

Associate Director, Cybersecurity Governance, Risk & Compliance
About the role
Staff - Non Union Job Category M&P - Excluded M&P Job Profile XMP - Information Systems & Technology, Level G Job Title Associate Director, Cybersecurity Governance, Risk & Compliance Department OCIO | Chief Information Security Office Compensation Range $13,137.75 - $20,502.83 CAD Monthly The Compensation Range is the span between the minimum and maximum base salary for a position. The midpoint of the range is approximately halfway between the minimum and the maximum and represents an employee that possesses full job knowledge, qualifications and experience for the position. In the normal course, employees will be hired, transferred or promoted between the minimum and midpoint of the salary range for a job. Posting End Date July 26, 2026 Note: Applications will be accepted until 11:59 PM on the Posting End Date. This position is subject to the satisfactory completion of required background checks Job End Date Ongoing This position is subject to the satisfactory completion of required background checks. At UBC, we believe that attracting and sustaining a diverse workforce is key to the successful pursuit of excellence in research, innovation, and learning for all faculty, staff and students. Our commitment to employment equity helps achieve inclusion and fairness, brings rich diversity to UBC as a workplace, and creates the necessary conditions for a rewarding career. At UBC, we believe that attracting and sustaining a diverse workforce is key to the successful pursuit of excellence in research, innovation, and learning for all faculty, staff and students. Our commitment to employment equity helps achieve inclusion and fairness, brings rich diversity to UBC as a workplace, and creates the necessary conditions for a rewarding career. JOB SUMMARY The Associate Director, Cybersecurity Governance, Risk and Compliance oversees the portfolio of services delivered as part of the Compliance and Risk Assessment team of the UBC Privacy & Information Security Management (PrISM) initiative. The function reports directly to the Chief Information Security Officer (CISO) and to the Executive Director, Safety and Risk Services and ensures cybersecurity risks are understood and communicated to institutional leadership in collaboration with the leaders within the CIO & CISO’s portfolio, and those of the Enterprise Risk Management team. The role establishes and sustains second-line risk management processes and leads the Risk and Compliance team in optimizing risk assessment practices and improving institutional visibility of cybersecurity and privacy related risks as well as training and compliance. The Associate Director is responsible for overseeing the activities related to assessing and reporting on compliance with Policy SC 14 and the associated Rules, identifying risks and gaps, prioritizing the risks and maintaining an institutional IT risk register for communicating these risks to the appropriate governance bodies. The register will support the CIO and CISO in establishing the annual activities for the CISO team and the broader UBC IT and distributed IT units. The Associate Director will support the Enterprise Risk Management team in reporting on key risks to the Executive and the Board. The Associate Director is responsible for assessing the priority of the risks, and recommending ownership for cybersecurity and privacy related risks including external risks related to third party suppliers, and emerging risks such as digital resilience, and AI assisted attacks. The compliance reports and the risk register will provide the CIO and Executive Leadership with a structured view of risk exposures across the University to inform future initiatives, priorities and subsequent investments. The Associate Director and their team provides compliance advisory services pertaining to the standards set out in Policy SC 14 and associated Rules, as well as supporting the Office of University Counsel by managing the Privacy Impact Assessment process under the guidance of the Legal Counsel responsible for Privacy while supporting the institution’s capacity to innovate responsibly. The function provides independent risk insight and advisory services related to the impact of technology. The Privacy and Information Security Management Risk and Compliance team delivers risk and compliance services in established areas such as Privacy Impact Assessments, Security Threat Risk Assessments, Information Security Compliance, awareness and training. While progressively expanding their knowledge of or integrating with (as appropriate and subject to the decision of the CIO and advice of Enterprise Risk and Assurance) additional priority domains including artificial intelligence and supply chain risk. Through coordinated intake, assessment and advisory services, the function improves process efficiency while strengthening the institution’s understanding of technology-related risk. The function provides advisory, risk analysis, investigation and compliance services spanning major technology transformation initiatives, emerging technology domains and key operational areas as agreed thorough agreement between Enterprise Risk and Assurance and the CIO. Working closely with Enterprise Risk and Assurance, the CIO portfolio, Cybersecurity, Enterprise Data Governance, Architecture, University Counsel and key service units, the function supports the consistent application of risk-informed practices across UBC operations. These activities help embed proportionate risk and compliance practices aligned with institutional priorities and informed by the evolving technology risk register. ORGANIZATIONAL STATUS The Associate Director has a dual reporting relationship, to the Chief Information Security Officer (CISO) and to the Executive Director, Safety and Risk Services. The role works closely with Enterprise Risk and Assurance to integrate technology risk insights into the Institutional Risk Register and enterprise risk governance processes, and with the CIO portfolio to ensure technology risk insights support institutional technology strategy and decision-making. The Associate Director collaborates extensively with Cybersecurity teams, the CIO’s portfolio in areas such as Enterprise Architecture, Enterprise Data Governance, Enterprise Digital Transformation and other areas within Legal Counsel, Records Management, Access and Privacy, Procurement, and other teams and governance functions across the University. The role interacts with senior leadership, project sponsors, operational teams, and governance committees to ensure technology risk considerations are clearly understood and effectively addressed. WORK PERFORMED Technology Risk Governance Leads the teams responsible for identifying, interpreting and communicating privacy and information security related risks across the University. Develops and maintains the practices and processes to identify and address significant privacy and information security risks relating to UBC electronic information and systems. Leads the development of a risk register aligned with Enterprise Risk Management processes. Translate operational technology risk information into clear institutional insights for the CIO and executive leadership and governance bodies as appropriate. Provide strategic risk advice to leadership regarding institutional exposure to technology risks including cybersecurity, system resilience, third‑party dependencies, and emerging technologies as they relate to privacy and information security Technology Risk Assessment and Advisory Oversees the enterprise Privacy Impact and Security Threat Risk Assessment services, ensuring the processes and practices are continually streamlined and improved. Provides privacy and cybersecurity risk advisory services and methodologies to complex digital initiatives, technology-enabled transformation programs, and major institutional technology investments. Supports Enterprise Risk and Assurance in leading thematic technology risk reviews. Provide advisory services under the direction of the CIO and Enterprise Risk and Assurance in assessing risks associated with emerging technologies including artificial intelligence, advanced analytics, and digital platforms as they relate to privacy and information security. Leads the activities related to the development of institutional responses to technology related risk where mitigation requires a coordinated response beyond the scope of Information technology (e.g. supply chain). Compliance and Governance Direct the Information Security Compliance Support Program and related risk‑based compliance initiatives. Ensure technology risk and compliance activities remain aligned with institutional policy frameworks, risk appetite and evolving regulatory expectations. Leads the development of governance processes and practices at the local level with Faculties and Amin Units to ensure IT risk assessment and management processes remain efficient, consistent, and supportive operational and project delivery across the university. Participate in the development of UBC-wide rules pertaining to the Use, Management, and Security of UBC Electronic Information and Systems. Leadership and Organizational Development Lead and mentor a multidisciplinary team delivering technology risk and compliance services. Foster collaboration across governance, risk, and technology communities to strengthen institutional decision-making. CONSEQUENCE OF ERROR This role is critical to ensuring that the University understands the gaps and resulting exposure associated with the management of information technology. Failure to effectively identify, interpret, or communicate technology-related risks will result in privacy or cybersecurity breaches, expose the University to significant operational disruption, cybersecurity incidents, regulatory non-compliance, financial loss, or reputational damage. Sound judgment and strong governance leadership are required to ensure risks are appropriately understood and addressed. SUPERVISION RECEIVED Works independently under the direction of the Executive Director, Safety and Risk Services (SRS) and the Chief Information Security Officer, with close interaction with the Associate Vice President & Chief Information Officer and Chief Enterprise Risk and Assurance Officer. SUPERVISION GIVEN The Director will direct, mentor and supervise a multidisciplinary team of privacy and information security analysts/advisors. May occasionally supervise and direct contract workers or students. MINIMUM QUALIFICATIONS Master's degree in a relevant discipline. Minimum of eleven years of related experience including at least five years of managerial experience plus four years of specialized experience in the design and implementation of major computer systems, or the equivalent combination of education and experience. - Willingness to respect diverse perspectives, including perspectives in conflict with one’s own - Demonstrates a commitment to enhancing one’s own awareness, knowledge, and skills related to equity, diversity, and inclusion PREFERRED QUALIFICATIONS Master's degree in a relevant discipline. Minimum 10 years of progressive leadership experience in technology risk, cybersecurity governance, enterprise risk management, or related fields. Experience developing or operating risk management frameworks aligned with recognized standards such as NIST, ISO 27001/27002, COBIT, or similar. The following professional designations and experience are desired: - IIA Certification in Risk Management Assurance (CRMA) - Certified in the Governance of Enterprise Information Technology (CGEIT) - ISACA Certified in Risk and Information Systems Control (CRISC) - ISACA Certified Information Systems Auditor (CISA) - Project Management Professional (PMP) Minimum of 9 years’ experience or the equivalent combination of education and experience. - Minimum of 10 years of management experience - Experience in a higher education institution - Extensive experience of risk management, information governance and information security frameworks such as COBIT and ISO 27002 - Self-motivated with a strong commitment to providing high quality services, together with a thorough understanding and awareness of information governance and security best practices and the ability to translate them into meaningful and value added University-wide and local solutions - Demonstrates knowledge of Freedom of Information and Protection of Privacy Act (FIPPA) as it relates to implementing 'reasonable security arrangements' over personal information under the University's control or in its custody - Holds in depth knowledge of the University's information security policies - High level of interpersonal skills used to lead, enthuse, motivate, influence, and educate others to drive change across the University - Excellent verbal and written communication skills and the ability to communicate effectively at all levels. - Ability to identify problems and develop solutions through the involvement of appropriate stakeholders. - Able to work under pressure and manage priorities appropriately - Positive attitude towards learning and development, demonstrated by a record of continuing professional development The University of British Columbia is a global centre for research and teaching, consistently ranked among the top 20 public universities globally. A large part of what makes us unique is the community of engaged students, faculty, and staff who are collectively committed to shaping a better world. Recognized as a leading employer in British Columbia and Canada, UBC supports inspired students, faculty and staff on their journey of discovery, and challenges them to realize their greatest potential. New ideas, changing infrastructure, innovative technology, and fresh approaches are opening up possibilities for the future of research, teaching, and work. Are you ready to embrace the future together? Equity and diversity are essential to academic excellence. An open and diverse community fosters the inclusion of voices that have been underrepresented or discouraged. We encourage applications from members of groups that have been marginalized on any grounds enumerated under the B.C. Human Rights Code, including sex, sexual orientation, gender identity or expression, racialization, disability, political belief, religion, marital or family status, age, and/or status as a First Nation, Metis, Inuit, and/or Indigenous person. All qualified candidates are encouraged to apply; however Canadians and permanent residents will be given priority. If you have any accommodation or accessibility needs during the job application process, please contact the Centre for Workplace Accessibility at workplace.accessibility@ubc.ca.