Jobs · Sales

Director, Security & Risk

Equality Health · United States · 1 wk ago
RemoteRemoteSalesFull-time

About the role

The Director, Security & Risk owns the enterprise security program end-to-end—strategy, roadmap, execution, and continuous improvement. This leader assesses the current posture, monitors industry and threat trends, and drives the must-do initiatives that protect every layer of the environment (cloud, network, endpoints, identity, apps, data).

Responsibilities

  • Strategy & Governance

    • Assess security posture against NIST CSF/HIPAA and peer benchmarks;
    • maintain a multi-year strategy and roadmap.
    • Publish and enforce policies/standards;
    • ensure audit readiness and version control.
  • Risk Management & Compliance

    • Run periodic risk assessments;
    • maintain a risk register with accountable owners and due dates.
    • Coordinate HIPAA/HITECH compliance with Privacy/Compliance;
    • manage findings to closure.
  • Security Operations & Engineering

    • Own SIEM content, telemetry coverage, and alert fidelity;
    • manage IDS/IPS and SOC workflows (internal + MSSP).
    • Lead vulnerability management (scan cadence, SLAs, change control alignment) and drive remediation with system owners.
    • Engineer and optimize controls: firewalls, EDR/XDR, DLP, email security, CASB/SSE, secure web gateway.
  • Identity, Access, and Data

    • Enforce MFA, privileged access controls, joiner/mover/leaver processes, and periodic access reviews.
    • Oversee DLP policies (M365/Netskope) and data classification/handling standards.
  • Incident Response, Continuity, and Resilience

    • Maintain IR playbooks; run tabletops and post-mortems; coordinate forensics and legal/comms as needed.
    • Own BC/DR testing cadence; document results and drive improvements.
  • Awareness & Culture

    • Deliver security awareness (phishing simulations, targeted training) and coaching for secure-by-default patterns.
  • Third-Party / Vendor Security

    • Execute TPRM lifecycle, contract security terms, and ongoing monitoring (see Vendor Security Assessment section).
    • Own the Third-Party Risk Management (TPRM) program: intake, inherent risk scoring, due diligence, onboarding, continuous monitoring, and offboarding.
    • Assess vendors handling PHI/PII/PCI with right-sized depth: SIG/SIG Lite questionnaires, SOC 2 Type II and/or ISO 27001 audit reports, HITRUST where applicable.
    • Validate security controls: encryption at rest (AES-256) and in transit (TLS 1.2+), key management (KMS/HSM), vulnerability management cadence, patch SLAs, EDR/AV, logging and monitoring coverage.
    • Review application and SDLC security: SAST/DAST results, dependency/OSS scanning (SCA), SBOM availability, pen test reports and remediation proof.
    • Identity & Access: SSO (SAML/OIDC), SCIM provisioning, MFA enforcement, role-based access, admin activity logging, least privilege.
    • Data Handling & Privacy: data flow diagrams, data residency, subprocessor lists, data retention and secure deletion on termination; DPAs/BAAs in place with breach notification timelines.
    • Resilience: documented BCP/DR with tested RTO/RPO; uptime SLAs; incident response plans and evidence of exercises.
    • Compliance & Contracting: ensure BAA (HIPAA), DPA/CCPA/CPRA, SCCs if applicable; right-to-audit, evidence requests, and remediation SLAs embedded in contracts.
    • Ongoing Monitoring: cadence for evidence refresh (e.g., annual SOC 2, pen test summaries), security scorecards, and triggers for reassessment after incidents or major changes.
    • Exit Strategy: data return and deletion procedures, assistance during transition, certificate of destruction, and survival clauses for security obligations.
  • Budgeting

    • Own annual plan and budget;
    • develop board-level reporting with KPIs/OKRs and control coverage metrics.
  • Architecture & Projects

    • Provide security architecture reviews and design patterns for new systems, integrations, and clinical solutions.
    • Embed security in delivery pipelines and change management; ensure separation of duties and approvals.
  • Continuous Improvement

    • Track emerging threats and best practices; iterate roadmap and mentor the team.

    Requirements

    • Experience:

      • 10+ years in information security with 5+ years leading teams or programs (operations, engineering, or GRC).
    • Roadmap Ownership:

      • 3+ years owning a security roadmap tied to business objectives, budgets, and measurable outcomes.
    • Healthcare:

      • Hands-on HIPAA/HITECH experience; familiarity with HITRUST or mapping NIST CSF to HIPAA safeguards.
    • Frameworks:

      • Practical expertise in NIST CSF, NIST 800-53, ISO 27001; third-party risk practices (SIG/SIG Lite, SOC 2).
    • Cloud:

      • AWS security (IAM, KMS, Security Hub, GuardDuty, VPC, WAF/Shield, key rotation, least privilege).
    • Identity:

      • Enterprise IAM/MFA/SSO (Microsoft Entra ID/Azure AD or Okta); strong least-privilege and access review discipline.
    • Detection & Response:

      • SIEM (Microsoft Sentinel and/or Splunk) content design/tuning, UEBA, runbooks, dashboarding.
    • Endpoint & Email Security:

      • EDR/XDR (Microsoft Defender for Endpoint/CrowdStrike/etc.), hardening/baselines; email security with Mimecast (policies, impersonation protection, URL/attachment sandboxing).
    • SSE/CASB & DLP:

      • Operational experience with Netskope (policies, DLP, inline controls, app governance, shadow IT) and M365/Azure Purview DLP.
    • Network & Data Protection:

      • Next-gen firewalls (Palo Alto/Fortinet), IDS/IPS, segmentation/zero trust, TLS 1.2+; key management and encryption at rest (AES-256) and in transit.
    • Vulnerability & Patch:

      • Tenable/Qualys/Rapid7; risk-based prioritization (EPSS/CVSS + asset criticality) with defined SLAs across OS, apps, and cloud.
    • Incident Response & Resilience:

      • IR playbooks, tabletop exercises, forensic coordination, BC/DR testing and improvement cycles.
    • Automation:

      • PowerShell and/or Python for enrichment, response, and reporting.
    • Communication:

      • Executive-level storytelling; board-ready risk reporting and KPI/OKR management.
    • Leadership:

      • Proven ability to run multi-workstream programs and drive change across IT, Security, Clinical, and Compliance.
    • Education/Certs:

      • Bachelor’s in CS/IT/Cyber or equivalent; CISSP or CISM required (maintained and in good standing).

      Preferred Skills & Qualifications

      • HITRUST (CCSFP) or ISO 27001 implementation/audit experience.
      • HCISPP, CCSP, CISA, or product certs (Palo Alto, Microsoft Defender/Sentinel, Netskope, Mimecast).
      • Kubernetes security, container scanning, and IaC scanning (Terraform + Checkov) experience.
      • Experience managing $1M+ security portfolios and multi-vendor MSSP ecosystems.
      • Developed KPI/OKR programs (MTTD/MTTR, patch compliance, control coverage, phishing risk) with trend reporting.

Similar jobs

Director, Safety & Security

Kenan Advantage GroupGreater Birmingham, Alabama Area· 3 days ago
Information Technologyapply on paycomonline.net

Director, Safety & Security

Kenan Advantage GroupGreater Birmingham, Alabama Area· 4 days ago
Information Technologyapply on paycomonline.net

Director, Safety and Security

Georgia Production Partnership (GPP)Atlanta, GA· 5 days ago
Information Technology$120k–$172k/yrapply on productions.com