Director, Information Security

Position Summary

The Director, Information Security, provides strategic, institutional leadership for National University’s information security and cyber risk management program. Reporting to the Associate Vice President (AVP), Information Security, this role is accountable for designing, governing, and advancing a comprehensive, risk‑based security program that protects the confidentiality, integrity, and availability of university information assets. The Director serves as the senior operational and strategic leader for all information security domains, including Security Engineering, Security Operations, Governance, Risk & Compliance (GRC), Identity & Access Management, and Third‑Party Risk Management.

They partner closely with executive leadership, IT, academic leadership, legal, privacy, and compliance stakeholders to ensure security is embedded into institutional strategy, operations, and culture.

Annual Salary: $87,923.00 - $

• Provides strategic leadership for the university’s enterprise information security program in alignment with institutional goals and risk appetite.
• Partners with the AVP, Information Security, to define long‑term security strategy, multi‑year roadmaps, and program maturity objectives.
• Serves as a senior advisor to IT and university leadership on cybersecurity risk, threat trends, and control effectiveness.
• Establishes and maintains security governance frameworks, policies, standards, and metrics aligned with recognized frameworks (e.g., NIST CSF, NIST 800‑53, ISO 27001).
• Leads institutional cybersecurity risk assessments and maturity evaluations, ensuring results inform investment and prioritization decisions.
• Provides executive‑level reporting and briefings on security posture, risk trends, incidents, and compliance status.

• Directs the design, implementation, and operation of security controls across on‑premises, cloud, and SaaS environments.
• Oversees security monitoring, detection, and response capabilities, including SIEM, endpoint protection, identity security, and network defense.
• Serves as executive lead for cybersecurity incident response, ensuring effective coordination, decision‑making, communications, and post‑incident improvement.
• Guides vulnerability management, penetration testing, and remediation strategies across the enterprise.
• Partners with Infrastructure, Applications, and Cloud teams to embed security into architecture, system design, and change management processes.

• Owns the university’s information security risk management program, including risk identification, assessment, treatment, and tracking.
• Ensures compliance with applicable regulatory and contractual requirements, including FERPA, GLBA, PCI‑DSS, HIPAA (as applicable), state privacy laws, and institutional policies.
• Leads internal and external security audits and assessments, coordinating remediation and executive reporting.
• Oversees the Third‑Party Risk Management (TPRM) program, ensuring vendors and partners meet institutional security expectations.
• Collaborates closely with Privacy, Legal, Compliance, and Data Governance stakeholders.

• Provides strategic oversight of identity and access management (IAM), role‑based access control (RBAC), and privileged access management.
• Ensures effective access lifecycle governance in partnership with HR, IT, and business units.
• Guides data protection strategies, including classification, access controls, and loss prevention capabilities.

• Champions a culture of shared responsibility for information security across the institution.
• Oversees security awareness and training initiatives in collaboration with institutional stakeholders.
• Represents Information Security on university committees, councils, and working groups related to technology, data, privacy, and risk.
• Maintains awareness of emerging threats, technologies, and regulatory developments to proactively advise leadership.
• Performs other duties as assigned.

• Provide…