
Director, IT & Cybersecurity Audit
UPMC Senior Communities, Pittsburgh, PA, United States
Purpose:
The Director leads UPMC's IT & Cybersecurity Internal Audit function, setting strategy and overseeing risk-based audits across enterprise IT, cybersecurity, privacy, cloud, identity & access management, third-party digital risk, and emerging technologies. Reporting to the Chief Audit Officer, this role owns the IT & Cybersecurity audit universe and annual plan, drives continuous risk assessment, delivers high-impact advisory work, and provides clear, actionable reporting to leadership. The Director builds a high-performing team, advances audit methodologies (data analytics, automation, continuous auditing), and partners constructively with IT, Security, and business leaders while maintaining independence to strengthen technology risk management and resilience.
Responsibilities:
1) Strategy & Technology Risk Oversight
Develop and execute IT & Cybersecurity audit strategy and annual plan aligned to enterprise priorities and threat landscape. Maintain an audit universe covering IT, cybersecurity, cloud, applications/SDLC, data privacy, third-party risk, infrastructure, and emerging technologies (e.g., AI/ML, automation). Ensure audit practices align with regulatory and industry frameworks (HIPAA, HITECH, HITRUST, PCI-DSS, GDPR, NIST, ISO). Provide assurance and advisory services on emerging risks and technology governance.
2) Audit Delivery & Quality
Lead planning, fieldwork, and reporting for IT & Cybersecurity audits and special projects; ensure compliance with IIA standards and departmental methodology. Elevate audit quality through root-cause analysis, control design/effectiveness testing, and actionable remediation plans. Implement data analytics and continuous auditing to increase coverage and insight. Collaborate on integrated audits with other Internal Audit disciplines.
3) Stakeholder Engagement
Deliver concise, risk-based insights to Internal Audit leadership and senior executives. Maintain trusted relationships with IT, Cybersecurity, and business technology leaders; influence remediation and risk prioritization while preserving independence. Coordinate with ERM, Compliance, and Data Analytics teams on risk identification and thematic reporting. Participate in post-incident reviews to provide independent guidance and lessons learned.
4) People Leadership & Culture
Recruit, develop, and retain IT & Cybersecurity audit talent; provide coaching, career paths, and succession planning. Foster a culture of curiosity, accountability, and continuous improvement; promote modern audit skills (cloud, cyber, analytics, AI). Set clear goals, deliver timely feedback, and recognize excellence.
5) Tools, Innovation & Methodology
Champion adoption and optimization of audit technology platforms (e.g., AuditBoard, TeamMate) for planning, workpapers, and issue tracking. Standardize audit programs and templates aligned to recognized frameworks. Advance innovation through automation, scripting, and analytics to enable continuous auditing and deeper risk insights.
Qualifications:
Bachelor's degree in Information Systems, Computer Science, Cybersecurity, Engineering, Accounting, Business, or related field. Master's degree (e.g., Information Assurance, Cybersecurity, Analytics, MBA) is preferred.
7 years progressive experience in IT audit, cybersecurity, or technology risk. 2 years managerial or supervisory experience required.
Demonstrated leadership of complex audits across cloud, cybersecurity, applications/SDLC, infrastructure/operations, and data/privacy domains.
Experience engaging executive leadership; proven ability to translate technical risk into business impact.
Healthcare experience and familiarity with HIPAA/HITECH/HITRUST and clinical/operational technologies (preferred), or strong ability to quickly learn healthcare environments.
Deep knowledge of security and control frameworks (e.g., NIST CSF, ISO 27001/27002, COBIT, HITRUST, ITIL); familiarity with SOC 1/2 criteria.
Proficiency in cloud security, identity & access, network/infrastructure, DevSecOps/SDLC, data protection, logging/monitoring, and incident response.
Strong data analytics skills (SQL, scripting, BI/visualization) and experience with continuous auditing/monitoring.
Excellent communication: executive briefings, report writing, and storytelling with risk-based clarity.
High integrity, professional skepticism, and sound judgment; able to challenge and influence constructively.
Licensure, Certifications, and Clearances:
Required (at least one): CISA, CISSP, CISM, CRISC, CIA, CPA, CCSK/CCSP, CEH, AWS/Azure/GCP security certifications.
Act 34
UPMC is an Equal Opportunity Employer/Disability/Veteran