Program Manager, Security

DaVita Kidney Care
Denver, CO Full Time
POSTED ON 4/6/2026
AVAILABLE BEFORE 5/4/2026
Posting Date: 04/03/2026

2000 16th Street, Denver, Colorado, 80202, United States of America

Overview

The Program Manager, IT Risk & Audit, is an individual contributor responsible for driving enterprise‑level governance, regulatory compliance, and risk management programs across DaVita’s IT and Security landscape. This role ensures consistent execution of IT risk processes, supports internal and external audits, leads partner‑facing due diligence activities, advances governance programs, and manages the operational cadence of key security initiatives.

This role is program‑oriented — focused on the lifecycle of risk, from contracting to decommissioning, ensuring governance, compliance, and risk processes flow predictably across the enterprise.

Key Responsibilities

Governance & Program Management

  • Own and manage core governance programs including policy lifecycle management, standards updates, cross‑functional alignment, and coordination with Security, Privacy, Compliance, Legal, and IT.
  • Facilitate governance working groups and steering committees, ensuring agendas, documentation, decisions, and follow‑up actions are executed consistently.
  • Track and report on program‑level OKRs, compliance posture, and audit activity for leadership and committee reporting cycles.

Lifecycle Risk Management

  • Oversee end‑to‑end IT risk lifecycle management, ensuring risks are appropriately evaluated and managed from:
    • Contracting and procurement (BAA reviews, contract language alignment, partner due diligence)
    • Solution onboarding and implementation
    • Operational monitoring and oversight
    • System changes, exceptions, and remediation activities
    • System retirement/decommissioning
  • Maintain governance controls across each lifecycle stage to ensure consistency, documentation quality, and regulatory alignment.

Exception Management

  • Coordinate the intake, evaluation, documentation, approval routing, and tracking of security and compliance exceptions.
  • Maintain an enterprise‑wide exception repository, ensuring exceptions have defined compensating controls, expiration dates, and remediation plans.
  • Partner with control owners, IT teams, and leadership to ensure exception backlogs are prioritized and resolved within expected timelines.

Regulatory, Audit & Compliance Support

  • Coordinate SOX, HIPAA, internal audit, external audit, and regulatory assessment activities across Security, IT Overwatch, ERS, Privacy, Legal, and Finance.
  • Manage audit readiness activities, evidence collection, documentation updates, and remediation follow‑through (MAPs/CAPs).
  • Track audit findings, ensuring gaps are formally logged, assigned, monitored, and closed according to internal SLAs and regulatory expectations.

Enterprise Risk Assessment Support

  • Support the enterprise risk assessment process, including review of IT and cybersecurity risk assessments, validation of risk scoring, and confirmation of mitigation strategies.
  • Track risk‑based findings and gaps across the enterprise, ensuring they remain visible and actionable and that progress toward closure is monitored.
  • Provide program‑level reporting on enterprise risk themes, recurring control gaps, and opportunities for systemic improvements.

Third‑Party & Partner Assessments

  • Lead completion of partner questionnaires, payor and regulatory due diligence forms, RFP/RFI security sections, and vendor assessments.
  • Review BAAs and data‑flow related documentation to ensure alignment with DaVita’s privacy and security requirements.
  • Maintain reusable artifacts (response libraries, program overviews, diagrams, certifications) to streamline intake and partner interactions.

Training, Awareness & Communications

  • Partner with Training & Awareness to design, deliver, and update annual and targeted security/compliance training modules.
  • Develop internal communications for governance updates, policy changes, audit cycles, and enterprise compliance initiatives.
  • Contribute to phishing simulations, education campaigns, and security culture efforts across the Village.

Cross‑Functional Program Execution

  • Support enterprise initiatives such as:
    • AI governance and intake workflows
    • Security maturity assessments and roadmap development
    • Risk register program operations
    • Metrics dashboards and executive‑ready reporting
  • Help operationalize repeatable workflows, templates, intake processes, documentation standards, and program controls.

Stakeholder Engagement & Communication

  • Act as a primary liaison among IT, Security, Privacy, Internal Audit, Legal, Compliance, Procurement, and business partners.
  • Translate complex regulatory, security, and risk concepts into clear, actionable guidance for diverse audiences.
  • Prepare concise, executive‑ready materials that support leadership decision‑making.

Qualifications

Required

  • 5 years of IT risk, audit, compliance, or security governance experience.
  • Strong knowledge of SOX, HIPAA, NIST, ISO, and typical IT control frameworks.
  • Excellent writing skills for audit responses, security questionnaires, governance documentation, and leadership reporting.
  • Proven program management, cross‑functional coordination, and organizational skills.
  • Ability to manage multiple complex workstreams with high accountability.

Preferred

  • Healthcare, regulated‑industry, or enterprise‑scale experience.
  • BAAs, RFP/RFI processes, partner assessments, or vendor governance experience.
  • Certifications (CISA, CRISC, CISM, CISSP, PMP).

Success Factors

  • Highly dependable operator with strong ownership.
  • Builds trust and rapport across IT, Security, Audit, Legal, and business stakeholders.
  • Communicates directly, clearly, and professionally — especially with senior leaders.
  • Embodies DaVita’s values and Leading the DaVita Way behaviors.

What We’ll Provide

More than just pay, our DaVita Rewards package connects teammates to what matters most. Teammates are eligible to begin receiving benefits on the first day of the month following or coinciding with one month of continuous employment. Below are some of our benefit offerings.

  • Comprehensive benefits: Medical, dental, vision, 401(k) match, paid time off, PTO cash out
  • Support for you and your family: Family resources, EAP counseling sessions, access to Headspace®, backup child and elder care, maternity/paternity leave and more
  • Professional development programs: DaVita offers a variety of programs to help strong performers grow within their career and also offers on-demand virtual leadership and development courses through DaVita’s online training platform StarLearning.

At DaVita, we strive to be a community first and a company second. We want all teammates to experience DaVita as "a place where I belong." Our goal is to embed belonging into everything we do in our Village, so that it becomes part of who we are. We are proud to be an equal opportunity workplace and comply with state and federal affirmative action requirements. Individuals are recruited, hired, assigned and promoted without regard to race, national origin, religion, age, color, sex, sexual orientation, gender identity, disability, protected veteran status, or any other protected characteristic.

This position will be open for a minimum of three days.

The Salary Range for the role is $91,000.00 - $133,700.00/year.

For location-specific minimum wage details, see the following link: DaVita.jobs/WageRates

Compensation for the role will depend on a number of factors, including a candidate’s qualifications, skills, competencies and experience. DaVita offers a competitive total rewards package, which includes a 401k match, healthcare coverage and a broad range of other benefits. Learn more at https://careers.davita.com/benefits

Colorado Residents: Please do not respond to any questions in this initial application that may seek age-identifying information such as age, date of birth, or dates of school attendance or graduation. You may also redact this information from any materials you submit during the application process. You will not be penalized for redacting or removing this information.


