Senior/Staff TPM, Security Risk
About the role
The Security Risk Program Manager will build and mature Grow Therapy's security risk program, driving audit readiness, shaping executive risk reporting, and partnering closely with teams across Legal, Compliance, Engineering, and Product.
Responsibilities
- Build and mature Grow's enterprise security risk management program, including risk identification, assessment, prioritization, remediation tracking, and maintaining a comprehensive risk register that informs business decisions.
- Lead the charge on AI risk management, supporting the company's internal foundations pillar focused on building company-wide infrastructure for AI adoption.
- Own the third-party/vendor security risk management program, streamlining review workflows to support business velocity while ensuring robust security oversight of partners and vendors.
- Drive audit readiness and external certifications (SOC 2, HIPAA-aligned assessments, HITRUST readiness) in close partnership with Legal and Compliance, reducing repeat findings and improving remediation timelines.
- Develop and deliver executive-level risk reporting and readouts that translate technical and security risks into clear business impact, enabling leadership to make informed, risk-aware tradeoffs as the company scales.
- Partner proactively across Security Engineering, Product, Engineering, and Operations to embed security and risk awareness into planning and decision-making cycles—positioning security as a strategic enabler rather than a gatekeeper.
Requirements
Deep experience building and operating security or enterprise risk management programs (not just managing projects), strong knowledge of healthcare security, privacy, and compliance frameworks (HIPAA, SOC 2, HITRUST), exceptional stakeholder management and communication skills, structured approach to prioritization, documentation, and cross-functional alignment.
Qualifications
- Bachelor's degree in Computer Science, Information Security, or related field.
- Minimum of 5 years of experience in a similar role.
- Experience scaling risk programs at high-growth or pre-IPO tech companies.
- Prior ownership of vendor risk programs.
- Familiarity with GRC tooling and automation.
Skills
- Strong understanding of cybersecurity principles and best practices.
- Experience with risk assessment methodologies and frameworks.
- Excellent project management and stakeholder management skills.
- Ability to communicate complex technical concepts to non-technical stakeholders.
Benefits
Comprehensive health coverage, parental leave, financial wellness, meal and home office support, time off to recharge, wellness and development, mental and physical health support, pet insurance discounts, commuter benefits, and global travel assistance.
Pay
The base compensation range for this position is $152,000–$189,750 USD Annually. The base compensation for this role will vary depending on several factors, including relevant experience, qualifications, and the candidate's working location.
Schedule
This is a hybrid role with the expectation to work onsite from our NYC or San Francisco hub locations three days per week (Tuesday, Wednesday, and Thursday) and travel 2–3 times per year (e.g., company and department offsites).