Director of Information Security

Reporting to the Sr. Director of Infrastructure & Operations, the Director of Information Security is a member of the IT leadership team and serves a key role in university leadership, working closely with senior administration, academic leaders, and the campus community.  The Director of Information Security is an advocate for Creighton University’s total information security needs and is responsible for the development and delivery of a comprehensive information security risk management program to optimize the security posture of the university.  

The Director of Information Security leads the development and implementation of a risk-based security program that leverages collaboration and campus-wide resources, facilitates information security governance, advises senior leadership on security direction and resource investments, and designs appropriate policies to manage information security risk.  

The complexity of this position requires a leadership approach that is engaging, imaginative, and collaborative, with a sophisticated ability to work with other leaders to set the best balance between security strategies and other priorities at the campus level.

Essential Functions

Security Strategy, Governance & Risk Management
•    Defines and executes the university’s multi-year information security strategy and roadmap.
•    Establishes governance structures, policies, standards, and risk management frameworks aligned with NIST and regulatory requirements.
•    Presents security posture, roadmap progress, and risk trends to Sr. Director of Infrastructure & Operations
•    Develop institutional risk models that reflect academic, clinical, and research environments.
Security Architecture & Engineering Oversight
•    Leads the design and engineering of technical controls, including SIEM, SOAR, EDR, logging pipelines, MFA, vulnerability management, email security, and administrative privilege management.
•    Ensures alignment with enterprise infrastructure, networking, cloud operations, and data governance teams.

Compliance & Regulatory Stewardship
•    Ensures cybersecurity compliance for HIPAA-aligned clinics, academic research, financial systems, and federal reporting requirements.
•    Leads security components of internal and external audits.
•    Creates institutional documentation, controls matrices, and evidence packages aligned with regulatory frameworks and accreditation needs.

Security Awareness, Culture & Academic Partnership
•    Develops institution-wide security training, awareness campaigns, and behavior-based education programs.
•    Builds strong relationships with colleges, schools, and clinical programs to support secure and compliant environments.
•    Encourages a campus culture of shared responsibility for cybersecurity.

Team Leadership & Talent Development
•    Leads security engineering, risk, compliance, and incident response teams.
•    Develops staff skillsets in threat detection, architecture, identity governance, cloud security, and compliance.
•    Fosters a culture of transparency, continuous improvement, and operational rigor.

Vulnerability Management & Remediation
•    Leads enterprise vulnerability identification, prioritization, and remediation workflows across servers, endpoints, networks, and cloud services.
•    Establishes risk-based SLAs, reporting dashboards, and remediation playbooks.
•    Partners with system owners, infrastructure engineering, and academic/clinical environments to implement secure baselines and configuration standards.

Qualifications

• Bachelor's Degree in Information Security and/or equivalent experience; Master's Degree preferred.
• Ten years or more experience as an Information Security Officer or lead IT Security engineer role, developing and administering an information security program.
• Should include:
  • Demonstrated experience advising and collaborating with senior management is required.  The ability to work in a team/collaborative environment with a broad range of constituencies is essential.
  • Extensive experience leading cybersecurity operations, incident response, and recovery initiatives.
  • Working knowledge and experience in policy and regulatory environment of information security, particularly in higher education, is highly desirable.
  • Deep understanding of the policy, compliance, and regulatory frameworks governing information security—particularly those impacting academic and research institutions.
  • Track record of designing, implementing, and advancing a comprehensive information security program aligned with institutional mission and risk posture.
  • Exceptional communication and collaboration skills, with the ability to effectively engage executive leadership, academic stakeholders, and cross-functional IT teams to drive alignment and shared accountability.
  • Demonstrated professional maturity and composure, with the capacity to lead decisively in challenging situations, respond constructively to feedback, and foster a culture of respect, integrity, and steady leadership.

Knowledge, Skills, and Abilities:

• Proven ability to lead and facilitate cross-campus advisory councils and governance committees, driving alignment on strategic initiatives and fostering collaborative decision-making.
• Experienced in building and developing high-performing teams, including talent acquisition, retention, coaching, and mentoring.
• Skilled in strategic sourcing, vendor partnerships, and managed service oversight, optimizing cost, performance, and compliance across complex technology ecosystems.
• Adept at prioritizing and deploying talent effectively across multiple initiatives to maximize impact, maintain operational resilience, and achieve institutional objectives.
• Cultivates strong, trust-based relationships with internal stakeholders and external partners through transparent communication, influence, and a customer-centric leadership approach.

Licenses/Certifications:

• CISSP or CISM Required
• GIAC certifications (GCIA, GCED, GCIH, GMON, or similar)
• Microsoft cybersecurity or identity certifications (SC-200, SC-300, AZ-500)
• Certified Cloud Security Professional (CCSP)
• ITIL Foundation (Required within 6 months)
   

Creighton University is committed to providing a safe and non-discriminatory educational and employment environment. The University admits qualified students, hires qualified employees and accepts patients for treatment without regard to race, color, religion, sex, marital status, national origin, age, disability, citizenship, sexual orientation, gender identity, gender expression, veteran status, or other status protected by law. Its education and employment policies, scholarship and loan programs, and other programs and activities, are administered without unlawful discrimination. Creighton complies with all applicable laws and regulations governing equal opportunity in the workplace and in educational activities.

Applicants with disabilities needing reasonable accommodations to complete the application or hiring process should contact Human Resources at [email protected]. Creighton University seeks candidates who understand, respect, and can contribute to the University's mission and values.