Security Program Manager

Function Health
Canada, KS

About The Position

Function Health is building a lean, automation-first compliance program that is agile enough to adapt to both security and privacy requirements. From SOC 2 and HIPAA to CCPA and beyond, the program must be ready to respond to whatever the task demands. This requires an individual who can see the totality of the problem and not just a piece of it. As a Security Program Manager, you'll support and execute our compliance operations, partner with cross-functional teams to enable compliant product growth and unblock business deals, and help ensure our controls and policies scale with the business. This role is hands-on and impact-driven: you'll be a key contributor to audit readiness, run day-to-day compliance and privacy operations, and help Function meet the trust expectations of our members, partners, and regulators.

Requirements

  • 4–7 years of experience in compliance, GRC, or risk management, ideally in SaaS or healthtech.
  • Strong knowledge of SOC 2 and HIPAA; familiarity with privacy frameworks such as GDPR, CCPA/CPRA, or HITRUST.
  • Experience supporting audits end-to-end and preparing documentation for external parties.
  • Experience coordinating across functions (Engineering, IT, Legal, Ops) to implement and sustain controls.
  • Ability to connect regulatory requirements to business context and communicate tradeoffs clearly to technical and non-technical stakeholders.
  • Familiarity with compliance automation tools (Vanta, Tugboat Logic, ConductorOne) and cloud environments (Okta, GCP, GitHub).
  • Strong communication skills; able to draft policies, auditor-facing documentation, and compliance summaries.
  • Ability to work cross-functionally to support secure, compliant patterns without slowing down business goals.

Nice To Haves

  • Experience with healthcare data protection or supporting privacy programs in regulated industries.

Responsibilities

  • Execute SOC 2 Type II and HIPAA compliance operations, including evidence collection, control testing, and audit readiness.
  • Coordinate audit activities with auditors, external assessors, and internal stakeholders under the direction of compliance leadership.
  • Maintain and update a unified control framework that maps SOC 2, HIPAA, and future frameworks (e.g., HITRUST).
  • Drive vendor and third-party risk management, including onboarding reviews, risk assessments, and BAA/DPA tracking.
  • Understand privacy obligations (HIPAA Privacy Rule, GDPR, state laws) and design solutions with a privacy-first focus.
  • Partner with Sales and Legal to support business deals, including security questionnaires and contractual agreements.
  • Execute quarterly compliance rituals: access reviews, risk register updates, policy acknowledgments, and training compliance.
  • Translate regulatory requirements into engineer-friendly tickets, policy updates, and compliance summaries.
  • Identify and implement opportunities for automation in compliance workflows (evidence collection, access certifications, vendor reviews).
  • Coordinate privacy operations, including data retention, deletion, and handling of member data requests.
  • Build awareness across the business so compliance and privacy are seen as enablers, not blockers.

Benefits

  • Competitive salary and benefits package
  • Flexible working hours

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

101-250 employees
