Director, Security & Risk
About the role
The Director, Security & Risk owns the enterprise security program end-to-end—strategy, roadmap, execution, and continuous improvement. This leader assesses the current posture, monitors industry and threat trends, and drives the must-do initiatives that protect every layer of the environment (cloud, network, endpoints, identity, apps, data).
Responsibilities
Strategy & Governance
- Assess security posture against NIST CSF/HIPAA and peer benchmarks;
- maintain a multi-year strategy and roadmap.
- Publish and enforce policies/standards;
- ensure audit readiness and version control.
Risk Management & Compliance
- Run periodic risk assessments;
- maintain a risk register with accountable owners and due dates.
- Coordinate HIPAA/HITECH compliance with Privacy/Compliance;
- manage findings to closure.
Security Operations & Engineering
- Own SIEM content, telemetry coverage, and alert fidelity;
- manage IDS/IPS and SOC workflows (internal + MSSP).
- Lead vulnerability management (scan cadence, SLAs, change control alignment) and drive remediation with system owners.
- Engineer and optimize controls: firewalls, EDR/XDR, DLP, email security, CASB/SSE, secure web gateway.
Identity, Access, and Data
- Enforce MFA, privileged access controls, joiner/mover/leaver processes, and periodic access reviews.
- Oversee DLP policies (M365/Netskope) and data classification/handling standards.
Incident Response, Continuity, and Resilience
- Maintain IR playbooks; run tabletops and post-mortems; coordinate forensics and legal/comms as needed.
- Own BC/DR testing cadence; document results and drive improvements.
Awareness & Culture
- Deliver security awareness (phishing simulations, targeted training) and coaching for secure-by-default patterns.
Third-Party / Vendor Security
- Execute TPRM lifecycle, contract security terms, and ongoing monitoring (see Vendor Security Assessment section).
- Own the Third-Party Risk Management (TPRM) program: intake, inherent risk scoring, due diligence, onboarding, continuous monitoring, and offboarding.
- Assess vendors handling PHI/PII/PCI with right-sized depth: SIG/SIG Lite questionnaires, SOC 2 Type II and/or ISO 27001 audit reports, HITRUST where applicable.
- Validate security controls: encryption at rest (AES-256) and in transit (TLS 1.2+), key management (KMS/HSM), vulnerability management cadence, patch SLAs, EDR/AV, logging and monitoring coverage.
- Review application and SDLC security: SAST/DAST results, dependency/OSS scanning (SCA), SBOM availability, pen test reports and remediation proof.
- Identity & Access: SSO (SAML/OIDC), SCIM provisioning, MFA enforcement, role-based access, admin activity logging, least privilege.
- Data Handling & Privacy: data flow diagrams, data residency, subprocessor lists, data retention and secure deletion on termination; DPAs/BAAs in place with breach notification timelines.
- Resilience: documented BCP/DR with tested RTO/RPO; uptime SLAs; incident response plans and evidence of exercises.
- Compliance & Contracting: ensure BAA (HIPAA), DPA/CCPA/CPRA, SCCs if applicable; right-to-audit, evidence requests, and remediation SLAs embedded in contracts.
- Ongoing Monitoring: cadence for evidence refresh (e.g., annual SOC 2, pen test summaries), security scorecards, and triggers for reassessment after incidents or major changes.
- Exit Strategy: data return and deletion procedures, assistance during transition, certificate of destruction, and survival clauses for security obligations.
Budgeting
- Own annual plan and budget;
- develop board-level reporting with KPIs/OKRs and control coverage metrics.
Architecture & Projects
- Provide security architecture reviews and design patterns for new systems, integrations, and clinical solutions.
- Embed security in delivery pipelines and change management; ensure separation of duties and approvals.
Continuous Improvement
- Track emerging threats and best practices; iterate roadmap and mentor the team.
Experience:
- 10+ years in information security with 5+ years leading teams or programs (operations, engineering, or GRC).
Roadmap Ownership:
- 3+ years owning a security roadmap tied to business objectives, budgets, and measurable outcomes.
Healthcare:
- Hands-on HIPAA/HITECH experience; familiarity with HITRUST or mapping NIST CSF to HIPAA safeguards.
Frameworks:
- Practical expertise in NIST CSF, NIST 800-53, ISO 27001; third-party risk practices (SIG/SIG Lite, SOC 2).
Cloud:
- AWS security (IAM, KMS, Security Hub, GuardDuty, VPC, WAF/Shield, key rotation, least privilege).
Identity:
- Enterprise IAM/MFA/SSO (Microsoft Entra ID/Azure AD or Okta); strong least-privilege and access review discipline.
Detection & Response:
- SIEM (Microsoft Sentinel and/or Splunk) content design/tuning, UEBA, runbooks, dashboarding.
Endpoint & Email Security:
- EDR/XDR (Microsoft Defender for Endpoint/CrowdStrike/etc.), hardening/baselines; email security with Mimecast (policies, impersonation protection, URL/attachment sandboxing).
SSE/CASB & DLP:
- Operational experience with Netskope (policies, DLP, inline controls, app governance, shadow IT) and M365/Azure Purview DLP.
Network & Data Protection:
- Next-gen firewalls (Palo Alto/Fortinet), IDS/IPS, segmentation/zero trust, TLS 1.2+; key management and encryption at rest (AES-256) and in transit.
Vulnerability & Patch:
- Tenable/Qualys/Rapid7; risk-based prioritization (EPSS/CVSS + asset criticality) with defined SLAs across OS, apps, and cloud.
Incident Response & Resilience:
- IR playbooks, tabletop exercises, forensic coordination, BC/DR testing and improvement cycles.
Automation:
- PowerShell and/or Python for enrichment, response, and reporting.
Communication:
- Executive-level storytelling; board-ready risk reporting and KPI/OKR management.
Leadership:
- Proven ability to run multi-workstream programs and drive change across IT, Security, Clinical, and Compliance.
Education/Certs:
- Bachelor’s in CS/IT/Cyber or equivalent; CISSP or CISM required (maintained and in good standing).
- HITRUST (CCSFP) or ISO 27001 implementation/audit experience.
- HCISPP, CCSP, CISA, or product certs (Palo Alto, Microsoft Defender/Sentinel, Netskope, Mimecast).
- Kubernetes security, container scanning, and IaC scanning (Terraform + Checkov) experience.
- Experience managing $1M+ security portfolios and multi-vendor MSSP ecosystems.
- Developed KPI/OKR programs (MTTD/MTTR, patch compliance, control coverage, phishing risk) with trend reporting.