Director, Security Governance, Risk & Compliance

Job Details

Job Ref: R26_0000001601
Location: 2002 Papa John's Blvd, Louisville, KY 40299
Category: Technology
Employment Type: Full time

Position Summary

Papa Johns is seeking a highly experienced and strategic Director of Security, Risk & Compliance to manage our global cyber security risk efforts. Reporting directly to the CISO, this role owns the frameworks, processes, and controls that ensure the organization meets its obligations to payment card brands, regulators, customers, and franchise partners — while enabling the business to operate efficiently and grow confidently.

The Director serves as the primary liaison to external auditors, Qualified Security Assessors (QSAs), legal counsel, privacy, and regulators. Internally, this role is the connective tissue between the security program and the rest of the business — translating technical risks into business language, driving accountability for control ownership across IT, Development and Operations, and ensuring the CISO has the compliance posture and metrics data needed for Board reporting.

In a franchised QSR environment, this role carries a unique complexity: compliance obligations extend beyond corporate walls into franchise-operated locations, third-party technology platforms, and international markets. The Director must be skilled at influencing without direct authority — building compliance programs that franchise partners will adopt, not just acknowledge.

Key Responsibilities

PCI DSS Compliance Program

  • Own end-to-end PCI DSS v4.0 compliance program — including scoping, gap assessment, remediation roadmap, evidence collection, and coordination with the external Qualified Security Assessor (QSA).
  • Maintain and continuously update the cardholder data environment (CDE) scope documentation; ensure network segmentation controls supporting CDE isolation are validated annually.
  • Manage all PCI DSS reporting obligations: Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) as applicable, Attestation of Compliance (AOC), and payment brand submissions.
  • Lead the organization's transition to PCI DSS v4.0 customized approach where applicable — including targeted risk analysis documentation for any controls using the customized approach.
  • Coordinate PCI DSS obligations across franchise locations — developing franchise-appropriate compliance guidance, assessment tools, and training materials that account for franchisee-owned technology environments.
  • Stay current on PCI SSC guidance, bulletins, and FAQ updates; brief the CISO on implications for the program and recommend adjustments proactively.

Enterprise Risk Management

  • Own and maintain the enterprise information security risk register — ensuring risks are identified, assessed, documented, assigned to owners, and tracked through treatment.
  • Conduct formal risk assessments for significant technology changes, new vendor engagements, major projects, and annual program reviews.
  • Develop and maintain a risk quantification approach that translates technical risks into financial exposure terms suitable for CISO and Board-level reporting.
  • Present the risk posture quarterly to the CISO, including top risks, treatment status, residual risk acceptance decisions, and emerging risk areas.
  • Facilitate risk acceptance decisions with appropriate business owners; ensure residual risk acceptances are documented, reviewed, and time-bounded.
  • Own the cyber insurance program — managing the renewal process, assessing coverage adequacy against current risk profile, and coordinating incident notification obligations with Legal and the CISO.

Security Policy & Governance Framework

  • Own the enterprise information security policy framework — maintaining a complete, current, and internally consistent set of policies, standards, procedures, and guidelines.
  • Establish and operate a policy governance process: defined review cycles, version control, stakeholder approval workflows, and employee acknowledgment tracking.
  • Develop and enforce security standards for areas including data classification, acceptable use, third-party access, encryption, patch management, and incident notification.
  • Ensure policies are appropriately tiered — corporate-level policies cascading to franchise-appropriate operational guidance that is practical for restaurant environments.
  • Partner with Legal and HR on policy intersections including acceptable use, employee privacy, and disciplinary procedures for policy violations.

Third-Party & Vendor Risk Management

  • Own the third-party risk management (TPRM) program — establishing vendor security assessment requirements, risk tiering methodology, and ongoing monitoring processes.
  • Conduct or oversee security assessments of critical vendors including POS technology providers, digital ordering platforms, loyalty program vendors, cloud service providers, and payment processors.
  • Maintain a vendor risk register with current assessment status, identified risks, contractual security requirements, and remediation tracking.
  • Ensure security and data protection requirements are embedded in vendor contracts — working with Legal and Procurement on standard security addenda and data processing agreements.
  • Manage the annual vendor re-assessment cycle; escalate high-risk findings to the CISO with recommended treatment options.

Security Awareness & Training

  • Own the enterprise security awareness program — ensuring all employees receive appropriate, engaging, and role-relevant security training.
  • Design training content appropriate for diverse audiences: corporate staff, restaurant-level employees (including high-turnover hourly workers), franchise operators, and technology vendors.
  • Manage the phishing simulation program in coordination with the IR/SOC team — tracking click rates, reporting trends to the CISO, and using results to target additional training.
  • Ensure training meets PCI DSS annual requirements for all personnel with access to cardholder data environments.
  • Track training completion rates and report to the CISO; escalate persistent non-compliance through appropriate management channels.

Audit Management & Regulatory Engagement

  • Serve as the primary coordinator for all internal and external security audits and assessments — including PCI DSS QSA audits, SOX IT control assessments, and any regulatory examinations.
  • Manage the audit lifecycle: scheduling, evidence collection, stakeholder preparation, finding responses, and remediation tracking.
  • Build and maintain the evidence management system — ensuring audit artifacts are organized, version-controlled, and accessible for recurring assessments.
  • Develop and maintain relationships with the external QSA, internal audit function, and Legal counsel to ensure aligned, efficient audit processes.

Required Qualifications

Education

  • Bachelor's degree in Information Systems, Business, Law, Cybersecurity, or a related field required.
  • Prior experience in lieu of degree is considered.

Experience

  • 10+ years of progressive GRC, compliance, or risk management experience in information security contexts.
  • At least 3 years in a leadership or senior individual contributor role owning a GRC or compliance program.
  • Deep, hands-on experience with PCI DSS — ideally including management of a Level 1 merchant assessment and direct QSA engagement. PCI DSS v4.0 experience strongly preferred.
  • Experience in retail, hospitality, QSR, food service, or other high-transaction consumer environments preferred — particularly environments with franchise or multi-location complexity.
  • Track record of managing third-party risk programs across complex vendor ecosystems.

Certifications (at least two required)

  • Certified Information Systems Auditor (CISA) — primary qualification for this role
  • Certified Information Security Manager (CISM)
  • Payment Card Industry Professional (PCIP) or PCI QSA qualification — strongly preferred
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Privacy Professional (CIPP/US or CIPP/E) — valued for the privacy program ownership
  • ISO 27001 Lead Auditor or Lead Implementer

Technical & Domain Knowledge

  • Expert-level knowledge of PCI DSS v4.0 requirements, scoping methodology, and assessment processes.
  • Strong technical background in cloud computing and networking.
  • Strong working knowledge of CIS Controls v8 and SOX IT general controls.
  • Familiarity with GRC platforms (ServiceNow GRC, Archer, OneTrust, or equivalent) for risk register and compliance workflow management.
  • Comfortable working with technical teams (IR/SOC, IAM, IT) to translate compliance requirements into implementable technical controls.