Director of Information Security Compliance

University of Colorado Boulder

Location: Boulder, CO

Salary: Not specified

Type: Full-time

Posted: Today via LinkedIn

Job Description

Summary

Job Summary

The Office of Information Technology encourages applications for a Director of Information Security Compliance! This role is responsible for directing CU Boulder’s information security risk and compliance program. This role serves as the campus expert for cybersecurity compliance, risk governance and assurance, and translates regulatory, contractual, and policy obligations into a cohesive, risk-based enterprise program.

The Director ensures that cybersecurity compliance is consistent, auditable, and aligned with institutional risk tolerance, while enabling research, instruction, and administrative operations to proceed responsibly. This role acts on behalf of the ISO to integrate compliance, risk management, and assurance activities across the institution, serving as a bridge between technical security controls and institutional governance expectations. This is a senior level position that exercises independent judgment under the supervision of the ISO.

CU is an Equal Opportunity Employer and complies with all applicable federal, state, and local laws governing nondiscrimination in employment. We are committed to creating a workplace where all individuals are treated with respect and dignity, and we encourage individuals from all backgrounds to apply, including protected veterans and individuals with disabilities.

Vision

Who We Are

OIT will be valued by campus as a strategic, inclusive and innovative partner in advancing learning and discovery in order to enable CU Boulder to be an outstanding public university.

Mission

  • OIT enables campus priorities by providing high-value IT services and solutions.

Values

  • Trust, as a foundation for how we engage with one another and with campus partners, along with
  • Curiosity in how to better support the campus and our partners while
  • Encouraging empowerment and authentic engagement among ourselves and
  • Celebrating a culture that promotes a sense of belonging while acknowledging that each person is unique and valued.

Strategy

  • OIT will advance learning and discovery by delivering high-value reliable IT services and solutions that:
  • Provide a fluid and adaptable academic and student experience
  • Enable research competitiveness and
  • Deliver core infrastructure and enterprise IT services for business efficiency.

Responsibilities

What Your Key Responsibilities Will Be

Enterprise Risk & Compliance Program Leadership

  • Direct the enterprise information security risk and compliance program, ensuring alignment with institutional priorities, regulatory obligations, and evolving threat and compliance landscapes.
  • Establish and maintain a risk-based compliance framework that integrates the research, administrative, and regulated environments into a unified enterprise view.
  • Oversee identification, tracking, and reporting of cyber risks, including risk acceptance and escalation pathways.
  • In partnership with the Security & Identity leadership team, ensure campus leadership understands and has clear insight into risk posture, trends, and areas of noncompliance, with actionable recommendations.
  • Supervise four IT security analysts (plus 2 student employees). Supervision comprises selecting, training, managing, empowering, developing and mentoring staff; setting and holding staff accountable to objectives and key results and evaluating performance against these metrics; and performing day-to-day supervisory activities (leave approval, work prioritization, etc.).

Research Cybersecurity Assurance & Enablement

  • Work proactively and collaboratively with Export Control, Ethics & Compliance, Contracts & Grants, and peers within the Information Technology Security Office (ITSO) to sustain and enhance compliance with NIST 800-171, CMMC, DFARS, and other federal mandates impacting university researchers.
  • Serve as a strategic integrator between researchers, campus offices, and technical implementers, ensuring mutual understanding and alignment, effectuating cross-unit decision making and helping educate on the current infrastructure to guide future grant and research opportunities.
  • Provide information security guidance for CU Boulder’s contract and grant review process to guide and facilitate alignment of supporting systems and platforms with business needs and security requirements.

Policy & Outreach

  • Lead the development, maintenance, and enforcement of security policies, standards, and control expectations.
  • Translate external requirements (e.g., federal regulations, contractual clauses, system-wide mandates) into clear institutional obligations and decision frameworks.
  • Support executive decision making by framing cybersecurity compliance issues in terms of risk, impact, and institutional exposure.
  • Support campus‑wide information security awareness and training initiatives, including mandatory, role‑based, and remedial training, to support compliance with institutional policy and applicable regulatory requirements and to reduce organizational security risk.

What You Should Know

  • This position is in a hybrid work situation. Expected to work normal business hours with some flexibility, and may require after-hours work.
  • Visa sponsorship is not available for this position.
  • Due to the requirement to access export-controlled data and information, only U.S. citizens, lawful permanent residents (green cards), or other protected individuals (i.e., persons designated as an asylee, refugee, or a temporary resident under amnesty provisions) may apply.

What We Can Offer

The annual salary for this full-time position is $147,300 - $165,000.

Benefits

At the University of Colorado Boulder, we are committed to supporting the holistic health and well-being of our employees. Our comprehensive benefits package includes medical, dental, and retirement plans; generous paid time off; tuition assistance for you and your dependents; and an ECO Pass for local transit. As one of Boulder County’s largest employers, CU Boulder offers an inspiring academic community and access to world-class outdoor recreation. Explore additional perks and programs through the CU Advantage program.

Be Statements

Be ambitious. Be inspired. Be Boulder.

What We Require

  • Bachelor’s degree in information security, risk management, computer science, law, or related field (or equivalent experience). A combination of education and/or experience as described below can be substituted for the degree on a year for year basis.
  • 6+ years of experience leading cybersecurity, research IT security compliance, or risk management teams within higher education, government, or research settings.
  • Demonstrated expertise with cybersecurity requirements, including FERPA, IRB, CMMC, CUI, NIST SP 800-171, PCI, GLBA, and HIPAA.
  • Experience that includes a deep understanding of research data lifecycles, cybersecurity frameworks, and compliance standards.

What You Will Need

  • Knowledge of risk management processes (e.g., methods for assessing and treating risk).
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Knowledge of emerging security issues, risks, and vulnerabilities.
  • Knowledge of computer networking concepts and protocols, and network security methodologies.
  • Knowledge of higher education or research organization policies, practices and procedures, including reporting standard methodologies.
  • Skill in analyzing complex contracts, legal documents, and policies.
  • Skill in developing policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • Skill in communicating complex regulations and policies.
  • Skill in establishing relationships quickly and effectively across a broad constituency; a high degree of ease, sensitivity, and flexibility in working with partners across organizational lines.
  • Skill in interpersonal communication proven by effective interactions and clear articulation of organizational goals.
  • Ability to evaluate internal controls and understand organizational risk, implementing appropriate policies or procedures to ensure compliance.
  • Ability to collect and analyze data, develop performance measures and benchmarks, identify trends, and implement changes to achieve operational effectiveness.
  • Ability to organize work effectively, conceptualize and prioritize objectives, and exercise independent judgment based on an understanding of university policies and activities.
  • Ability to be a visibly involved leader with strong relationship skills, a reputation for visibility, integrity, and high ethical standards, who will rigorously uphold quality standards earning the trust of individuals within and outside CU.
  • Ability and commitment to collaborate with colleagues to find solutions to reduce risk and eliminate compliance barriers.

What We Would Like You To Have

  • Master’s or PhD in information technology, computer science, or a related field.
  • Ability to acquire a US Government security clearance.
  • Experience in higher education or research-intensive environments.
  • Experience coordinating with enterprise risk management and compliance offices.
  • Familiarity with ITIL and enterprise system architecture.
  • Professional certifications (e.g., CISSP, CISM, CISA).

Special Instructions

To Apply, Please Submit The Following Materials

  • A current resume.
  • A cover letter that specifically tells us how your background and experience align with the requirements, qualifications, and responsibilities of the position.

We may request references at a later time.

Please apply by April 10, 2026, for consideration.

Note: Application materials will not be accepted via email. For consideration, please apply through CU Boulder Jobs.

In compliance with the Colorado Job Application Fairness Act, in any materials you submit, you may redact or remove age-identifying information such as age, date of birth, or dates of school attendance or graduation. You will not be penalized for redacting or removing this information.
