Head of IT & Security

NexHealth
San Francisco, CA
$175,000 - $220,000
Remote

About The Position

NexHealth is a technology company building infrastructure that's reshaping how patient data moves and how the HealthTech ecosystem connects. We're looking for a Security Lead to own our security governance, compliance, IT operations, vendor security, and incident response — establishing the function, embedding strong practices, and partnering closely with engineering, legal, and leadership. This is a player-coach role with real hands-on expectation in year one. You'll drive the next phase of our security and compliance program, and build your team.

Requirements

  • 8+ years of relevant security experience, including 3+ years in a security leadership role where you were materially building the program, not maintaining it.
  • Has built (not inherited) a security program from a near-zero baseline at least once.
  • Has owned a recurring external audit cycle end-to-end (e.g., SOC 2, ISO, PCI, HITRUST) — designed evidence collection, mapped controls, ran the auditor relationship, and made the next cycle materially easier than the last.
  • Software engineering background. Can read a pull request, evaluate cloud configurations, and push back on Engineering with technical substance.
  • Experience hiring and developing senior security or IT individual contributors.
  • Hands-on experience with security tools and technologies such as SIEM, MDR, IDS/IPS, WAF, DLP, and vulnerability scanners.
  • You've reshaped how a company engages with auditors, regulators, or customer security teams — moved questionnaires to Trust Centers, audits from manual to automated, or vendor reviews from one-off projects to continuous programs.
  • You drive sustained operational change in functions you don't manage.
  • You treat engineering velocity as a security input. Slow shipping creates security risk too.
  • You can frame risk for a Board-level audience and for an engineering audience in the same week.
  • First-principles thinker.
  • Writes. NexHealth runs on documents; verbal-first operators struggle here.
  • Comfortable being the ranking voice on policy and risk.

Responsibilities

  • Own NexHealth's security governance, compliance, and IT programs end-to-end.
  • Serve as named Information Security Officer and Privacy Officer for SOC 2 and HIPAA — own the policy manual (40+ documents), audit liaison relationship with A-LIGN, control mapping across overlapping regimes, and evidence collection pipelines.
  • Set security standards across application security, vulnerability management, cloud security (AWS), audit logging, and access controls — driving the technical program through Engineering via influence, not direct authority.
  • Build, hire, and develop the IT and workforce security program: endpoints, identity, SaaS administration, phishing simulations, role-specific training modules, and facilities security.
  • Own vendor security: intake, classification, assessment, BAA execution, ongoing oversight, and customer-facing trust artifacts including Trust Center and subprocessor disclosure.
  • Lead incident response in Officer capacity; partner with outside counsel on breach determinations, own IR tracking, and run annual tabletop exercises.
  • Own the risk register, risk acceptance decisions, privacy operations (DSARs, data subject rights, privacy complaints), BC/DR plan, and cyber insurance relationship.
  • Hire a Staff-level IT IC within year one and grow the function from there.

Benefits

  • Stock options
  • Unlimited paid time off policy
  • Up to 100% coverage on medical, vision and dental insurance
  • Full Medical, Dental, and Vision (up to 100% covered)
  • 401K and commuter benefits
  • Flexible PTO