Director, Security & Risk

Q Point Health LLC
US, Remote

About The Position

The Director, Security & Risk owns the enterprise security program end-to-end—strategy, roadmap, execution, and continuous improvement. This leader assesses the current posture, monitors industry and threat trends, and drives the must-do initiatives that protect every layer of the environment (cloud, network, endpoints, identity, apps, data). The role is both strategic and hands-on: you’ll shape policy and governance while leading SOC/IR workflows, vulnerability management, IAM, third-party risk, and security awareness. You’ll partner closely with IT/Cloud, Clinical, Data/Analytics, and Compliance, translating risk into clear business terms for executives and the board.

Requirements

  • 10+ years in information security with 5+ years leading teams or programs (operations, engineering, or GRC).
  • 3+ years owning a security roadmap tied to business objectives, budgets, and measurable outcomes.
  • Hands-on HIPAA/HITECH experience; familiarity with HITRUST or mapping NIST CSF to HIPAA safeguards.
  • Practical expertise in NIST CSF, NIST 800-53, ISO 27001; third-party risk practices (SIG/SIG Lite, SOC 2).
  • AWS security (IAM, KMS, Security Hub, GuardDuty, VPC, WAF/Shield, key rotation, least privilege).
  • Enterprise IAM/MFA/SSO (Microsoft Entra ID/Azure AD or Okta); strong least-privilege and access review discipline.
  • SIEM (Microsoft Sentinel and/or Splunk) content design/tuning, UEBA, runbooks, dashboarding.
  • EDR/XDR (Microsoft Defender for Endpoint/CrowdStrike/etc.), hardening/baselines; email security with Mimecast (policies, impersonation protection, URL/attachment sandboxing).
  • Operational experience with Netskope (policies, DLP, inline controls, app governance, shadow IT) and M365/Azure Purview DLP.
  • Next-gen firewalls (Palo Alto/Fortinet), IDS/IPS, segmentation/zero trust, TLS 1.2+; key management and encryption at rest (AES-256) and in transit.
  • Vulnerability scanning with Tenable/Qualys/Rapid7; risk-based prioritization (EPSS/CVSS plus asset criticality) with defined remediation SLAs across OS, apps, and cloud.
  • IR playbooks, tabletop exercises, forensic coordination, BC/DR testing and improvement cycles.
  • PowerShell and/or Python for enrichment, response, and reporting.
  • Executive-level storytelling; board-ready risk reporting and KPI/OKR management.
  • Proven ability to run multi-workstream programs and drive change across IT, Security, Clinical, and Compliance.
  • Bachelor's in CS/IT/Cyber or equivalent; CISSP or CISM required (maintained and in good standing).

Nice To Haves

  • HITRUST (CCSFP) or ISO 27001 implementation/audit experience.
  • HCISPP, CCSP, CISA, or product certs (Palo Alto, Microsoft Defender/Sentinel, Netskope, Mimecast).
  • Kubernetes security, container scanning, and IaC scanning (Terraform + Checkov) experience.
  • Experience managing $1M+ security portfolios and multi-vendor MSSP ecosystems.
  • Developed KPI/OKR programs (MTTD/MTTR, patch compliance, control coverage, phishing risk) with trend reporting.

Responsibilities

  • Assess security posture against NIST CSF/HIPAA and peer benchmarks; maintain a multi-year strategy and roadmap.
  • Publish and enforce policies/standards; ensure audit readiness and version control.
  • Run periodic risk assessments; maintain risk register with accountable owners and due dates.
  • Coordinate HIPAA/HITECH compliance with Privacy/Compliance; manage findings to closure.
  • Own SIEM content, telemetry coverage, and alert fidelity; manage IDS/IPS and SOC workflows (internal + MSSP).
  • Lead vulnerability management (scan cadence, SLAs, change control alignment) and drive remediation with system owners.
  • Engineer and optimize controls: firewalls, EDR/XDR, DLP, email security, CASB/SSE, secure web gateway.
  • Enforce MFA, privileged access controls, joiner/mover/leaver processes, and periodic access reviews.
  • Oversee DLP policies (M365/Netskope) and data classification/handling standards.
  • Maintain IR playbooks; run tabletops and post-mortems; coordinate forensics and legal/comms as needed.
  • Own BC/DR testing cadence; document results and drive improvements.
  • Deliver security awareness (phishing simulations, targeted training) and coaching for secure-by-default patterns.
  • Own the Third-Party Risk Management (TPRM) program end to end: intake, inherent risk scoring, due diligence, contract security terms, onboarding, continuous monitoring, and offboarding. Vendor security assessments cover the following:
  • Assess vendors handling PHI/PII/PCI with right-sized depth: SIG/SIG Lite questionnaires, SOC 2 Type II and/or ISO 27001 audit reports, HITRUST where applicable.
  • Validate security controls: encryption at rest (AES-256) and in transit (TLS 1.2+), key management (KMS/HSM), vulnerability management cadence, patch SLAs, EDR/AV, logging and monitoring coverage.
  • Review application and SDLC security: SAST/DAST results, dependency/OSS scanning (SCA), SBOM availability, pen test reports and remediation proof.
  • Identity & Access: SSO (SAML/OIDC), SCIM provisioning, MFA enforcement, role-based access, admin activity logging, least privilege.
  • Data Handling & Privacy: data flow diagrams, data residency, subprocessor lists, data retention and secure deletion on termination; DPAs/BAAs in place with breach notification timelines.
  • Resilience: documented BCP/DR with tested RTO/RPO; uptime SLAs; incident response plans and evidence of exercises.
  • Compliance & Contracting: ensure BAAs (HIPAA), DPAs/CCPA/CPRA, SCCs if applicable; right-to-audit, evidence requests, and remediation SLAs embedded in contracts.
  • Ongoing Monitoring: cadence for evidence refresh (e.g., annual SOC 2, pen test summaries), security scorecards, and triggers for reassessment after incidents or major changes.
  • Exit Strategy: data return and deletion procedures, assistance during transition, certificate of destruction, and survival clauses for security obligations.
  • Own annual plan and budget; develop board-level reporting with KPIs/OKRs and control coverage metrics.
  • Provide security architecture reviews and design patterns for new systems, integrations, and clinical solutions.
  • Embed security in delivery pipelines and change management; ensure separation of duties and approvals.
  • Track emerging threats and best practices; iterate roadmap and mentor the team.
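As an added illustration of the risk-based prioritization named under Requirements (EPSS/CVSS plus asset criticality with defined SLAs) and of the vulnerability management responsibility above, the following Python is example code written for this page, not Q Point Health's tooling. The weights, tier cut-offs, SLA day counts, criticality multipliers, the as-of date and the sample findings are all assumptions, and the CVE identifiers are placeholders rather than real advisories.

```python
"""Risk-based vulnerability prioritization: EPSS + CVSS + asset criticality -> SLA.

Added example, not part of the posting. Weights, tier cut-offs, SLA days,
criticality multipliers and the sample findings are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLA per priority tier, in days from first detection (assumed values).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Asset-context multiplier, e.g. from a CMDB or data classification (assumed values).
CRITICALITY_WEIGHT = {"phi": 1.5, "internet_facing": 1.3, "internal": 1.0, "lab": 0.6}

# Reporting date used by the stand-alone run below (assumed).
AS_OF = date(2026, 2, 1)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float        # CVSS base score, 0-10
    epss: float        # EPSS probability of exploitation within 30 days, 0-1
    criticality: str   # key into CRITICALITY_WEIGHT
    kev: bool = False  # on the CISA Known Exploited Vulnerabilities list
    first_seen: date = date(2026, 1, 5)


def risk_score(f: Finding) -> float:
    """0-100 score: exploitation likelihood dominates; severity and asset context adjust it.

    A KEV entry floors likelihood at 0.9: exploitation is already observed,
    so a low EPSS value must not push the finding down the queue.
    """
    likelihood = max(f.epss, 0.9) if f.kev else f.epss
    impact = f.cvss / 10.0
    base = 0.7 * likelihood + 0.3 * impact          # blend weights are assumptions
    return round(min(base * CRITICALITY_WEIGHT[f.criticality], 1.0) * 100, 1)


def priority(score: float) -> str:
    """Map a score onto the SLA tiers (cut-offs are assumptions)."""
    if score >= 70:
        return "P1"
    if score >= 40:
        return "P2"
    if score >= 15:
        return "P3"
    return "P4"


def sla_due(f: Finding) -> date:
    """Remediation deadline: detection date plus the tier's SLA."""
    return f.first_seen + timedelta(days=SLA_DAYS[priority(risk_score(f))])


def triage(findings, today: date):
    """Score every finding and return the remediation queue, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        due = sla_due(f)
        rows.append({"asset": f.asset, "cve": f.cve, "score": score,
                     "priority": priority(score), "due": due,
                     "overdue": today > due})
    return sorted(rows, key=lambda r: (-r["score"], r["due"], r["asset"]))


def sla_compliance(rows) -> float:
    """KPI: percentage of open findings still inside their SLA (100.0 when empty)."""
    if not rows:
        return 100.0
    return round(100.0 * sum(not r["overdue"] for r in rows) / len(rows), 1)


# Constructed sample scanner output; CVE IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("ehr-web-01", "CVE-0000-0001", cvss=9.8, epss=0.94, criticality="internet_facing", kev=True),
    Finding("db-phi-02", "CVE-0000-0002", cvss=7.4, epss=0.02, criticality="phi"),
    Finding("lab-vm-07", "CVE-0000-0003", cvss=9.1, epss=0.35, criticality="lab"),
    Finding("vpn-gw-01", "CVE-0000-0004", cvss=6.5, epss=0.61, criticality="internet_facing"),
    Finding("hr-intranet", "CVE-0000-0005", cvss=4.3, epss=0.01, criticality="internal"),
]

if __name__ == "__main__":
    queue = triage(SAMPLE_FINDINGS, today=AS_OF)
    for r in queue:
        flag = " OVERDUE" if r["overdue"] else ""
        print(f'{r["priority"]} {r["score"]:5.1f} {r["asset"]:<12} {r["cve"]} due {r["due"]}{flag}')
    print(f"SLA compliance: {sla_compliance(queue)}%")
```

The point the scoring makes is the one the requirement implies: a CVSS 6.5 issue on the internet-facing VPN gateway with high EPSS lands in P1 ahead of a CVSS 9.1 issue on a lab VM with modest EPSS, and a KEV listing keeps an actively exploited item at the top regardless of its EPSS value. The compliance figure is the patch-compliance KPI named under Nice To Haves, computed as the share of open findings still inside their SLA on the reporting date.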