Lead and mature our governance, risk, and compliance program, aligned to NIST CSF 2.0 and our enterprise risk framework.
Own overall strategy and execution for data security (encryption, backups, DSPM, data lifecycle controls) in close partnership with Product, Engineering, and Infrastructure.
Serve as the primary infosec leader for PCI-DSS Level 1, HITRUST, SOC 2, and SOX ITGC coordination, ensuring evidence (including penetration testing), narratives, and controls are consistent and efficient.
Partner with product and engineering teams to embed security into software development lifecycles, roadmap planning, and quarterly business reviews.
Govern & guide Third Party Risk Management (TPRM) objectives.
Act as a matrixed leader, influencing teams you don’t directly manage while providing clear, actionable guidance to executives, developers, and staff.
Function as backup to the CISO for key decisions, stakeholders, and external meetings with customers, auditors, and regulators.
Certifications: CISSP, CISM, CISA, CRISC, PCI ISA/QSA, or similar preferred.
Experience in healthcare, health IT, payments, or other highly regulated data environments where PCI, HITRUST, SOX, and SOC 2 interact.
Prior role as Head of GRC, or Security & Compliance lead for a Level 1 service provider or HITRUST-certified organization.
12+ years in information security, with 7+ years in leadership roles across at least two of: GRC, data security, security architecture/engineering, or security assurance.
Significant experience in a product-driven, software development company (e.g., SaaS, cloud platform, or software publisher), working closely with Product Management and Engineering organizations.
Deep, hands-on experience leading multiple full cycles of all of the following in a cloud/SaaS or otherwise regulated environment:
PCI DSS Level 1 service provider RoC with a QSA (scoping, control design, evidence strategy, remediation management).
HITRUST CSF readiness and certification/validated assessment.
SOX ITGC engagement in a consultative/coordination capacity with Finance/Internal Audit (not necessarily full program ownership).
SOC 2 Type II audits against the Trust Services Criteria.
Strong technical fluency in:
Data security architectures (encryption at rest/in transit, tokenization, KMS/HSM, DLP, logging/monitoring).
Cloud and SaaS security concepts relevant to PCI/HITRUST/SOC 2 environments.
Demonstrated ability to design and evaluate controls, not just document them, and to work directly with engineers on implementation details.
Exceptional written and verbal communication skills, including direct experience presenting to senior executives and boards on security posture, risk, and audit outcomes.
Proven effectiveness in a highly matrixed organization, influencing cross-functional stakeholders and resolving conflicting priorities.
Tech Stack
Cloud
Benefits
Remote First: 100% remote work + home office expense reimbursements + monthly reimbursement for cell phone, internet and wellness.
Top of market rewards: Competitive compensation
Take time when you need time: Flexible PTO + company holidays
Top class healthcare benefits: Variety of healthcare benefits for you and your family (and your pets!) starting day one
Care about your families: Generous top-up for parental leave benefits
Support personal development: Continuing education and professional certification reimbursement
Connecting in person: Various offsite events and activities for teams to connect and meet in person, to support team building and engagement.
Give back to community: Local in-person volunteer events and give-back programs in our communities.
Recognition and perks: We have a company-wide recognition tool (Phireworks) to celebrate milestones, recognize achievements and strengthen your bond with your teams. You can accumulate points and redeem them for a wide catalogue of items!
Diversity and inclusive environment: At Phreesia, all employees are encouraged to bring their authentic selves to work, feel supported and perform at their best. We have a variety of Employee Resource Groups (ERGs) which bring together individuals from a wide range of backgrounds, experiences and perspectives, and seek to foster a sense of shared community and empowerment for employees who share a common social identity, such as gender, race, ethnicity, and sexual orientation. Opportunity to join an Employee Resource Group.