Senior Lead, Cybersecurity Policy & Compliance

Visa Sponsored Job:

Relocation Assistance Eligible:

Job Location:

Position Type & Term:

Salary Range: $137,229 - $171,537*

*Final salary and rates are based on education, experience, skills relevant to the role.

Job Location: Boulder, Colorado

Job Type: Hybrid, 3 days/week minimum requirement in Boulder office

Position Type & Term: Full-Time, Regular

Application Deadline: This position will be posted until 11:59 PM MT on Sunday, November 9, 2025.

Required application materials: (preferably uploaded as a PDF):

• Resume/CV
• Cover Letter- Please address how your skills and experience meet the needs of this position (for more information, please refer to the Key Responsibilities and Knowledge, Skills, and Abilities sections of this job posting).ADDITIONALLY, please share specific examples of (1) your experience working with executive leadership, and (2) working in environments with distributed authority. Cover Letters that do not address the above will not be submitted for further consideration.

Background Checks: Conducted for candidates selected for hire. Learn more.
Work Location: Regardless of flexible work arrangements, UCAR requires ALL positions to be performed within the U.S., excluding U.S. Territories.

Here is a brief summary of what one would expect to be generally responsible for in this role.

Key Responsibilities:

Policy & Standard Development:

• Lead the development, review, and continuous improvement of cybersecurity policies, standards, baselines, and guidelines in alignment with various frameworks (e.g., CMMC, NIST CSF, FISMA, TrustedCI, CUI, ISO 27001, ISO 27701) and regulatory requirements (e.g., GDPR, CCPA, HIPAA, PCI DSS).

• Ensure policies are clear, concise, actionable, and effectively communicated across the organization.

• Establish and maintain a policy lifecycle management process, including regular reviews and updates.

Compliance Management:

• Oversee and manage the organization's compliance with cybersecurity regulations, laws, and internal policies.

• Conduct regular compliance assessments, gap analyses, and risk assessments to identify areas of non-compliance and recommend remediation strategies.

• Develop and implement remediation plans for audit findings and compliance gaps.

• Act as a primary point of contact for internal and external audits related to cybersecurity, ensuring timely and accurate responses.

• Prepare and maintain audit documentation, evidence, and reports.

Advisory & Consultation:

• Provide expert advice and guidance to various business units, IT teams, and leadership on cybersecurity policy and compliance matters.

• Translate complex technical security requirements into understandable business language for stakeholders.

• Participate in security architecture reviews and project initiatives to ensure policy and compliance considerations are integrated from the outset.

Program Maturity & Governance:

• Contribute to the strategic development and maturity of the overall cybersecurity compliance program, working closely with the Research Security Program and the Office of General Counsel..

• Develop and report on key performance indicators (KPIs) and metrics related to policy adherence and compliance posture.

• Foster a culture of security awareness and compliance throughout the organization.

Risk Management Integration:

• Collaborate with risk management teams to ensure cybersecurity risks are adequately identified, assessed, and mitigated through policy and control implementation.

• Ensure policies align with the organization's risk appetite and tolerance levels.

Stakeholder Engagement:

• Collaborate effectively with legal, internal audit, external auditors, IT operations, development teams, and business units.

• Present findings, recommendations, and compliance status to senior leadership.

Team Leadership & Mentorship:

• Proven ability to lead, mentor, and inspire technical teams while collaborating cross-functionally with diverse stakeholders.

• Expected to provide mentorship, thought leadership, and guidance to the Cybersecurity Operations team in IT Operations

• Will lead specific projects or initiatives related to policy and compliance.

• Directly manages a small team of cybersecurity specialists responsible for the delivery of several cybersecurity-related services.

Successful candidates will ensure their application materials speak to the following criteria:
Education and Experience

(Required):

• Education: Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field. Master's degree preferred. Extensive proven experience may substitute for a degree.

• Minimum of 8 years of progressive experience in cybersecurity, with a strong focus on policy, compliance, and governance roles.

• Proven experience in developing, implementing, and managing cybersecurity policies and standards within a complex organizational environment.

• Extensive experience with common cybersecurity frameworks (e.g., NIST CSF, ISO 27001, COBIT, CIS Controls).

• Demonstrated experience in managing compliance with regulatory requirements (e.g., GDPR, CCPA, HIPAA, PCI DSS, SOX, CMMC, etc.).

• 4+ years of Security Compliance or Audit related experience.

• FedRAMP or DoD auditing (Third Party Assessment Organization) or implementation experience.

• NIST 800-53, NIST 800-171, and CMMC experience.

• Experience leading or significantly contributing to internal and external audits.

Knowledge, Skills, and Abilities

Desired:

• Strong problem-solving skills and the ability to drive initiatives independently.

• Adaptability to evolving regulatory environments and organizational priorities.

• Commitment to fostering a collaborative and inclusive team culture.

• Exceptional communication skills, with the ability to clearly convey complex cybersecurity concepts to non-technical and technical audiences as well as senior leadership.

Desired but not Required Certifications:

• CISSP (Certified Information Systems Security Professional) is strongly preferred

• CISM (Certified Information Security Manager)

• CRISC (Certified in Risk and Information Systems Control)

• CISA (Certified Information Systems Auditor)

• Relevant certifications related to specific regulations (e.g., HIPAA Security Specialist, PCI DSS QSA).

Risk based position: A pre-employment screening is conducted in conjunction with an offer for employment. This screening may involve verifying or reviewing any of the following relevant information: restricted parties screening, employment verification, performance records of internal candidates, education verification, reference checks, verification of professional licenses, certifications, and Motor Vehicle Records. UCAR complies with the Fair Credit Reporting Act (FCRA).

UCAR affirms its commitment to employees through competitive benefits. In addition to medical, dental, vision, retirement, and life insurance, UCAR offers a variety of programs focused on work-life balance and professional, and personal development. These include:

• Tuition Assistance, time off allowance to attend classes, and other professional development opportunities.

• UCAR contributes 10% of your eligible pay into your retirement account; 100% fully vested on day one.

• Starting minimum accrual of 20 days of personal time off each year (prorated for less than full-time positions).

• 10 paid holidays.

• 12 weeks of paid parental leave.

• Short-term medical leave paid at 100% of your regular salary.

• EcoPass for local Colorado residents to use the Denver and Boulder-area transit system at no cost.

Applicants are not required to provide age or age-related information and may redact information related to age, date of birth, or dates of attendance at or graduation from an educational institution from any submissions during the initial application process.

At NSF NCAR| UCAR | UCP, you will work alongside a dedicated team of professionals conducting critical research and community outreach to solve complex Earth system science problems including climate change, air pollution, extreme weather, floods, drought, wildfires, and space weather, all with the goal of improving human life and reducing economic loss. Each of us, from scientists to the professionals who support their work, serves the public and a collaborative community of scientists in our mission to understand the complex processes that make up the Earth system, from the ocean floor to the Sun's core.

Flexible Work

At UCAR, we are committed to supporting our mission by giving staff the flexibility to find the schedule and location that works best to maintain their own work-life circumstances and reach their full potential as professionals. Many positions within our organization are eligible for fully on-site, hybrid (three days per week) and/or flexible work hours.

Equal Opportunity Employer

UCAR is committed to providing equal opportunity for all employees and applicants for employment and does not discriminate on the basis of race, age, creed, color, religion, national origin or ancestry, sex, gender, disability, veteran status, genetic information, sexual orientation, gender identity or expression, or pregnancy.Whatever your intersection of identities, you are welcome at UCAR.

Export Control

All positions are required to comply with U.S. export compliance regulations and work location requirements regarding access to facilities and research systems.

Work Location

UCAR requires ALL positions to be performed within the U.S., excluding U.S. Territories.

AI Software

ChatGPT and similar AI software are powerful tools that are changing theway society receives, processes, and leverages information promptly. While we acknowledge its benefits and do not restrict leveraging it with job applications, we highly encourage a majority of the applicant material to be original work.