
HarbourVest Partners

Director, Technology Risk & Controls

Reposted 2 Days Ago
In-Office
Boston, MA
172K-258K Annually
Senior level
Lead the firm's IT control environment and SOC 1 technology scope. Modernize IT controls for cloud, SaaS, and DevOps, implement automated evidence collection and continuous monitoring, drive cybersecurity governance and risk assessments, and provide executive and board-level reporting while coordinating with auditors and cross-functional stakeholders.
The summary above was generated by AI

Job Description Summary

For over forty years, HarbourVest has been home to a committed team of professionals with an entrepreneurial spirit and a desire to deliver impactful solutions to our clients and investing partners. As our global firm grows, we continue to add individuals who seek a collaborative, open-door culture that values diversity and innovative thinking.

In our collegial environment that’s marked by low turnover and high energy, you’ll be inspired to grow and thrive. Here, you will be encouraged to build on your strengths and acquire new skills and experiences.

We are committed to fostering an environment of inclusion that promotes mutual respect among all employees. Understanding and valuing these differences optimizes the potential of both the individual and the firm.

HarbourVest is an equal opportunity employer.

This position will be a hybrid work arrangement. You will receive 18 remote workdays per quarter to use at your discretion, subject to manager approval. For example, you may choose to work in the office 4 days per week and take one remote day weekly (typically 13 weeks per quarter), leaving 5 additional remote days to be used as needed.

We are seeking a Director, Technology Risk & Controls to own the firm’s IT control environment and handle the technology scope of our SOC 1 certification. This role is responsible for modernizing IT controls to align with cloud-first infrastructure, SaaS platforms, DevOps practices, and evidence collection supported by automated processes.

In addition to SOC 1 ownership, this leader will play a key role in strengthening cybersecurity governance, policy management, risk assessments, and board-level reporting. The Director will work closely with IT, Information Security, Accounting, Legal, Compliance, Vendor Management, Enterprise Risk, and external auditors to ensure the technology and cybersecurity control framework remains effective, scalable, modern and aligned with evolving global regulatory and threat landscapes.

The ideal candidate is someone who is:

SOC 1 & IT Controls Ownership

  • Oversee the IT portion of the SOC 1 program, including ITGCs, automated controls, key reports, and system boundaries.

  • Serve as the primary liaison with external auditors for all technology-related SOC 1 matters.

  • Lead annual prioritisation, risk assessments, walkthroughs, testing coordination, and remediation tracking.

  • Redesign IT controls to reflect modern tooling, cloud infrastructure, SaaS platforms, and automation.

  • Implement scalable, automated approaches to auditor evidence collection and continuous control monitoring.
     

Technology Risk & Control Modernization
  • Improve and maintain IT guidelines, criteria, and protocols to ensure compliance with industry regulations and standards.

  • Embed automation and system-generated evidence into control processes to reduce manual audit burden.

  • Develop dashboards and reporting to provide insight into control performance and deficiencies.

  • Drive continuous improvement of the organization’s IT risk and control framework.

  • Expertise in the various common cyber security frameworks (ISO27001, NIST CSF & 800-53 etc.)
     

What you will do:

Cybersecurity Governance & Risk Management

  • Lead regular cybersecurity risk assessments and control reviews to identify emerging threats and vulnerabilities.

  • Partner with Security Operations to evaluate findings and help develop practical mitigation strategies.

  • Lead all aspects of the cybersecurity program and report on its efficiency using defined targets and metrics.

  • Stay ahead of evolving cybersecurity threats, regulatory expectations, and industry standards, and support implementation of vital updates.
     

Board & Executive Reporting
  • Assist the CISO in preparing quarterly cybersecurity and technology risk updates for the Board of Directors.

  • Develop clear, executive-ready reporting that translates technical risk into business impact.

  • Provide structured updates on SOC 1 status, audit findings, remediation progress, and risk trends.
     

What you bring:
  • Proven expertise leading SOC 1 (Type I and Type II) certification efforts within a financial services organization.

  • Good experience crafting and operationalizing cybersecurity and IT control policies, standards, and procedures aligned to industry guidelines and regulatory requirements.

  • Demonstrable ability to modernize control environments through automation and cloud-native tooling.

  • Deep understanding of ITGCs, identity and access management, running system alterations, cloud security, vendor risk, and security operations.

  • Executive-level communication skills with the ability to convey sophisticated cybersecurity concepts to technical and non-technical collaborators.

  • Proactive attitude toward keeping up with the latest cybersecurity trends and evolving regulatory expectations.

  • Strong relationship-building skills across Technology, Legal, Compliance, Enterprise Risk, Vendor Management, and business teams.

  • Hands-on leadership approach balancing strategy and execution.
     

Education Preferred
  • BS in Computer Science, Information Security, or equivalent work experience

  • One or more of the following certifications is required: CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager)
     

Experience
  • 5-10 years of relevant work experience

  • Minimum 5 years of experience managing staff in this field

Salary Range

$172,000.00 - $258,000.00

This USD base salary range represents only one component of total compensation for this role and is provided in accordance with local requirements. This role is eligible for a discretionary annual bonus, which is determined based on individual and overall firm performance. In addition to salary and bonus, total compensation may include eligibility for long-term reward programs and a comprehensive total rewards package that may include retirement, health, insurance, paid time off, and wellness programs. Our total rewards offerings are influenced by several business factors, and eligibility for certain components will vary by position and geography. Please note the posted ranges do not apply outside the U.S. and should not be converted to other currencies as a proxy for compensation in other countries.

Top Skills

Audit Evidence Automation
Automation
Cloud Infrastructure
Cloud Security
Continuous Control Monitoring
Dashboards/Reporting
DevOps
Identity And Access Management
ISO27001
ITGCs
NIST 800-53
NIST CSF
SaaS Platforms
Security Operations
SOC 1
HQ

HarbourVest Partners Boston, Massachusetts, USA Office

One Financial Center, Boston, MA 02111, United States
