated enterprise environments preferred.
• Hands-on experience with NIST, HITRUST CSF, ISO 27001, SOC 2, and third-party risk frameworks preferred.
• Professional certifications such as CISSP, CISM, CRISC, or equivalent preferred.
• Experience partnering closely with SOC, IR, Privacy, and Legal teams preferred.
• Demonstrated success leading organizational change and maturing security governance programs preferred.