Associate Director of Cybersecurity, Physical Security, and AI Governance

Overview

With over 50 years of proven success, ECG, ranked as a Best Midsized Firm to Work For 2025 by Consulting Magazine , is the most experienced healthcare consulting firm in the US. Working exclusively in this space, our people consistently demonstrate their ability to solve challenges for providers and achieve better patient outcomes. Across our eight office locations, we’re seeking individuals who will show the courage to find innovative solutions and make a direct impact on the delivery of healthcare services nationwide.

About ECG

ECG is a national consulting firm that is redefining healthcare together with its clients. We provide a broad range of strategic, financial, operational, and technology-enabled consulting services to the full continuum of care, including hospitals, health systems, medical groups, academic medical centers, children’s hospitals, cancer centers, ambulatory surgery centers, investors, and payers/health plans.

Our work focuses on creating practical, tailored solutions that help clients maximize resources and achieve sustainable results. We value collaboration, integrity, and innovation, and are committed to fostering an inclusive and supportive work environment.

Job Details

Your Opportunity with ECG: Associate Director of Cybersecurity, Physical Security, and Artificial Intelligence (AI) Governance

Reporting to the IT director, the associate director is responsible for defining and advancing the organization’s long‑term approach to cybersecurity, physical security, data governance, and responsible AI use.

This role is heavily strategic and governance focused. The associate director establishes vision, policy, and guardrails; evaluates risk; and provides executive‑level insight—while partnering with IT, data and analytics, facilities, legal, compliance, and business leaders to support execution.

Your Responsibilities May Include

Enterprise Security, Data, and AI Governance Strategy

• Define and maintain a multiyear enterprise strategy spanning:
• Cybersecurity.
• Physical security.
• Data analytics governance (internal data focus, external client data protection).
• AI and automation risk.
• Ensure security, data, and AI considerations are embedded into IT architecture, cloud platforms, analytics initiatives, and application delivery.
• Advise IT leadership on risk, opportunity, and investment priorities related to emerging technologies.
• Translate technical, physical, and AI‑related risks into clear business impact for executive decision‑making.

AI and Data Governance

• Establish and maintain the organization’s AI governance framework, including:
• Acceptable and responsible AI use.
• Data privacy, security, and ethical guardrails.
• Oversight and accountability for AI‑enabled tools.
• Partner with data and analytics teams to define standards for data classification, protection, and analytics platform security.
• Serve as the escalation point for AI‑related risk, misuse, or policy exceptions.
• Balance security needs with business needs in a manner that ensures safe practices while not prohibiting key components of business objectives.

Governance, Policy, and Risk Management

• Own enterprise governance for cybersecurity, physical security, data protection, and AI use within the ECG organization.
• Develop and maintain policies, standards, and control objectives.
• Lead or oversee enterprise risk assessments across cyber, physical, data, and AI domains.
• Align governance practices with recognized frameworks, such as NIST, ISO, and applicable privacy or AI standards.

Cross‑Functional Leadership and Collaboration

• Provide strategic oversight into cybersecurity, physical security, and data governance functions (direct or matrixed).
• Partner closely with IT infrastructure, applications, architecture, data and analytics, HR, legal, and compliance teams.
• Act as the security, data, and AI-governance authority within IT leadership forums.
• Promote a culture of responsible innovation that enables progress while maintaining trust and control.

Investment, Metrics, and Executive Reporting

• Advise IT leadership on security, analytics, and AI investment priorities.
• Define and track KPIs and KRIs related to security posture, data governance maturity, and AI risk.
• Deliver executive‑ready reports on trends, risks, and program effectiveness.

Incident Preparedness and Oversight

• Define enterprise‑level strategies for cyber incidents, physical security events, data breaches, and AI misuse scenarios.
• Ensure leadership readiness for high‑impact incidents.
• Lead post‑incident strategic reviews focused on systemic improvement and governance maturity.

Collaboration with Legal and Compliance

• Partner with SHS and ECG compliance to ensure AI and data governance aligns with regulatory, contractual, privacy, and ethical obligations.
• Codevelop policies addressing acceptable AI use, intellectual property, confidentiality, and third‑party risk.
• Support coordinated responses to AI‑related incidents, audits, or regulatory inquiries.

Qualifications

Required Qualifications

• Bachelor’s degree in information security, computer science, data management, or a related field (or equivalent experience)
• Typically, 7+ years of experience in cybersecurity, risk management, enterprise IT, data governance, or related leadership roles
• Demonstrated experience leading enterprise‑level security strategy and governance
• Strong understanding of:
• Cybersecurity and physical security principles
• Data analytics platforms and data protection
• AI and generative AI risk, governance, and ethical considerations
• Proven ability to communicate complex risk topics to executive audiences

Preferred Qualifications

• Advanced degree (MBA, MS, or equivalent)
• Relevant certifications such as CISSP, CISM, CRISC, CPP, CDMP, or AI-governance credentials
• Experience supporting cloud‑based, analytics‑driven, and AI‑enabled enterprise environments
• Experience presenting to executive leadership or governance committees
• Experience with Microsoft environments (Azure, Fabric)
• Experience with security products, including but not limited to:
• Defender
• Sentinel
• Purview
• Entra
• Azure Web Application Firewall
• Brivo badging system

Job Locations

• Remote
• Travel as needed (approximately 10%)

Schedule

Full time/exempt

What You Can Expect of Us

To reward our driven, innovative, and passionate employees, we’ve built a company culture that’s centered on performance. We offer an attractive compensation package, challenging work, and an entrepreneurial environment where you can take ownership of your career—and get out as much as you put in.

The estimated base salary range for this job is $150000.00 - $175000.00 annually. It represents a good faith estimate of the range that ECG reasonably expects to pay at the time of the job posting. The actual salary paid will vary based on multiple factors, including but not limited to years of experience, special skills, and market changes. This job is eligible to participate in ECG’s annual incentive compensation program, which reflects ECG’s pay-for-performance philosophy. The job is also eligible to participate in ECG’s benefit plans, which include medical, dental, and vision coverage, a 401(k) matching program, unlimited PTO, and other wellness programs.

Apply now and make an impact for years to come.

To begin the recruitment process, please submit your resume via our career site at .

ECG provides equal employment opportunities to all employees and applicants for employment without regard to sex, race, color, religion, national origin, citizenship, ancestry, age, disability, pregnancy, medical condition (cancer and genetic characteristics), genetic information, gender, gender identity or expression, sexual orientation, marital status, military or veteran status, or any other legally protected characteristic. We participate in E-Verify as part of our onboarding process. Having the permanent legal right to work in the United States is a condition of employment. ECG is not currently able to provide assistance to candidates requiring sponsorship or a visa.

#LI-KJ1 #LI-Remote