Jobs · Finance · Utah

Governance, Risk & Compliance Lead

Xenter · Draper, UT · Today
On-siteFinanceFull-time

About the role

Xenter is advancing a new generation of medical technologies aimed at improving diagnostic accuracy and treatment efficiency. The company's connected clinical intelligence platform aims to enhance access to advanced diagnostic tools and reduce the total cost of care. Reporting to the Chief Risk and Information Security Officer (CRISO), the GRC Lead will oversee security, compliance, and privacy assurance.

Responsibilities

  • Own the certification roadmap — define and execute the path to HITRUST CSF, ISO/IEC 27001, SOC 2 Type II, and ISO/IEC 42001, including readiness assessments, gap remediation, and external audit management.

  • Build a unified control framework — maintain a single control set mapped across HITRUST, ISO 27001/27701, SOC 2, HIPAA, FDA premarket and postmarket cybersecurity guidance, and state and international privacy laws, so evidence is collected once and reused everywhere.

  • Design scalable controls — favor controls that enable velocity rather than create friction, scale with company growth, and reduce audit burden through automation and evidence reuse.

  • Partner with legal counsel — build the program alongside our privacy, security, and compliance legal counsel, ensuring policies, controls, and practices stay within the confines of the regulatory requirements that apply to us.

  • Run the risk program — stand up enterprise risk management: risk register, risk treatment, third-party and vendor risk, and product security risk in partnership with quality and regulatory teams.

  • Write and operationalize policies — author the policy library, select and administer compliance automation tooling, and drive continuous control monitoring and evidence collection.

  • Secure a diverse technology footprint — partner with engineering across very different surfaces: cloud infrastructure, a consumer mobile app, silicone manufacturing operations, and edge computing hardware living on hospital networks.

  • Be the face of trust to hospitals — lead responses to hospital security reviews, customer security questionnaires, MDS2 forms, and BAA negotiations; make it easy for health systems to say yes to Xenter.

  • Lead privacy — own HIPAA compliance, GDPR, CCPA and other state privacy law obligations for our consumer app, data mapping, and privacy impact assessments.

  • Govern AI responsibly — establish AI governance under ISO/IEC 42001 in partnership with our data science and product teams as AI capabilities ship in our products.

  • Build the human layer — run security awareness training, incident response exercises, and business continuity and disaster recovery planning and testing.

  • Scale the team — define the GRC hiring plan, recruit and mentor analysts and managers, and report program health, risk posture, and certification progress to executive leadership.

Requirements

  • 7+ years in information security, compliance, or GRC, with 3+ years leading framework implementations end to end — not just maintaining programs someone else built.

  • You have taken an organization through first-time HITRUST CSF certification and/or ISO 27001 certification, plus SOC 2 Type II; working familiarity with ISO/IEC 42001 or a strong point of view on AI governance.

  • Healthcare or medical device industry experience strongly preferred, including HIPAA, FDA cybersecurity guidance (e.g., Section 524B premarket requirements), and the realities of hospital IT security review.

  • Comfort operating across cloud (AWS/Azure), mobile, embedded and edge devices, and manufacturing environments — you can hold a credible conversation with each of those engineering teams.

  • A track record of being an early or first GRC hire: building from zero, staying hands-on, then hiring and leading a team as the company grows.

  • Clear, confident communication with executives, auditors, engineers, and hospital CISOs alike.

Qualifications
  • One or more of the following (or equivalent) is a strong plus: CISSP, CISM, CISA, CRISC, HITRUST CCSFP, ISO/IEC 27001 Lead Implementer or Lead Auditor, CGRC, CCSP/CCSK, CIPP or CIPM.

Location

This role is based full-time in our Draper, Utah office. We build physical products alongside the teams that design, manufacture, and support them, and this role works best shoulder to shoulder with those teams.

Similar jobs