Edtech.com's Summary

The University of Delaware is hiring a Director of Governance, Risk, Compliance, and Security Architecture. The role leads the enterprise information security program, ensuring regulatory compliance and effective risk management while serving as the designated HIPAA Security Officer. It oversees security architecture across various environments and partners with stakeholders to align security measures with institutional priorities.

Highlights

Lead enterprise Information Security Governance, Risk, and Compliance (GRC) program.
Establish security policies aligned with frameworks like NIST, HITRUST, ISO 27001.
Serve as designated HIPAA Security Officer overseeing safeguards and compliance.
Own security architecture functions including design standards and secure-by-design principles.
Collaborate with Legal, Privacy, IT, Cloud, Application, and Security Operations teams.
Develop and report risk and compliance metrics to senior leadership.
Manage budgets and vendor relationships related to GRC and security architecture.
Require bachelor's degree in Information Security or related field; Master's preferred.
Seven years of progressive information security and leadership experience; certifications like CISSP or CISM preferred.
Experience with healthcare, higher education, and regulatory environments is advantageous.

Director GRC & Security Architecture Full Description

Pay Grade: 33S

Context of Job:

The Director of GRC and Security Architecture is a senior leadership role responsible for governing the organization’s information security risk, compliance, and architectural security posture. This role provides enterprise-wide leadership across governance, risk management, regulatory compliance (including HIPAA), and security architecture to ensure security controls are designed, implemented, and operating effectively in support of business, academic, and clinical objectives.

Serving as the designated HIPAA Security Officer, this role partners closely with Legal, Privacy, Compliance, IT, Cloud, Application, and Security Operations teams to ensure regulatory readiness, risk-informed decision-making, and secure-by-design technology architecture across on-premises, cloud, and SaaS environments.

This position reports to the Chief Information Security Officer of the University.

Major Responsibilities:

Governance, Risk & Compliance (GRC)

Lead the enterprise Information Security Governance, Risk, and Compliance (GRC) program.
Establish and maintain security policies, standards, procedures, and control frameworks aligned with NIST, HITRUST, ISO 27001, and other applicable frameworks.
Oversee enterprise risk assessments, third-party risk management, and control effectiveness evaluations.
Translate regulatory, legal, and contractual requirements into actionable security controls and architectural standards.
Ensure ongoing compliance with applicable regulations and standards, including HIPAA, PCI DSS, FERPA, SOC 2, and FIPS-140, as applicable

HIPAA Security Officer Responsibilities

Serve as the organization’s designated HIPAA Security Officer.
Oversee administrative, technical, and physical safeguards required under the HIPAA Security Rule.
Partner with Privacy, Legal, Compliance, and Health IT leadership on risk analyses, remediation plans, and regulatory inquiries.
Support audits, investigations, and compliance reviews related to protected health information (PHI).
Ensure appropriate security awareness and HIPAA training programs are developed and delivered across the organization.
Security Architecture & Secure Design
Own and lead the security architecture function, defining enterprise security architecture principles, reference architectures, and design standards.
Review and approve security architecture for new systems, applications, cloud services, and major technology initiatives.
Ensure security is embedded early in system lifecycle activities through secure-by-design and defense-in-depth principles.
Partner with infrastructure, cloud, application, and DevOps teams to integrate security requirements into platforms and solutions.
Guide architectural decisions related to identity, network segmentation, encryption, key management, logging, and data protection.

Strategic Planning & Program Leadership

Contribute to and lead multi-year security strategy and roadmap development in alignment with organizational objectives.
Actively participate in enterprise security and risk governance forums, advising executive leadership on risk posture and architectural trade-offs.
Balance risk reduction with operational efficiency, usability, and institutional mission requirements.
Serve as a trusted advisor to schools, departments, and business units on risk and architectural security decisions.

Oversight of Security Technologies & Controls

Provide governance and oversight for security technologies supporting risk management, compliance, and architectural controls.
Ensure alignment between security architecture standards and operational security tooling.
Evaluate new security technologies and frameworks to address evolving regulatory and threat landscapes.

Metrics, Reporting & Communication

Develop and report meaningful risk and compliance metrics to senior leadership and governance committees.
Communicate complex security and compliance topics clearly to technical and non-technical stakeholders.
Provide executive-level reporting on risk trends, compliance posture, and architectural maturity.

Leadership & Talent Development

Lead and develop GRC and security architecture professionals.
Establish clear role definitions, performance expectations, and professional development pathways.
Foster a culture of accountability, continuous improvement, and collaboration across security and IT teams.

Budget, Vendor & Resource Management

Manage budgets associated with GRC, compliance, and security architecture programs.
Oversee vendor relationships related to risk management, compliance tooling, and architectural services.
Ensure responsible financial stewardship and alignment with strategic priorities.

Qualifications:

Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field (Master’s preferred).
Seven years of progressive experience in information security, risk management, or IT, including leadership roles.
Demonstrated experience leading GRC programs, regulatory compliance efforts, and enterprise risk management.
Strong knowledge of HIPAA Security Rule, PCI DSS, and related regulatory frameworks.
Proven experience defining and governing security architecture across enterprise and cloud environments.
Excellent written and verbal communication skills, including executive-level presentations.
Experience supporting healthcare, higher education, or regulated enterprise environments preferred.
Hands-on experience with NIST, HITRUST CSF, ISO 27001, SOC 2, and third-party risk frameworks preferred.
Professional certifications such as CISSP, CISM, CRISC, or equivalent preferred.
Experience partnering closely with SOC, IR, Privacy, and Legal teams preferred.
Demonstrated success leading organizational change and maturing security governance programs preferred.

Original Job Description

Pay Grade: 33S

Context of Job:

Major Responsibilities:

Governance, Risk & Compliance (GRC)

Lead the enterprise Information Security Governance, Risk, and Compliance (GRC) program.
Establish and maintain security policies, standards, procedures, and control frameworks aligned with NIST, HITRUST, ISO 27001, and other applicable frameworks.
Oversee enterprise risk assessments, third-party risk management, and control effectiveness evaluations.
Translate regulatory, legal, and contractual requirements into actionable security controls and architectural standards.
Ensure ongoing compliance with applicable regulations and standards, including HIPAA, PCI DSS, FERPA, SOC 2, and FIPS-140, as applicable

HIPAA Security Officer Responsibilities

Serve as the organization’s designated HIPAA Security Officer.
Oversee administrative, technical, and physical safeguards required under the HIPAA Security Rule.
Partner with Privacy, Legal, Compliance, and Health IT leadership on risk analyses, remediation plans, and regulatory inquiries.
Support audits, investigations, and compliance reviews related to protected health information (PHI).
Ensure appropriate security awareness and HIPAA training programs are developed and delivered across the organization.
Security Architecture & Secure Design
Own and lead the security architecture function, defining enterprise security architecture principles, reference architectures, and design standards.
Review and approve security architecture for new systems, applications, cloud services, and major technology initiatives.
Ensure security is embedded early in system lifecycle activities through secure-by-design and defense-in-depth principles.
Partner with infrastructure, cloud, application, and DevOps teams to integrate security requirements into platforms and solutions.
Guide architectural decisions related to identity, network segmentation, encryption, key management, logging, and data protection.

Strategic Planning & Program Leadership

Contribute to and lead multi-year security strategy and roadmap development in alignment with organizational objectives.
Actively participate in enterprise security and risk governance forums, advising executive leadership on risk posture and architectural trade-offs.
Balance risk reduction with operational efficiency, usability, and institutional mission requirements.
Serve as a trusted advisor to schools, departments, and business units on risk and architectural security decisions.

Oversight of Security Technologies & Controls

Provide governance and oversight for security technologies supporting risk management, compliance, and architectural controls.
Ensure alignment between security architecture standards and operational security tooling.
Evaluate new security technologies and frameworks to address evolving regulatory and threat landscapes.

Metrics, Reporting & Communication

Develop and report meaningful risk and compliance metrics to senior leadership and governance committees.
Communicate complex security and compliance topics clearly to technical and non-technical stakeholders.
Provide executive-level reporting on risk trends, compliance posture, and architectural maturity.

Leadership & Talent Development

Lead and develop GRC and security architecture professionals.
Establish clear role definitions, performance expectations, and professional development pathways.
Foster a culture of accountability, continuous improvement, and collaboration across security and IT teams.

Budget, Vendor & Resource Management

Manage budgets associated with GRC, compliance, and security architecture programs.
Oversee vendor relationships related to risk management, compliance tooling, and architectural services.
Ensure responsible financial stewardship and alignment with strategic priorities.

Qualifications:

Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field (Master’s preferred).
Seven years of progressive experience in information security, risk management, or IT, including leadership roles.
Demonstrated experience leading GRC programs, regulatory compliance efforts, and enterprise risk management.
Strong knowledge of HIPAA Security Rule, PCI DSS, and related regulatory frameworks.
Proven experience defining and governing security architecture across enterprise and cloud environments.
Excellent written and verbal communication skills, including executive-level presentations.
Experience supporting healthcare, higher education, or regulated enterprise environments preferred.
Hands-on experience with NIST, HITRUST CSF, ISO 27001, SOC 2, and third-party risk frameworks preferred.
Professional certifications such as CISSP, CISM, CRISC, or equivalent preferred.
Experience partnering closely with SOC, IR, Privacy, and Legal teams preferred.
Demonstrated success leading organizational change and maturing security governance programs preferred.

Let me find your next job.

Thanks - you're signed up.

Director GRC & Security Architecture

Edtech.com's Summary

Director GRC & Security Architecture Full Description

Associate Director, Cyber Defense - OIT

Information System Security Officer

Senior Security Engineer

Principal Research Security Architect

Chief Information Security Officer (CISO) (Re-Announcement)