Governance, Risk & Compliance Director

TX-HHSC-DSHS-DFPS, Austin, TX
Posted 1d ago, Onsite

About The Position

This position is open to permanent residents or US citizens only. The GRC Director serves as the senior leader for Governance, Risk, and Compliance functions within the HHSC Office of the Chief Information Security Officer. This position directs enterprise cybersecurity governance frameworks, risk management programs, and compliance oversight to ensure HHSC information systems and services meet federal and state cybersecurity requirements, including NIST 800-53 Rev. 5, MARS-E 2.0, HIPAA, Texas DIR standards, and HHSC security policies. The role provides executive oversight of Authorization to Operate (ATO) governance, System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), Risk-Based Decisions (RBDs), Vendor Risk Management, Insider Risk Management, security awareness compliance, and audit readiness. The GRC Director ensures cybersecurity risks impacting confidentiality, integrity, and availability are consistently identified, documented, mitigated, or formally accepted in a defensible manner.

Requirements

  • Expert knowledge of NIST 800-53 Rev. 5, MARS-E 2.0, HIPAA Security Rule, and Texas DIR cybersecurity standards.
  • Advanced knowledge of Governance, Risk, and Compliance (GRC) frameworks.
  • Proven leadership skills in ATO governance, POA&M and SAR oversight, vendor risk, insider risk, and RBD processes.
  • Highly skilled with GRC tools such as Archer or equivalent platforms.
  • Ability to communicate cybersecurity risk to executive and non-technical stakeholders.
  • Ability to maintain the security and integrity of critical infrastructure systems by preventing unauthorized access and ensuring compliance with laws and regulations related to national security and foreign ownership restrictions.
  • Professional certifications: CISSP, CISM, CRISC, CISA, CGRC or GRCP.
  • Graduation from an accredited four-year college or university with major coursework in information technology security, computer information systems, computer science, management information systems, or a related field is strongly preferred. Education and experience may be substituted for one another on a year for year basis.
  • Seven (7) years of progressively responsible experience in: cybersecurity governance, risk, or compliance; security authorization (Authorization to Operate or ATO) processes; and Plan of Action and Milestones (POA&M) management.

Nice To Haves

  • Ten (10) or more years of cybersecurity GRC leadership experience.
  • Experience in state or federal government or healthcare environments.
  • Leadership experience in vendor risk and insider risk programs.
  • Experience briefing executives and supporting high-visibility audits.

Responsibilities

  • Direct HHSC’s enterprise cybersecurity governance, risk, and compliance programs.
  • Establish risk management frameworks, tolerance thresholds, escalation procedures, and reporting mechanisms.
  • Provide executive-level risk posture reporting and compliance dashboards.
  • Ensure alignment of cybersecurity governance with HHSC strategic objectives and regulatory obligations.
  • Lead and oversee ATO and ATO renewal processes for HHSC systems and applications.
  • Coordinate with system owners, ISSOs, assessors, auditors, and Authorizing Officials.
  • Validate ATO artifacts including SSPs, SARs, POA&Ms, and RBDs.
  • Facilitate executive risk acceptance and authorization decisions.
  • Direct lifecycle management of POA&Ms for remediation of security findings.
  • Review and validate SARs, compensating controls, and residual risk statements.
  • Monitor remediation progress and escalate overdue or systemic risk items.
  • Oversee development and maintenance of SSPs aligned with NIST and MARS-E.
  • Ensure SSPs accurately reflect system boundaries, implemented controls, and operating environments.
  • Provide authoritative guidance on control documentation standards.
  • Direct cybersecurity risk management for vendors and third-party service providers.
  • Review vendor security artifacts including TxRAMP packages, SOC reports, security questionnaires, and contract clauses.
  • Provide cybersecurity risk input into procurement, contract negotiations, and renewals.
  • Ensure vendor risks are mitigated or formally accepted.
  • Lead insider risk governance in collaboration with IAM, SOC, HR, Legal, and Privacy.
  • Assess risks related to privileged access, user behavior, and data handling.
  • Ensure insider risk decisions and investigations are properly documented.
  • Oversee development, review, and lifecycle tracking of RBD documentation.
  • Ensure risk acceptance decisions are documented, approved, and periodically reassessed.
  • Provide audit-defensible evidence of executive risk decisions.
  • Direct cybersecurity tabletop exercises and scenario-based simulations.
  • Coordinate participation across technical, legal, privacy, and executive teams.
  • Track lessons learned and corrective actions.
  • Oversee security awareness and role-based training compliance.
  • Monitor completion metrics and audit reporting.
  • Promote agency-wide cybersecurity culture.
  • Serve as senior liaison to internal audit, external auditors, DIR, CMS, and oversight entities.
  • Direct preparation of compliance evidence and audit responses.
  • Ensure GRC documentation is audit-ready and defensible.
  • Lead development, maintenance, and enforcement of HHSC cybersecurity policies, standards, and procedures.
  • Ensure agency security policies remain aligned with evolving federal, state, DIR, and regulatory requirements.
  • Coordinate policy exception requests and ensure approved exceptions are documented through Risk-Based Decisions (RBDs).
  • Oversee continuous security control monitoring strategies in coordination with SOC, Infrastructure, and Application teams.
  • Ensure security metrics, risk indicators, and compliance status are reported to CISO leadership on a recurring basis.
  • Identify emerging threats and systemic risk trends and recommend mitigation strategies.
  • Partner with Data Governance and Privacy Offices to ensure data classification, protection, and privacy controls are integrated into risk decisions.
  • Ensure privacy risks (PII/PHI) are considered in SSPs, SARs, vendor risk reviews, and RBDs.
  • Coordinate cybersecurity risk input into Business Impact Analyses (BIA), Disaster Recovery (DR), and Business Continuity (BCP) planning.
  • Validate recovery strategies and backup controls align with system risk and availability requirements.
  • Provide risk-based input into cybersecurity funding requests, exceptional items (EI), and technology investment proposals.
  • Support workforce planning and capability development for GRC functions.
  • Provide strategic direction and oversight to GRC managers, analysts, and support staff.
  • Assign work, review performance, and ensure staff development.
  • Coordinate cross-functional teams and working groups.
  • Perform other job-related duties as assigned by the Chief Information Security Officer (CISO), Deputy CISO, or agency executive leadership to support mission requirements, emerging regulatory mandates, or agency priorities.

Benefits

  • Comprehensive benefits package includes 100% paid employee health insurance for full-time eligible employees, a defined benefit pension plan, generous time off benefits, numerous opportunities for career advancement, and more.