Director, Information Security

Outset Medical
$218,000 - $295,000

About The Position

Outset is seeking a hands-on information security leader to drive our cybersecurity and technology risk management program. This individual will be responsible for developing and enforcing security policies, managing governance, risk, and compliance (GRC) activities, executing security operations, and leading strategic projects to advance our security posture. In this role, you will collaborate cross-functionally with software engineering, IT Infrastructure, quality, regulatory, legal and other key stakeholders to continuously evolve and strengthen our cybersecurity program. This role requires a passion for protecting company assets and a strategic mindset to design and implement scalable security solutions. The ideal candidate will bring deep expertise in both on-premises and cloud security, including insights into cloud native security solutions for Microsoft 365 and AWS platforms. We’re looking for a leader with exceptional problem-solving skills, high attention to detail, strong organizational acumen, and a proven track record of building enterprise-grade security programs. This is a high-impact opportunity to shape the security foundation of Outset’s mission-driven organization – one that is reimagining dialysis and working to catalyze change for patients who deserve better.

Requirements

  • 10+ years of industry experience in an information security function; leadership experience preferred.
  • B.S. or M.S. in Computer Science, Information Security, or a related field.
  • Professional security certifications such as CISSP, CISM, CISA, CCSP, or CEH (or equivalent). Additional certifications like Microsoft Certified: Cybersecurity Architect or AWS Certified Security – Specialty are a plus.
  • Proven experience leading organizations through security certifications and audits, including SOC 2, HIPAA, FIPS, and HITRUST.
  • Demonstrated expertise with cloud security tools and telemetry platforms including experience with AWS (CloudTrail, IAM, Incognito, GuardDuty) and Microsoft 365 (Defender, Entra ID, Purview, Sentinel).
  • Strong knowledge of risk assessment tools, technologies, and methodologies.
  • Exceptional written and verbal communication skills, with the ability to influence technical and non-technical stakeholders.
  • Experience in highly regulated industries.

Nice To Haves

  • Experience in FDA regulated industries, specifically Medical Device, is strongly preferred.
  • Experience in customer-facing technical roles, with the ability to translate complex security concepts into business-aligned recommendations.
  • Experience planning, researching, and developing security policies, standards, and procedures.
  • Hands-on experience implementing enterprise security capabilities such as identity and access management (IAM), data loss prevention (DLP), endpoint detection and response (EDR), extended detection and response (XDR), security information and event management (SIEM), and security orchestration, automation and response (SOAR).
  • Familiarity with mobile code, malware analysis, and endpoint protection technologies.
  • Proficiency in deploying logging and monitoring tools at scale, with an emphasis on automation and event-driven response.
  • Expertise in designing secure networks, systems, and application architectures.
  • Experience with disaster recovery planning, digital forensics, and incident response tools and techniques.

Responsibilities

  • Serve as the Security Lead and Subject Matter Expert (SME) for all environments, including cloud infrastructure and on-premises systems.
  • Continuously assess and evolve the organization’s security posture—driving program maturity through strategic assessments, road mapping, stakeholder alignment, and project execution.
  • Monitor the external threat landscape to identify emerging attack vectors, vulnerabilities, and adversary tactics—translating threat intelligence into actionable insights that inform security strategy, initiatives and controls.
  • Ensure security practices and controls align with regulatory requirements, including FDA and HIPAA, and fulfill the requirements and obligations of the HIPAA security officer.
  • Support commercial functions by responding to customer cybersecurity due diligence questionnaires and security assessments—articulating Outset’s security posture, controls, and compliance practices directly to Customers.
  • Lead the vendor security risk assessment process—evaluating third-party partners for compliance with Outset’s security standards, identifying potential risks, and ensuring appropriate controls are in place.
  • Conduct technical evaluations of system architecture with a focus on security design and compliance, leveraging frameworks such as NIST CSF and NIST SP 800-53.
  • Provide strategic leadership in identifying, assessing, and mitigating information security risks; ensure alignment with internal policies and external standards.
  • Monitor emerging threats and lead the organization’s response to security incidents, serving as the primary control point and convening the Incident Response Team to investigate, contain, and resolve events.
  • Develop, maintain, and enforce enterprise cybersecurity policies, standards, and procedures, ensuring alignment with regulatory requirements, industry frameworks, and organizational risk tolerance.
  • Influence technology and architecture decisions as a key member of the IT leadership team.