Data Security Architect, Sr

We’re looking for a Senior Data Security Architect/GRC Analyst
, someone who’s ready to grow with our company.

The GRC Analyst will play a vital role within Information Security, supporting Texas Children’s governance, risk, and compliance initiatives. This position focuses on identifying and mitigating IT and cybersecurity risks, strengthening internal controls, and ensuring alignment with applicable regulatory, contractual, and industry standards. The analyst will collaborate closely with stakeholders across Information Services, as well as clinical and non-clinical departments, to maintain a strong security posture that protects Texas Children’s systems and sensitive information, ensuring patient care remains uncompromised.

This role operates within a healthcare environment that adheres to frameworks and requirements including the NIST Cybersecurity Framework (CSF), HIPAA Security Rule, Texas HHS Information Security Controls, Texas Department of Insurance (TDI) regulations, OPTN security expectations, Joint Commission standards, and Annual Financial Reporting Model Regulation (AFRMR).

Think you’ve got what it takes?

• Provide guidance on IT and cybersecurity risk-related matters, including identifying, assessing, and prioritizing risks across systems and business processes. Collaborate with business owners, service owners, control owners, and technical teams to design, implement, and maintain risk-mitigating controls that reduce exposure to threats and support organizational compliance objectives.
• Perform assessments of IT and security controls to verify effectiveness, ensure ongoing compliance, and identify opportunities for improvement.
• Support the execution and delivery of internal and external assurance activities such as audits, security assessments, certifications, and compliance reviews, ensuring control evidence and documentation are complete and accurate.
• Track, document, and report gaps, control exceptions, and issues; guide remediation activities and validate resolution to closure.
• Review and provide input on information security policies, standards, and procedures to ensure continued alignment with applicable laws, regulations, and industry frameworks.
• Provide advisory support to other GRC work streams such as vendor risk management, and security awareness, ensuring consistent control expectations across the enterprise.
• Offer guidance on implementing controls to mitigate risks associated with the use of AI technologies, including data privacy, model integrity, and algorithmic transparency, ensuring alignment with internal AI policies and applicable regulatory requirements.
• Serve as a subject matter expert to various departments and project teams, offering guidance on appropriate security, technical, and privacy controls that safeguard organizational assets and sensitive data.
• Develop or assist in creating executive-level presentations, reports, and dashboards that communicate cybersecurity performance, risk metrics, and control effectiveness to leadership for strategic decision‑making.
• Utilize enterprise GRC platforms such as Service Now GRC to manage risk and compliance workflows; familiarity with Data Loss Prevention (DLP), Data Classification, Shadow IT tools, and other cybersecurity tools is preferred.

• 3–5 years of experience in GRC, IT audit, information security, or risk management within a regulated industry (healthcare or insurance preferred).
• Working knowledge of frameworks such as NIST CSF, NIST SP 800-53, HIPAA Security Rule, and state or accreditation-based security standards (e.g., Texas HHS, TDI, Joint Commission).
• Familiarity with internal controls over financial reporting audit requirements such as SOX, AFRMR (MAR).
• Understanding of emerging AI governance and compliance considerations, with the ability to recommend appropriate controls to mitigate AI-related risks.
• Experience using GRC platforms (e.g., Service Now GRC, Archer, One Trust, or similar).
• Strong understanding of IT and security control domains (access management, configuration management, vulnerability management, incident response, asset protection, etc.).
• Excellent communication and presentation skills with the ability to translate technical details into business‑relevant insights.

• Required H.S. Diploma or GED
• Preferred
  
  Licenses/Certifications:
• CISSP -  Security Profes. ISC2
• SANS - Sys Admin, Audit, Network, Sec. SANS
• HCISPP –  ISC2
• Security+ CompTIA
• CCSP Cert.
  
  Cloud.
  
  Sec.
  
  Profes. ISC2
• SSCP Sys.
  
  Sec.
  
  Cert.
  
  Profes. ISC2
• Required 10 years' experience in information security, computer management, identity access management, or IS networking, including at least 5 years of information security experience

Note:

An associates degree will substitute for 2 years of experience. A bachelor's degree will substitute for 4 years of experience.