Talent.com
Senior Lead, Cybersecurity Policy & Compliance

University Corporation for Atmospheric Research (UCAR) • Boulder, CO, United States
3 days ago
Job type
  • Full-time
Job description

Job Description Summary :

Reporting to the Chief Information Officer and serving on the IT Senior Leadership Team, the Senior Lead for Cybersecurity Policy and Compliance ("Senior Lead") will serve as the organization's leading subject matter expert on cybersecurity. The successful candidate will be responsible for maintaining a cybersecurity policy that is flexible enough to meet the demands of a national research center, but concrete enough to provide enforceable, actionable guidance to all the organization's staff, including administrative staff, educators, researchers, IT staff, and others.

The Senior Lead is responsible for developing, implementing, managing, and evolving the organization's cybersecurity policies, standards, guidelines, and procedures. This individual will ensure adherence to relevant laws, regulations, industry standards, organizational policies, funder requirements, and internal requirements. The Senior Lead will provide expert guidance on compliance matters and drive the maturity of the cybersecurity compliance program, working in collaboration with the organization's Research Security program, Office of General Counsel, and Contracts Office.

This role requires a deep understanding of federal cybersecurity frameworks and regulatory landscapes. The Senior Lead must be able to translate complex technical requirements into clear policies, take firm action with respect to compliance, and ensure that those actions do not disrupt research, educational, operational, and/or other mission-facing activities.

In addition to policy and compliance responsibilities, the Senior Lead will direct a small team that manages specific cybersecurity-related services and programs such as audit preparation & response, vendor security & privacy assessments, data preservation, cybersecurity aspects of legal holds, annual cybersecurity training, phishing simulation, and related cybersecurity services and programs.

Critically, the Senior Lead will serve as the point person for all cybersecurity incident responses, working closely with the Cybersecurity Operations group, which reports separately into UCAR's IT Operations unit. During any incident response situations, the Senior Lead will be expected to coordinate and direct the activities of the Cybersecurity Operations group, serving as a temporary matrixed manager for the duration of the incident.

Position Details :

Visa Sponsored Job :

No

Relocation Assistance Eligible :

Yes

Job Location : Boulder, Colorado

Position Type & Term :

Full time, Regular

Compensation Range :

Salary Range : $137,229 - $171,537

  • Final salary and rates are based on education, experience, skills relevant to the role.

Application Notes

Job Type : Hybrid, 3 days / week minimum requirement in Boulder office

Application Deadline : This position will be posted until 11:59 PM MT on Sunday, November 9, 2025.

Required application materials (preferably uploaded as a PDF) :

  • Resume / CV
  • Cover Letter - Please address how your skills and experience meet the needs of this position (for more information, please refer to the Key Responsibilities and Knowledge, Skills, and Abilities sections of this job posting). ADDITIONALLY, please share specific examples of (1) your experience working with executive leadership, and (2) working in environments with distributed authority. Cover Letters that do not address the above will not be submitted for further consideration.
  • Background Checks : Conducted for candidates selected for hire.

    Work Location : Regardless of flexible work arrangements, UCAR requires ALL positions to be performed within the U.S., excluding U.S. Territories.

    What You Will Do

    Here is a brief summary of what one would expect to be generally responsible for in this role.

    Key Responsibilities :

    Policy & Standard Development :

    Lead the development, review, and continuous improvement of cybersecurity policies, standards, baselines, and guidelines in alignment with various frameworks (e.g., CMMC, NIST CSF, FISMA, TrustedCI, CUI, ISO 27001, ISO 27701) and regulatory requirements (e.g., GDPR, CCPA, HIPAA, PCI DSS).

    Ensure policies are clear, concise, actionable, and effectively communicated across the organization.

    Establish and maintain a policy lifecycle management process, including regular reviews and updates.

    Compliance Management :

    Oversee and manage the organization's compliance with cybersecurity regulations, laws, and internal policies.

    Conduct regular compliance assessments, gap analyses, and risk assessments to identify areas of non-compliance and recommend remediation strategies.

    Develop and implement remediation plans for audit findings and compliance gaps.

    Act as a primary point of contact for internal and external audits related to cybersecurity, ensuring timely and accurate responses.

    Prepare and maintain audit documentation, evidence, and reports.

    Advisory & Consultation :

    Provide expert advice and guidance to various business units, IT teams, and leadership on cybersecurity policy and compliance matters.

    Translate complex technical security requirements into understandable business language for stakeholders.

    Participate in security architecture reviews and project initiatives to ensure policy and compliance considerations are integrated from the outset.

    Program Maturity & Governance :

    Contribute to the strategic development and maturity of the overall cybersecurity compliance program, working closely with the Research Security Program and the Office of General Counsel.

    Develop and report on key performance indicators (KPIs) and metrics related to policy adherence and compliance posture.

    Foster a culture of security awareness and compliance throughout the organization.

    Risk Management Integration :

    Collaborate with risk management teams to ensure cybersecurity risks are adequately identified, assessed, and mitigated through policy and control implementation.

    Ensure policies align with the organization's risk appetite and tolerance levels.

    Stakeholder Engagement :

    Collaborate effectively with legal, internal audit, external auditors, IT operations, development teams, and business units.

    Present findings, recommendations, and compliance status to senior leadership.

    Team Leadership & Mentorship :

    Proven ability to lead, mentor, and inspire technical teams while collaborating cross-functionally with diverse stakeholders.

    Expected to provide mentorship, thought leadership, and guidance to the Cybersecurity Operations team in IT Operations.

    Will lead specific projects or initiatives related to policy and compliance.

    Directly manages a small team of cybersecurity specialists responsible for the delivery of several cybersecurity-related services.

    Who We'd Love To Join Our Team

    Successful candidates will ensure their application materials speak to the following criteria :

    Education and Experience

    (Required) :

    Education : Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field. Master's degree preferred. Extensive proven experience may substitute for a degree.

    Minimum of 8 years of progressive experience in cybersecurity, with a strong focus on policy, compliance, and governance roles.

    Proven experience in developing, implementing, and managing cybersecurity policies and standards within a complex organizational environment.

    Extensive experience with common cybersecurity frameworks (e.g., NIST CSF, ISO 27001, COBIT, CIS Controls).

    Demonstrated experience in managing compliance with regulatory requirements (e.g., GDPR, CCPA, HIPAA, PCI DSS, SOX, CMMC, etc.).

    4+ years of Security Compliance or Audit related experience.

    FedRAMP or DoD auditing (Third Party Assessment Organization) or implementation experience.

    NIST 800-53, NIST 800-171, and CMMC experience.

    Experience leading or significantly contributing to internal and external audits.

    Knowledge, Skills, and Abilities

    Desired :

    Strong problem-solving skills and the ability to drive initiatives independently.

    Adaptability to evolving regulatory environments and organizational priorities.

    Commitment to fostering a collaborative and inclusive team culture.

    Exceptional communication skills, with the ability to clearly convey complex cybersecurity concepts to non-technical and technical audiences as well as senior leadership.

    Desired but not Required Certifications :

    CISSP (Certified Information Systems Security Professional) is strongly preferred

    CISM (Certified Information Security Manager)

    CRISC (Certified in Risk and Information Systems Control)

    CISA (Certified Information Systems Auditor)

    Relevant certifications related to specific regulations (e.g., HIPAA Security Specialist, PCI DSS QSA).

    Risk based position : A pre-employment screening is conducted in conjunction with an offer for employment. This screening may involve verifying or reviewing any of the following relevant information : restricted parties screening, employment verification, performance records of internal candidates, education verification, reference checks, verification of professional licenses, certifications, and Motor Vehicle Records. UCAR complies with the Fair Credit Reporting Act (FCRA).

    Benefits Overview

    UCAR affirms its commitment to employees through competitive benefits. In addition to medical, dental, vision, retirement, and life insurance, UCAR offers a variety of programs focused on work-life balance and professional and personal development. These include :

    Tuition Assistance, time off allowance to attend classes, and other professional development opportunities.

    UCAR contributes 10% of your eligible pay into your retirement account; 100% fully vested on day one.

    Starting minimum accrual of 20 days of personal time off each year (prorated for less than full-time positions).

    10 paid holidays.

    12 weeks of paid parental leave.

    Short-term medical leave paid at 100% of your regular salary.

    EcoPass for local Colorado residents to use the Denver and Boulder-area transit system at no cost.

    Commitment to Job Application Fairness

    Applicants are not required to provide age or age-related information and may redact information related to age, date of birth, or dates of attendance at or graduation from an educational institution from any submissions during the initial application process.

    Some Final Considerations

    At NSF NCAR | UCAR | UCP, you will work alongside a dedicated team of professionals conducting critical research and community outreach to solve complex Earth system science problems including climate change, air pollution, extreme weather, floods, drought, wildfires, and space weather, all with the goal of improving human life and reducing economic loss. Each of us, from scientists to the professionals who support their work, serves the public and a collaborative community of scientists in our mission to understand the complex processes that make up the Earth system, from the ocean floor to the Sun's core.

    Flexible Work

    At UCAR, we are committed to supporting our mission by giving staff the flexibility to find the schedule and location that works best to maintain their own work-life circumstances and reach their full potential as professionals. Many positions within our organization are eligible for fully on-site, hybrid (three days per week) and / or flexible work hours.

    Equal Opportunity Employer

    UCAR is committed to providing equal opportunity for all employees and applicants for employment and does not discriminate on the basis of race, age, creed, color, religion, national origin or ancestry, sex, gender, disability, veteran status, genetic information, sexual orientation, gender identity or expression, or pregnancy. Whatever your intersection of identities, you are welcome at UCAR.

    Export Control

    All positions are required to comply with U.S. export compliance regulations and work location requirements regarding access to facilities and research systems.

    Work Location

    UCAR requires ALL positions to be performed within the U.S., excluding U.S. Territories.

    AI Software

    ChatGPT and similar AI software are powerful tools that are changing the way society receives, processes, and leverages information promptly. While we acknowledge its benefits and do not restrict leveraging it with job applications, we highly encourage a majority of the applicant material to be original work.
