Lead and mature our governance, risk, and compliance program, aligned to NIST CSF 2.0 and our enterprise risk framework.
Own overall strategy and execution for data security (encryption, backups, DSPM, data lifecycle controls) in close partnership with Product, Engineering, and Infrastructure.
Serve as the primary infosec leader for PCI-DSS Level 1, HITRUST, SOC 2, and SOX ITGC coordination, ensuring evidence (including penetration testing), narratives, and controls are consistent and efficient.
Partner with product and engineering teams to embed security into software development lifecycles, roadmap planning, and quarterly business reviews.
Govern & guide Third Party Risk Management (TPRM) objectives.
Act as a matrixed leader, influencing teams you don’t directly manage while providing clear, actionable guidance to executives, developers, and staff.
Function as backup to the CISO for key decisions, stakeholders, and external meetings with customers, auditors, and regulators.
Certifications: CISSP, CISM, CISA, CRISC, PCI ISA/QSA, or similar preferred.
Experience in healthcare, health IT, payments, or other highly regulated data environments where PCI, HITRUST, SOX, and SOC 2 interact.
Prior role as Head of GRC, or Security & Compliance lead for a Level 1 service provider or HITRUST-certified organization.
12+ years in information security, with 7+ years in leadership roles across at least two of: GRC, data security, security architecture/engineering, or security assurance.
Significant experience in a product-driven, software development company (e.g., SaaS, cloud platform, or software publisher), working closely with Product Management and Engineering organizations.
Deep, hands-on experience leading multiple full cycles of all of the following in a cloud/SaaS or otherwise regulated environment:
  PCI DSS Level 1 service provider RoC with a QSA (scoping, control design, evidence strategy, remediation management).
  HITRUST CSF readiness and certification/validated assessment.
  SOX ITGC engagement in a consultative/coordination capacity with Finance/Internal Audit (not necessarily full program ownership).
  SOC 2 Type II audits against the Trust Services Criteria.
Strong technical fluency in:
  Data security architectures (encryption at rest/in transit, tokenization, KMS/HSM, DLP, logging/monitoring).
  Cloud and SaaS security concepts relevant to PCI/HITRUST/SOC 2 environments.
Exceptional written and verbal communication skills, including direct experience presenting to senior executives and boards on security posture, risk, and audit outcomes.
Proven effectiveness in a highly matrixed organization, influencing cross-functional stakeholders and resolving conflicting priorities.
Tech Stack
Cloud
Benefits
100% Remote work + home office expense reimbursements
Competitive compensation
Flexible PTO + 8 company holidays
Monthly reimbursement for cell phone + internet + wellness
100% Paid 12-week parental leave to our U.S. employees, as well as a generous parental benefit to our employees in Canada
Variety of insurance coverage for people (and pets!)
Continuing education and professional certification reimbursement