Director of Information Security Compliance
University of Colorado Boulder
Job Overview

Job Description
Job Summary
The Office of Information Technology at the University of Colorado Boulder is seeking a Director of Information Security Compliance to lead the campus's information security risk and compliance program. This role is crucial for establishing cybersecurity compliance, risk governance, and assurance, translating regulatory and contractual obligations into a cohesive, risk-based enterprise program. The Director ensures cybersecurity compliance is consistent, auditable, and aligned with institutional risk tolerance, supporting research, instruction, and administrative operations. This senior-level position acts on behalf of the ISO to integrate compliance, risk management, and assurance activities across the institution, serving as a liaison between technical security controls and institutional governance.
CU Boulder is an Equal Opportunity Employer committed to diversity and inclusion, encouraging applications from all backgrounds, including protected veterans and individuals with disabilities.
Who We Are
The Office of Information Technology (OIT) aims to be a strategic, inclusive, and innovative partner for the University of Colorado Boulder, advancing learning and discovery. We enable campus priorities by providing high-value IT services and solutions that enhance the academic and student experience, support research competitiveness, and deliver essential infrastructure for business efficiency.
Our Values
- Trust
- Curiosity
- Empowerment
- Belonging
Responsibilities
Enterprise Risk & Compliance Program Leadership:
- Direct the enterprise information security risk and compliance program, aligning with institutional priorities, regulatory obligations, and the evolving threat landscape.
- Establish and maintain a risk-based compliance framework integrating research, administrative, and regulated environments.
- Oversee the identification, tracking, and reporting of cyber risks, including risk acceptance and escalation.
- Partner with the Security & Identity leadership team to provide campus leadership with clear insights into risk posture, trends, and noncompliance, offering actionable recommendations.
- Supervise four IT security analysts and two student employees, managing all aspects of staff development, performance, and daily activities.
Research Cybersecurity Assurance & Enablement:
- Collaborate with Export Control, Ethics & Compliance, Contracts & Grants, and ITSO peers to ensure compliance with NIST 800-171, CMMC, DFARS, and other federal mandates impacting researchers.
- Act as a strategic integrator between researchers, campus offices, and technical implementers, fostering understanding and facilitating decision-making.
- Provide information security guidance for CU Boulder’s contract and grant review process.
Policy & Outreach:
- Lead the development, maintenance, and enforcement of security policies, standards, and control expectations.
- Translate external requirements into clear institutional obligations and decision frameworks.
- Support executive decision-making by framing cybersecurity compliance issues in terms of risk and institutional impact.
- Support campus-wide information security awareness and training initiatives to reduce organizational risk and ensure policy compliance.
What You Should Know
- This is a hybrid position with expected normal business hours and some flexibility, potentially requiring after-hours work.
- Visa sponsorship is not available.
- Due to export-controlled data access requirements, only U.S. citizens, lawful permanent residents, or designated protected individuals may apply.
What We Can Offer
The annual salary for this full-time position ranges from $147,300 to $165,000. Employees receive a comprehensive benefits package including medical, dental, and retirement plans, generous paid time off, tuition assistance, and an ECO Pass for local transit. CU Boulder offers an inspiring academic community and access to outdoor recreation.
What We Require
- Bachelor’s degree in information security, risk management, computer science, law, or a related field, or equivalent experience.
- 6+ years of experience leading cybersecurity, research IT security compliance, or risk management teams in higher education, government, or research settings.
- Demonstrated expertise with cybersecurity requirements including FERPA, IRB, CMMC, CUI, NIST SP 800-171, PCI, GLBA, and HIPAA.
- Deep understanding of research data lifecycles, cybersecurity frameworks, and compliance standards.
What You Will Need
- Knowledge of risk management processes.
- Knowledge of cybersecurity and privacy laws, regulations, policies, and ethics.
- Knowledge of emerging security issues, risks, and vulnerabilities.
- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of higher education or research organization policies and procedures.
- Skill in analyzing complex contracts, legal documents, and policies.
- Skill in developing policy, plans, and strategy.
- Skill in communicating complex regulations and policies.
- Skill in building relationships and collaborating effectively across organizational lines.
- Ability to evaluate internal controls and organizational risk.
- Ability to collect and analyze data and implement changes for operational effectiveness.
- Ability to organize work, prioritize objectives, and exercise independent judgment.
- Ability to be a visibly involved leader with integrity and strong ethical standards.
- Commitment to collaborating with colleagues to reduce risk and compliance barriers.
What We Would Like You To Have
- Master’s or PhD in information technology, computer science, or a related field.
- Ability to acquire a US Government security clearance.
- Experience in higher education or research-intensive environments.
- Experience coordinating with enterprise risk management and compliance offices.
- Familiarity with ITIL and enterprise system architecture.
- Professional certifications (e.g., CISSP, CISM, CISA).
Special Instructions
To apply, please submit a current resume and a cover letter detailing how your background aligns with the position requirements. References may be requested later. Applications must be submitted through CU Boulder Jobs by April 8, 2026.
Key skills/competency
- Information Security
- Compliance Management
- Risk Governance
- Cybersecurity
- NIST SP 800-171
- CMMC
- DFARS
- FERPA
- HIPAA
- Higher Education IT
How to Get Hired at University of Colorado Boulder
- Tailor your resume: Highlight experience in information security, compliance, and risk management within higher education or research settings. Emphasize expertise with NIST SP 800-171, CMMC, and DFARS.
- Craft a compelling cover letter: Specifically address how your background aligns with the responsibilities and qualifications outlined in the job description. Showcase your leadership and collaboration skills.
- Showcase your knowledge: Be prepared to discuss your understanding of risk management processes, relevant cybersecurity laws and regulations (FERPA, HIPAA, etc.), and emerging security issues.
- Demonstrate leadership: Highlight experience supervising teams, developing policies, and communicating complex technical and regulatory information to diverse stakeholders.