Director, Security & Compliance

Qualified Health | Palo Alto, CA
5d | $190,000 - $235,000 | Hybrid

About The Position

The Director of Security & Compliance will own the security and compliance program for a growing health tech company that handles protected health information across 15+ health system partners. This is the most consequential security leadership role you'll find at a company this size. Let's be direct about what you're walking into: we're building a security program that matches the scale and ambition of our business. The operational security work — vendor intakes, IAM, MDM, compliance certification — needs a dedicated leader who can drive it with the urgency and rigor it deserves. The board and our health system partners expect a security posture that matches the trust they place in us. You'll drive HITRUST certification, build the ongoing compliance program, manage a small but growing security team, and represent the company's security posture to the board, investors, partners, and regulators. This is a build role — you're creating program infrastructure from the ground up, not inheriting a mature program. If you've spent your career wanting to own a security program at a mission-driven company where security actually matters (not just compliance theater), this is it.

Requirements

  • Bachelor's degree in Computer Science, Engineering, Data Science, Mathematics, or related technical field
  • 8+ years in information security, with 3+ years in a leadership role
  • Healthcare security experience required: HIPAA, HITRUST (i1 or r2), understanding of PHI handling requirements
  • Hands-on GRC experience — you've built compliance programs, not just advised on them
  • Enough technical depth to guide a security engineer on vulnerability management, infrastructure security, and secure architecture

Nice To Haves

  • Experience with IAM platforms (Okta, Azure AD/Entra), MDM solutions, and endpoint security
  • Board and executive communication experience — you can present security posture to non-technical investors
  • Prior experience in a growth-stage startup or fast-scaling company where the security program was being built, not maintained
  • CISSP, CISM, or HCISPP certification
  • Experience managing vendor security assessments at scale (dozens of vendors across a growing company)
  • Builder Mentality: You're excited by the prospect of creating a security program from the ground up — writing the first version of policies, standing up the first compliance automation, building the first incident response plan
  • Pragmatic Risk Management: You know how to prioritize security investments based on actual risk, not just compliance checklists — and you can articulate that prioritization to a board
  • Executive Communication: You translate security posture into business language that resonates with investors, board members, and health system partners
  • Team Development: You'll build and develop a small security team — your ability to hire, develop, and retain these team members is critical
  • Healthcare Sensibility: You understand that in healthcare, security isn't about protecting the company — it's about protecting patients whose data we handle. That responsibility is personal to you.

Responsibilities

  • Own the end-to-end security and compliance program: strategy, roadmap, execution
  • Drive HITRUST certification and establish the ongoing recertification program
  • Build and manage a security team
  • Own the company's security posture in all external contexts: board reporting, investor due diligence, partner audits, client security questionnaires
  • Manage IAM strategy and governance across company systems
  • Own the vendor security intake and assessment program
  • Publish and maintain security policies, procedures, and incident response plans
  • Drive the security scan and remediation coordination process with core engineering
  • Manage the relationship with our outsourced IT support vendor
  • Own MDM/device management strategy and compliance

Benefits

  • competitive salaries with equity packages
  • robust medical/dental/vision insurance
  • flexible working hours
  • hybrid work options
  • inclusive environment that fosters creativity and innovation