"Director, Information Security"

Brandeis University is hiring for the position of Director, Information Security. The Director of Information Security is responsible for developing, implementing, and managing the university’s information security program. This role ensures that institutional information assets, technology systems, and data are protected through policy, governance, risk management, technical controls, incident response, and security awareness. The Director leads cybersecurity personnel and collaborates with campus stakeholders to ensure adherence to regulatory and contractual requirements. The position works closely with academic and administrative leadership to balance security needs with the university’s mission of research, teaching, and openness, and operates under the leadership of the Associate CIO to help define Brandeis’ institutional risk posture. 

Core Responsibilities:

• Function 1 – Information Security Program Leadership, Governance, and Risk Management (35%) Develops, implements, and manages the university’s information security program including policies, standards, governance, and risk management activities. Serves as the primary ITS liaison to General Counsel, Risk Management, Internal Audit, and Public Safety on matters related to information security, compliance, and incident coordination. Prepares materials and provides updates for the Board of Trustees Risk and Audit Committee in coordination with the Associate CIO or CIO. Works closely with Identity and Access Management on authentication and authorization standards, while IAM operations remain under a separate reporting structure.
• Function 2 – Cybersecurity Operations, Threat Response, and Resilience (25%) Leads cybersecurity operations including threat monitoring, vulnerability management, and incident detection and response. Contributes security requirements and risk evaluations to business continuity and disaster recovery planning, including review of backup protection standards, cyber-resilience practices, and tabletop exercises. Coordinates with external partners such as law enforcement, government agencies, and incident-response organizations when required during major security events. Collaborates with Networking and Systems on infrastructure hardening standards, logging requirements, and review of changes with security impact.
• Function 3 – Regulatory Compliance, Risk Management, and Vendor Security (15%) Ensures regulatory, contractual, and compliance obligations are met, including FERPA, GLBA, state privacy laws, federal research security mandates, and other applicable standards. Oversees third-party vendor security assessments for procurement, contracting, and SaaS adoption, ensuring appropriate risk evaluation and mitigation. Supports development of research security controls and compliance frameworks in partnership with the Office of Research Administration and relevant federal guidelines.
• Function 4 – Campus Engagement, Security Advising, and Stakeholder Partnership (15%) Advises university leadership, faculty, researchers, and administrative units on security risks, emerging threats, and mitigation strategies that support secure teaching, research, and business operations. Builds strong partnerships with campus stakeholders to promote secure technology practices and integrate security considerations into institutional planning and decision-making.
• Function 5 – Security Awareness, Community Education, and Outreach (10%) Develops and delivers campus-wide security awareness, training, and outreach programs tailored to faculty, researchers, students, and staff. Promotes a culture of shared responsibility for cybersecurity across the institution.

Job Requirements:

• Bachelor's degree required. Master's degree preferred.
• 8+ years of experience required with 3-5 years of supervisory experience
• Knowledge of information security principles, risk management, compliance requirements (for example FERPA, GLBA), and cybersecurity frameworks (such as NIST or CIS Controls). Strong communication and collaboration skills with the ability to work with technical and non-technical stakeholders
• Responsible for directing work, assigning priorities, and conducting performance reviews for cybersecurity staff.
• Requires the ability to drive. Requires the ability to lift 50 pounds.
• May provide input on hiring, corrective action, and other employment decisions. This position makes decisions related to cybersecurity risk, incident response, and the implementation of technical and administrative security controls. The role provides recommendations to senior leadership on emerging threats, compliance obligations, and risk mitigation strategies and coordinates with legal, audit, research, and IT units on security-related matters.
• The position requires discretion, sound judgment, and the ability to balance institutional mission needs with security and compliance requirements.

The hiring range for the position is $160k-$174.8k.

Internal Number: R0012775