Information Security Officer

About The Position

Requirements

• Bachelor’s degree in information systems, Computer Science, Engineering, or a related technical field, or a minimum of four (4) years of experience in lieu of degree.
• 7+ years of progressive experience in information security, with at least 3 years in a security program leadership role
• Previous experience guiding an organization through successful assessments in SOC 2 and/or HITRUST R2 is required
• Deep expertise in healthcare security and privacy regulations, particularly HIPAA Security Rule requirements
• Hands-on experience achieving and maintaining HITRUST CSF certification and SOC 2 Type II attestation
• Strong working knowledge of NIST frameworks (800-53, 800-171, Cybersecurity Framework) and FedRAMP
• Proven track record implementing technical security controls and managing a comprehensive security program—not just documenting them
• Experience with cloud security (AWS, Azure, or GCP) and modern DevSecOps practices
• Demonstrated ability to use metrics and data analysis to drive security program improvements
• Excellent communication skills—able to translate technical risk into business terms for executives and board members
• Relevant certifications: CISSP, CISM, HCISPP, HITRUST CCSFP, or equivalent

Nice To Haves

• Experience in a high-growth healthcare technology or digital health environment
• First-hand experience building security programs or security-first architectures
• Experience with GRC platforms and security automation tools
• Other duties as assigned

Responsibilities

• Build and Lead a Proactive Security Program
• Design, implement, and continuously improve Bloom's information security program with a prevention-first mindset leveraging the strong foundation already constructed as the basis for continued success
• Evaluate, refine, and enforce security policies, standards, and procedures that are practical, actionable, and aligned with business operations
• Conduct regular risk assessments and threat modeling to identify vulnerabilities before exploitation, helping the organization deliver to our customers with maximum results
• Lead tabletop exercises, penetration testing, and red team activities to stress-test our defenses
• Build, operate, and monitor the security program to ensure our information security processes are in place and effectively educate all stakeholders on the practices, procedures, and policies, while ensuring the security processes meet or exceed our organizational requirements
• Own Compliance Across Multiple Frameworks
• Serve as the primary owner for HIPAA, HITRUST, and SOC 2 Type II compliance oversight, filings, and assessor coordination
• Maintain deep working knowledge of NIST standards (800-53, CSF), FedRAMP requirements, and emerging healthcare security regulations to anticipate changes needed to achieve excellence
• Translate regulatory requirements into engineering specifications and operational procedures
• Manage audit relationships, risk management, evidence collection, and remediation tracking
• Keep us audit-ready year-round—not scrambling before assessments
• Implement Security Controls
• Partner with Engineering, IT, and DevOps to embed security controls into infrastructure, applications, and workflows
• Architect and deploy technical safeguards: access controls, encryption, network segmentation, endpoint protection, and monitoring systems
• Automate security processes wherever possible—manual controls don't scale
• Evaluate and implement security tools and technologies that fit our environment and risk profile
• Drive Decisions with Data
• Define and track key security metrics and KPIs that measure program effectiveness, not just activity
• Build dashboards and reporting mechanisms that give leadership visibility into our security posture
• Use data to prioritize investments, justify resources, and demonstrate ROI on security initiatives
• Benchmark against industry standards and drive continuous improvement through measurable goals
• Foster a Security-First Culture
• Develop and deliver security awareness training that changes behavior, not just checks a box
• Serve as an advisor and resource for teams across Bloom on secure design and operations
• Lead incident response when needed—but measure success by how rarely we need to

Benefits

• Bloom operates with a people-first culture, which means listening to our employees to provide the benefits that mean the most to them.
• Our competitive compensation, comprehensive health coverage, long-term growth opportunities, and remote work environment are among the reasons that many of our employees have been with us since the beginning of our business.
• BeBloom™, our proprietary employee training and engagement program, helps you learn our business model and immerse yourself in everything our culture offers from day 1.
• From virtual live events to mentorship and leadership programs and employee-led councils, there are countless opportunities to get involved, build connections, and share your voice – because at Bloom, the real you belongs here.