Deputy Director of IT Risk & Compliance at Massachusetts Bay Transportation Authority, MA

Massachusetts Bay Transportation Authority, MA · Boston, United States Of America · Onsite

$128,540.00  -  $146,242.00

About the Department

The Deputy Director of IT Risk & Compliance Management provides strategic and operational leadership over enterprise technology risk, compliance, and governance functions across the MBTA. The role safeguards information assets by operationalizing security and privacy control frameworks, orchestrating supply chain and vendor risk diligence, and translating risk posture between executive-level dashboards and actionable remediation plans. The Deputy Director fosters a high-performance culture of security awareness, drives policy governance, and serves as a trusted advisor to senior leadership on emerging risks spanning legacy, cloud, DevOps, and operational technology environments.

Position Duties

  • Direct the risk management lifecycle—identification, assessment, response, monitoring—for IT and OT systems, ensuring alignment with NIST CSF, NIST 800-53, ISO 27001, CIS, and applicable privacy mandates (e.g., MA 201 CMR 17.00, GDPR, CCPA).
  • Maintain an authoritative inventory (Risk Register) of business, technology, regulatory, contractual, and organizational security related risks; oversee continuous control testing and issue management.
  • Design and run a robust Supply-Chain Risk Management (SCRM) program, including third-party onboarding, due-diligence assessments (SOC 2, ISO 27001, PCI DSS, FedRAMP, CMMC), and ongoing performance monitoring.
  • Coordinate with Procurement and Legal to embed security clauses and right-to-audit provisions in contracts.
  • Develop, socialize, and maintain MBTA information security and privacy policies; drive adoption through targeted awareness campaigns, phishing simulations, and organization-wide training.
  • Evangelize a Security-First mindset via townhalls, brownbag sessions, and executive briefings.
  • Administer and optimize GRC portals (e.g., ServiceNow, Archer) for control catalogues, risk registers, exception management, and board-level metrics.
  • Integrate vulnerability, incident, and asset data to deliver end-to-end traceability from findings to remediation and residual risk reporting.
  • Produce concise, data-driven dashboards and briefings for the CISO, CIO, Board, and federal regulators (TSA, FTA, DHS/CISA).
  • Present program status, risk trending, and budget justification in public speaking forums, executive committees, and industry conferences.
  • Lead, mentor, and develop a diverse team of risk analysts and compliance specialists; cultivate psychological safety, accountability, and continuous learning.
  • Champion collaboration across Operations, Engineering, Legal, Audit, and Finance to embed security into MBTA’s technology and business roadmaps.
  • Evaluate emerging threats, technologies, and regulatory changes; recommend process enhancements, automation, and tooling (e.g., IRM workflows, AI assisted control testing).
  • Serve as primary interface for internal/external auditors and regulatory bodies; coordinate evidence collection, track remediation commitments, and attest to control effectiveness.
  • Perform all other duties and projects that may be assigned.

Supervision

  • Manage a team of engineers and administrators.

Minimum Qualifications

  • Bachelor’s degree from an accredited institution in Computer Science or a related field.
  • Five (5) years of progressive IT risk, compliance, or cybersecurity governance experience within large, complex environments.
  • Two (2) years of supervisory, managerial, and/or leadership experience.
  • Demonstrated implementation of NIST 800-53/CSF, ISO 27001/27701, CIS Controls, ITIL, COBIT, and privacy regulations.
  • Working knowledge of network, cloud (AWS/Azure), DevOps pipelines, legacy on-prem systems, security tooling (SIEM, EDR, IAM), and vulnerability management platforms.
  • Hands-on administration of GRC suites (ServiceNow GRC, Archer, Origami, Armis, Nozomi) and phishing training platforms (KnowBe4, Proofpoint, Cofense).
  • Exceptional verbal and written communication, public speaking, and executive-level presentation skills.
  • At least one of: CRISC, CISM, CISSP, CISA; willingness to achieve additional certifications as needed.

Other Qualifications

  • A High School Diploma or GED with an additional seven (7) years of directly related experience substitutes for the bachelor’s degree requirement.
  • An Associate’s Degree from an accredited institution and an additional three (3) years of directly related experience substitutes for the bachelor’s degree requirement.
  • A Master’s Degree in a related subject substitutes for two (2) years of general experience.
  • A nationally recognized certification, or statewide/professional certification in a related field, substitutes for one year of experience.

Preferred Experience and Skills

  • Seven (7) or more years of progressive IT risk, compliance, or cybersecurity governance experience within large, complex environments.
  • Three (3) or more years in a supervisory/leadership capacity.
  • Additional credentials (e.g., CGEIT, CCSP, ISO 27001 Lead Auditor, PMP).
  • Experience with federal critical infrastructure directives (TSA SD 1580/82-2022-01C, NIST SP 800-82).
  • Exposure to operational technology (OT) environments and rail/transit systems.
  • Record of thought leadership through conference speaking, publication, or standards body participation.
  • Strategic thinker with a hands-on, results-driven approach.
  • Analytical mindset and quantitative skills; comfort with ambiguity and rapid change.
  • Demonstrated integrity, ethical judgement, and commitment to public service.
  • Ability to inspire teamwork, inclusivity, and a culture of continuous improvement.