Director - InfoSec Governance, Risk and Compliance - Hybrid

Option Care Health, Bannockburn, IL (Hybrid)

About The Position

The Director of Information Security Governance, Risk & Compliance (GRC) is responsible for leading the enterprise-wide information security and IT GRC program, ensuring protection of electronic Protected Health Information (ePHI) and alignment with regulatory, contractual, and risk management obligations. This role drives the design, implementation, and continuous improvement of a comprehensive GRC program that delivers measurable risk reduction, audit readiness, and control maturity across clinical, operational, and corporate environments. The Director works closely with IT, Business Operations, Compliance, Privacy, Legal, Internal Audit, and Enterprise Risk Management. The role has direct accountability for HIPAA security governance, NIST framework adoption, third-party risk management, SOX IT controls coordination, and business continuity and incident readiness.

Requirements

  • Bachelor’s degree required; Master’s degree in a relevant field preferred.
  • 10+ years of progressively responsible experience in information security, IT and InfoSec risk, governance, compliance, metrics, business continuity, and training.
  • 5+ years of direct management experience leading InfoSec and/or IT GRC teams.
  • Experience managing third‑party risk, business continuity programs, and security training initiatives.
  • Demonstrated experience managing enterprise information security risk, NIST‑aligned programs, SOC 2, and SOX ITGC environments.
  • Proven success implementing metrics‑driven GRC programs at scale.
  • Experience with GRC tooling, continuous control monitoring, M&A security due diligence, and AI governance programs.
  • Demonstrated experience with HIPAA Security Rule implementation and HITRUST CSF alignment.
  • Business acumen, with the ability to explain security initiatives, programs, and their impact to business leaders.
  • Exceptional written, verbal, and public speaking skills.

Nice To Haves

  • Professional certifications such as CISSP, CISM, CRISC, CISA, HCISPP, or HITRUST CCSFP.
  • Experience presenting to executive leadership.

Responsibilities

  • Lead the enterprise information security and IT risk management program, including identification, assessment, classification, and measurement of risks impacting healthcare operations and ePHI.
  • Lead the enterprise information security governance program, including development and maintenance of policies, standards, procedures, and control narratives.
  • Lead a scalable third‑party risk management program covering security and privacy assessments, risk tiering, remediation tracking, and continuous monitoring.
  • Lead enterprise‑wide security education and awareness programs for employees, contractors, and vendors.
  • Develop executive‑level metrics and dashboards that translate technical risk into business‑relevant insights.
  • Present security risk, compliance posture, and investment needs to leadership.
  • Provide governance oversight for incident response and lead enterprise tabletop exercises.
  • Expand the Data Governance program in alignment with privacy and compliance.
  • Support the AI Governance Committee with effective implementation of governance controls around enterprise AI use.
  • Maintain and govern the InfoSec and IT risk register, including risk ownership, treatment plans, and exception handling, and align it with Enterprise Risk Management.
  • Develop and maintain key risk and performance metrics (KRIs/KPIs), dashboards, and trend analyses demonstrating risk posture and maturity improvements.
  • Lead control maturity and compliance programs aligned to NIST CSF, SOC 2, SOX IT General Controls (ITGC), and other applicable regulatory or assurance frameworks.
  • Coordinate external audits and assessments, serving as the primary liaison for auditors and assessors.
  • Identify and research potential performance improvement opportunities by leveraging security benchmarks and best practices.
  • Lead, mentor, and develop a high‑performing GRC team.

Benefits

  • Medical, Dental, & Vision Insurance
  • Paid Time Off
  • Bonding Time Off
  • 401K Retirement Savings Plan with Company Match
  • HSA Company Match
  • Flexible Spending Accounts
  • Tuition Reimbursement
  • myFlexPay
  • Family Support
  • Mental Health Services
  • Company Paid Life Insurance
  • Award/Recognition Programs