Director of Information Security & Privacy Compliance

Médecins Sans Frontières


Doctors Without Borders/Médecins Sans Frontières (MSF) is an international humanitarian organization that delivers impartial medical care to people affected by conflict, epidemics, disasters, or exclusion from health care in over 70 countries.

We welcome candidates who bring a wide variety of backgrounds and experiences to join us in working toward MSF’s common mission.


This role manages the information security and privacy compliance team within the Executive Office of MSF-USA. The Director will manage the Information Security Officer and the Data Protection Officer. This role will report directly to the Deputy Executive Director of MSF-USA.



The Director of Risk and Compliance manages the Information Security and Privacy portfolios at MSF-USA. The Director will supervise the Information Security Officer and Data Protection Officer (which will be a new full-time role at MSF-USA). MSF-USA is looking for someone who can take leadership in the areas of Risk Management, Governance and Compliance. Our preferred candidate should be able to assess MSF-USA’s risk landscape and work with leadership to collaborate on relevant compliance and remediation roadmaps.

The candidate must ensure that MSF-USA is compliant with the legal framework applicable to data protection as intended by local applicable data privacy and information security regulations.

The Director of Information Security and Privacy compliance will lead our newly formed Information Security and Privacy Compliance team and is responsible for managing compliance staff within the Executive Office at MSF-USA.

Work closely with leadership across the organization to design, develop and improve information security and data protection policies across the organization.

Most of the responsibilities of this role are to support the operational activities of MSF-USA in a standard HQ setting. There may be future opportunities to support international coordination work in these information security and privacy areas.

Provide guidance to the lead Information Security Engineer and IT operation teams and ensure the implementation of controls is risk-based and in alignment with chosen. Lead and define information security compliance framework and align with the Information Security & IT operations teams to ensure its implementation.


Qualifications and Responsibilities

The Portfolio for this role covers the groups below, but candidates will be able to shape and structure the portfolio according to emerging organizational priorities and risks. MSF-USA is looking for someone who can work in technical areas as well as provide leadership and strategic thinking in a complex organization. If you are a candidate with strong managerial experience and may have some shortcoming in any specific technical area – we are still interested in hearing from you.

– Risk Management (40%)

Conduct security & data privacy risk assessments for different assessment initiatives to understand the overall risk management framework at MSF-USA

Ensure that data protection impact assessments are performed when appropriate (e.g., major system or product developments etc.).

Support Third-Party Risk Management program to address third-party and supplier risks.

Monitor the maturity of the data privacy and information security program and the constantly changing cybersecurity threat environment, and assess the risk that it poses to the organization.

Update procedures and internal guidance where necessary relating to the processing of personal information.

Assist with the design and implementation of remediation plans, procedures, audits, and enhancements.

Works effectively with business units to facilitate information security and privacy risk assessment and risk management processes, and empowers them to own and accept the level of risk they deem appropriate for their specific risk appetite

Track, remediate and report on information risks and guide risk reduction through the risk register enabling GRC system

– Governance (30%)

Develops an information security vision and strategy that is aligned to organizational priorities and enables and facilitates the organization’s business objectives, and ensures senior stakeholder buy-in and mandate

Develops, implements, and monitors a strategic, comprehensive information security and privacy program to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, controlled or/and processed by the organization

Draft policies and standards guided by CCPA, GDPR, PCI, NIST CSF, ISO/IEC 27001 and ISO 27002

– Compliance (20%)

Ensure the established information security controls, standards, policies, and procedures are adhered to and kept up to date.

Lead PCI-DSS compliance attestations in alignment with the external QSA team

Develop information security KRI & KPI metrics and provide recommendations on the type of actions to be taken to enhance security measures and to ensure continuous improvement of the information security frameworks

Proactively manage and track information security-related risks and corresponding action plans with due dates to ensure that issues are resolved in an efficient and timely manner.

– Incident Response (10%)

Develops and oversees effective disaster recovery policies and standards to align with the enterprise business continuity management (BCM) program goals.

Coordinates the development and implementation of incident response plans and procedures to ensure that business-critical services are recovered in the event of a security event; provides direction, support, and in-house consulting in these areas



  • Bachelor’s degree in a technical discipline or equivalent
  • 6 years of experience in an Information Security, data privacy or risk management role
  • Experience creating or maturing staff development programs, within or outside cybersecurity
  • Ability to effectively manage positive/productive relationships with internal and external stakeholders.
  • Ability to convey complex security and privacy compliance concepts to non-technical audiences (e.g. senior and executive management, internal customers)
  • Understanding of regulations such as PCI, HIPAA, and data privacy laws
  • Strong leadership abilities, with the ability to develop and guide team members and external parties and work with minimal supervision
  • Experience collaborating with legal, audit, and compliance staff
  • Experience developing and maintaining policies, procedures, standards, and guidelines
  • Proficiency in performing risk, business impact, control, and vulnerability assessments, and in defining remediation strategies
  • Understanding of system vulnerabilities, attack surfaces, attack vectors and tactics used in modern cyber attacks


  • Hands-on experience with IT governance, and in-depth knowledge of information security & privacy standards (ISO 27001, COBIT, NIST, ITIL) & legislative/regulatory instruments (SOC 2, SOX, FIPPA, PCI, MITS, GDPR, CCPA, EU-US privacy shield, NYS, NYDFS etc.).
  • Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), CDPSE, CIPM, CRISC, GIAC or related
  • Experience in incident response and investigation

Expected to work in a hybrid work environment with the ability to come into either the NYC office or regional hub (Washington, DC or Bay Area, California) a minimum of 2 times a week.

We offer a generous, comprehensive benefits package, inclusive of wellness initiatives, to support a healthy work-life balance.

No phone calls or emails please. Only shortlisted candidates will be contacted

Application Deadline: March 31, 2023

Your Safety Matters: Vaccination and booster against COVID-19 is a requirement at MSF-USA

Equal Employment Opportunity and Non-Discrimination:

MSF-USA is committed to building a diverse, unbiased, and inclusive workforce. MSF-USA is an equal opportunity employer; we recruit, hire, train, promote, develop, and provide other conditions of employment without regard to a person’s gender identity or expression, sexual orientation, race, religion, age, national origin, disability, marital status, pregnancy status, veteran status, genetic information, or any other differences consistent with applicable laws. This includes providing reasonable accommodation for disabilities, or religious beliefs and practices. Members of communities historically underrepresented in the Humanitarian Aid sector are encouraged to apply.

If you have a disability of some kind and are interested in applying for employment and need special accommodations to use our website to apply for a position, please contact Human Resources by emailing us: [email protected]. Reasonable accommodation requests are considered on a case-by-case basis
