MBTA · 9 hours ago
Deputy Director of IT Risk & Compliance
MBTA is committed to providing a safe and accessible transit system, and they are seeking a Deputy Director of IT Risk & Compliance Management to lead their enterprise technology risk and compliance efforts. This role involves safeguarding information assets, operationalizing security frameworks, and serving as an advisor to senior leadership on emerging risks across various technology environments.
Responsibilities
Direct the risk management lifecycle—identification, assessment, response, monitoring—for IT and OT systems, ensuring alignment with NIST CSF, NIST 800-53, ISO 27001, CIS, and applicable privacy mandates (e.g., MA 201 CMR 17.00, GDPR, CCPA)
Maintain an authoritative inventory (Risk Register) of business, technology, regulatory, contractual, and organizational security related risks; oversee continuous control testing and issue management
Design and run a robust Supply-Chain Risk Management (SCRM) program, including third-party onboarding, due-diligence assessments (SOC 2, ISO 27001, PCI DSS, FedRAMP, CMMC), and ongoing performance monitoring
Coordinate with Procurement and Legal to embed security clauses and right-to-audit provisions in contracts
Develop, socialize, and maintain MBTA information security and privacy policies; drive adoption through targeted awareness campaigns, phishing simulations, and organization-wide training
Evangelize a Security-First mindset via townhalls, brownbag sessions, and executive briefings
Administer and optimize GRC portals (e.g., ServiceNow, Archer) for control catalogues, risk registers, exception management, and board-level metrics
Integrate vulnerability, incident, and asset data to deliver end-to-end traceability from findings to remediation and residual risk reporting
Produce concise, data-driven dashboards and briefings for the CISO, CIO, Board, and federal regulators (TSA, FTA, DHS/CISA)
Present program status, risk trending, and budget justification in public speaking forums, executive committees, and industry conferences
Lead, mentor, and develop a diverse team of risk analysts and compliance specialists; cultivate psychological safety, accountability, and continuous learning
Champion collaboration across Operations, Engineering, Legal, Audit, and Finance to embed security into MBTA’s technology and business roadmaps
Evaluate emerging threats, technologies, and regulatory changes; recommend process enhancements, automation, and tooling (e.g., IRM workflows, AI-assisted control testing)
Serve as primary interface for internal/external auditors and regulatory bodies; coordinate evidence collection, track remediation commitments, and attest to control effectiveness
Perform all other duties and projects that may be assigned
Qualifications
Required
Bachelor's degree from an accredited institution in Computer Science or a related field
Five (5) years of progressive IT risk, compliance, or cybersecurity governance experience within large, complex environments
Two (2) years of supervisory, managerial, and/or leadership experience
Demonstrated implementation of NIST 800-53/CSF, ISO 27001/27701, CIS Controls, ITIL, COBIT, and privacy regulations
Working knowledge of network, cloud (AWS/Azure), DevOps pipelines, legacy on-prem systems, security tooling (SIEM, EDR, IAM), and vulnerability management platforms
Hands-on administration of GRC suites (ServiceNow GRC, Archer, Origami, Armis, Nozomi) and phishing training platforms (KnowBe4, Proofpoint, Cofense)
Exceptional verbal and written communication, public speaking, and executive-level presentation skills
At least one of: CRISC, CISM, CISSP, CISA; willingness to achieve additional certifications as needed
Preferred
Seven (7) or more years of progressive IT risk, compliance, or cybersecurity governance experience within large, complex environments
Three (3) or more years in a supervisory/leadership capacity
Additional credentials (e.g., CGEIT, CCSP, ISO 27001 Lead Auditor, PMP)
Experience with federal critical infrastructure directives (TSA SD 1580/82-2022-01C, NIST SP 800-82)
Exposure to operational technology (OT) environments and rail/transit systems
Record of thought leadership through conference speaking, publication, or standards body participation
Strategic thinker with a hands-on, results-driven approach
Analytical mindset and quantitative skills; comfort with ambiguity and rapid change
Demonstrated integrity, ethical judgement, and commitment to public service
Ability to inspire teamwork, inclusivity, and a culture of continuous improvement
Benefits
Accrued paid sick leave
A monthly transportation pass, based on the city from which the intern / co-op commutes to work, at no cost
Company
MBTA
The Massachusetts Bay Transportation Authority, often referred to as the MBTA or simply The T, is the public operator of most bus, subway, commuter rail and ferry systems in the greater Boston, Massachusetts, area.