Associate Director, Application Risk and Compliance

Posting Number 2026-15439
Posted Date 19 hours ago (3/19/2026 2:33 PM)
Location
US-NY-New York
Hybrid Remote Work Classification
Hybrid: 60% to 80% Onsite
Department
ISG Operations
School/Division
NYU IT (WS1170)
Compensation Grade
Band 53
Union
N/A
FT/PT
Full-Time
Category
Technology

Position Summary

The Associate Director, Application Risk & Compliance, provides strategic oversight and defines the validation and risk management frameworks required to ensure the security, data privacy, and integrity of the NYU enterprise application ecosystem in alignment with best practices and NYU’s Global Information Security Program. Act as a primary partner to Institutional Solutions Group (ISG) application portfolio leads, ensuring that application ecosystems, controls, and processes are aligned with University policies, standards, and procedures. Operationalize and oversee the implementation of application security and data privacy controls, identifying and assessing potential security and privacy risks across diverse technology stacks to ensure an integrated approach to risk management. Develop and implement standardized playbooks, templates, and tools to improve application security and data privacy effectiveness. Validate that required controls are effectively in place across all ISG application portfolios. Aggregate risk data and provide comprehensive compliance reports and dashboards to executive leadership. Serve as a consultant and partner to application portfolio leads, facilitating the delivery of secure foundations through proactive collaboration. Serve as a liaison between the Global Office of Information Security (GOIS) and application teams to facilitate the system certification process, ensuring all systems and applications consistently enforce institutional standards throughout their lifecycle.

Qualifications

Required Education:
Bachelor's Degree in Computer Science, Business, or related major

Preferred Education:
Master's Degree in Computer Science, Business or related field

Required Experience:
5+ years of progressive experience in information security, IT risk management, or IT compliance. Direct experience with secure software development lifecycles (S-SDLC), application security frameworks, and technical vulnerability management (e.g., OWASP Top 10). Proven history of conducting IT risk assessments, developing risk mitigation strategies, and overseeing compliance against institutional or federal standards. Experience operationalizing data protection standards and interpreting privacy regulations such as GDPR, HIPAA, or FERPA in a technical environment.

Preferred Experience:
Significant experience in higher education or in a large, distributed, and global organization. Experience serving as a primary security or compliance liaison for multiple diverse technical portfolios.

Required Skills, Knowledge and Abilities:
Deep understanding of application security risks (OWASP Top 10), secure software development lifecycles, secure application integration standards, and common vulnerabilities across modern (cloud-native, AI-integrated) and legacy application stacks. Proficiency in modern identity and access management standards. Experience establishing automated 'Joiner-Mover-Leaver' workflows and centralized access review processes. Strong ability to interpret federal and state regulations (e.g., FERPA, HIPAA, GDPR) and translate them into actionable technical controls for application developers. Demonstrated ability to act as a consultative partner to technical leads while effectively presenting risk-based data and dashboards to non-technical executive leadership. Technical proficiency in leveraging CI/CD security integrations and automation tools to automate and simplify compliance for distributed teams. Proven ability to balance security requirements with business speed, using sound judgment to determine when to grant a waiver versus when to escalate a 'blocker' to leadership. Demonstrated ability to think strategically. Must be able to work well in a changing, ambiguous environment and practice creative problem-solving. Possess effective verbal and written communication skills. Demonstrated public speaking ability. Skilled at stakeholder and audience engagement at multiple levels. Demonstrated ability to excel in a fast-paced environment with competing priorities, while remaining flexible and proactive. Ability to accurately and consistently meet deadlines. Ability to build consensus among diverse constituencies. Ability to work effectively with technical teams to achieve desired outcomes. Ability to demonstrate tact and diplomacy in difficult situations. Demonstrated ability to work effectively with a diverse population within a multicultural environment.
Established experience in information systems operational strategies, including evaluating trends, establishing critical measurements, and determining productivity, quality, and customer service strategies.

Preferred Skills, Knowledge and Abilities:
Advanced professional credentials such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC). Deep technical familiarity with secure coding practices and emerging technologies like AI and cloud-native security. Familiarity with GitHub Advanced Security (GHAS) features, including CodeQL, Secret Scanning, and Dependabot. Ability to configure GitHub Actions to automate security testing and enforce policy-as-code requirements within the developer workflow.

Additional Information

In compliance with NYC's Pay Transparency Act, the annual base salary range for this position is USD $175,000.00 to USD $195,000.00. New York University considers factors such as (but not limited to) scope and responsibilities of the position, candidate's work experience, education/training, key skills, internal peer equity, as well as market and organizational considerations when extending an offer. This pay range represents base pay only and excludes any additional items such as incentives, bonuses, clinical compensation, or other items.

NYU aims to be among the greenest urban campuses in the country and carbon neutral by 2040. Learn more at nyu.edu/nyugreen.

NYU is an Equal Opportunity Employer and is committed to a policy of equal treatment and opportunity in every aspect of its recruitment and hiring process without regard to age, alienage, caregiver status, childbirth, citizenship status, color, creed, disability, domestic violence victim status, ethnicity, familial status, gender and/or gender identity or expression, marital status, military status, national origin, parental status, partnership status, predisposing genetic characteristics, pregnancy, race, religion, reproductive health decision making, sex, sexual orientation, unemployment status, veteran status, or any other legally protected basis. All interested persons are encouraged to apply at all levels.
