Director, IT & Cybersecurity Audit

Purpose:

The Director leads UPMC's IT & Cybersecurity Internal Audit function, setting strategy and overseeing risk-based audits across enterprise IT, cybersecurity, privacy, cloud, identity & access management, third-party digital risk, and emerging technologies. Reporting to the Chief Audit Officer, this role owns the IT & Cybersecurity audit universe and annual plan, drives continuous risk assessment, delivers high-impact advisory work, and provides clear, actionable reporting to leadership. The Director builds a high-performing team, advances audit methodologies (data analytics, automation, continuous auditing), and partners constructively with IT, Security, and business leaders while maintaining independence to strengthen technology risk management and resilience.

Responsibilities:

Licensure, Certifications, and Clearances:

• Strategy & Technology Risk Oversight
• Develop and execute IT & Cybersecurity audit strategy and annual plan aligned to enterprise priorities and threat landscape.
• Maintain an audit universe covering IT, cybersecurity, cloud, applications/SDLC, data privacy, third-party risk, infrastructure, and emerging technologies (e.g., AI/ML, automation).
• Ensure audit practices align with regulatory and industry frameworks (HIPAA, HITECH, HITRUST, PCI-DSS, GDPR, NIST, ISO).
• Provide assurance and advisory services on emerging risks and technology governance.
• Audit Delivery & Quality
• Lead planning, fieldwork, and reporting for IT & Cybersecurity audits and special projects; ensure compliance with IIA standards and departmental methodology.
• Elevate audit quality through root-cause analysis, control design/effectiveness testing, and actionable remediation plans.
• Implement data analytics and continuous auditing to increase coverage and insight.
• Collaborate on integrated audits with other Internal Audit disciplines.
• Stakeholder Engagement
• Deliver concise, risk-based insights to Internal Audit leadership and senior executives.
• Maintain trusted relationships with IT, Cybersecurity, and business technology leaders; influence remediation and risk prioritization while preserving independence.
• Coordinate with ERM, Compliance, and Data Analytics teams on risk identification and thematic reporting.
• Participate in post-incident reviews to provide independent guidance and lessons learned.
• People Leadership & Culture
• Recruit, develop, and retain IT & Cybersecurity audit talent; provide coaching, career paths, and succession planning.
• Foster a culture of curiosity, accountability, and continuous improvement; promote modern audit skills (cloud, cyber, analytics, AI).
• Set clear goals, deliver timely feedback, and recognize excellence.
• Tools, Innovation & Methodology
• Champion adoption and optimization of audit technology platforms (e.g., AuditBoard, TeamMate) for planning, workpapers, and issue tracking.
• Standardize audit programs and templates aligned to recognized frameworks.
• Advance innovation through automation, scripting, and analytics to enable continuous auditing and deeper risk insights.
• Bachelor's degree in Information Systems, Computer Science, Cybersecurity, Engineering, Accounting, Business, or related field.
• Master's degree (e.g., Information Assurance, Cybersecurity, Analytics, MBA) is preferred.
• 7 years progressive experience in IT audit, cybersecurity, or technology risk.
• 2 years managerial or supervisory experience required.
• Demonstrated leadership of complex audits across cloud, cybersecurity, applications/SDLC, infrastructure/operations, and data/privacy domains.
• Experience engaging executive leadership; proven ability to translate technical risk into business impact.
• Healthcare experience and familiarity with HIPAA/HITECH/HITRUST and clinical/operational technologies (preferred), or strong ability to quickly learn healthcare environments.
• Deep knowledge of security and control frameworks (e.g., NIST CSF, ISO 27001/27002, COBIT,HITRUST,ITIL); familiarity with SOC 1/2 criteria.
• Proficiency in cloud security, identity & access, network/infrastructure, DevSecOps/SDLC, data protection, logging/monitoring, and incident response.
• Strong data analytics skills (SQL, scripting, BI/visualization) and experience with continuous auditing/monitoring.
• Excellent communication: executive briefings, report writing, and storytelling with risk-based clarity.
• High integrity, professional skepticism, and sound judgment; able to challenge and influence constructively.
  
  

Required (at least one): CISA, CISSP, CISM, CRISC, CIA, CPA, CCSK/CCSP, CEH, AWS/Azure/GCP security certifications.

• Act 34
  
  

UPMC is an Equal Opportunity Employer/Disability/Veteran