Director of IT & Security, CISO

Team: Leadership

Location: Remote

Commitment: Full Time

Workplace Type: remote

Salary:

Job Responsibilities

• Security Strategy & Leadership:  Own end-to-end information security strategy across cloud, application, infrastructure, and corporate environments. Define a pragmatic security roadmap aligned to business risk, regulatory requirements, and engineering velocity. Serve as the executive owner for security posture, risk management, and incident response. Act as a trusted advisor to the CTO and executive team on security, risk, and operational tradeoffs.
• Security Engineering & DevSecOps: Drive a DevSecOps-first operating model, embedding security into CI/CD pipelines, infrastructure as code, and developer workflows. Partner deeply with engineering leadership to make security scalable, automated, and measurable. Lead threat modeling, secure design reviews, and risk assessments for new platform initiatives. Champion policy-as-code, guardrails, and automation over manual process.
• Cloud, Application & Infrastructure Security: Own security architecture and operations for a primarily AWS-based environment. Lead application security programs, including secure SDLC, dependency scanning, SAST/DAST, penetration testing, and vulnerability management. Own identity and access management strategy with Okta as the backbone. Ensure strong detection, alerting, and response across endpoints and cloud workloads (e.g., CrowdStrike, RAD).
• Security Operations & Incident Response:  Build and run effective security operations, including monitoring, investigation, incident response, and post-incident learning. Lead incident response for both security and IT incidents, serving as the calm point of accountability. Run tabletop exercises and continuously improve response playbooks. Manage vendor relationships, including CrowdStrike, Flashpoint, RAD, and Okta.
• Corporate IT & Enterprise Systems: Own corporate IT strategy and execution, focused on reliability, security, and employee productivity. Lead end-user computing, device management, endpoint security, identity lifecycle management, and access controls. Oversee IT systems, including identity, email, collaboration tools, endpoint management, and SaaS access governance. Drive automation and standardization across onboarding, offboarding, access management, and device lifecycle. Partner with People Ops, Legal, and Finance on IT processes, audits, and vendor management.
• Compliance, Risk & Healthcare Context: Own healthcare-related security and compliance programs (e.g., HIPAA, SOC 2). Translate regulatory requirements into practical, engineering-friendly controls. Lead third-party risk management and vendor security reviews. Support customer security reviews and serve as an executive point of contact on security matters.
• Team Leadership & Culture: Build, lead, and mentor a high-performing team spanning security engineering, security operations, and IT. Create a culture where security and IT are seen as enablers, not blockers. Establish clear ownership, measurable outcomes, and high operational standards. Be visible, decisive, and calm under pressure.

Required Skills & Experience

• 10+ years in information security, IT, or related technical leadership roles, including 5+ years of people management, ideally in healthcare technology SaaS.
• Proven experience leading security engineering, security operations, and corporate IT in a cloud-native SaaS environment.
• Direct experience in healthcare or other highly regulated industries.
• Track record of successfully implementing DevSecOps practices.
• Deep hands-on experience securing AWS environments.
• Strong understanding of endpoint security, identity systems, and modern SaaS IT stacks.
• Practical knowledge of tools such as CrowdStrike, Okta, Flashpoint, RAD, and related platforms.
• Strong foundation in application security, cloud security, and infrastructure as code.
• Strong collaborator with engineering, platform, and operations teams.
• Clear, direct communicator who can articulate risk without theatrics.
• Comfortable making tradeoffs and prioritizing based on real-world risk.
• Builder mindset with a bias toward automation and scale.

Preferred Skills & Experience

• Proven experience securing autonomous agentic loops and tool-calling frameworks. Deep understanding of Indirect Prompt Injection and designing "Human-in-the-Loop" guardrails for agent-driven actions.
• Technical expertise in securing the Model Context Protocol (MCP), specifically regarding context isolation, sandboxing, and identity propagation between LLMs and private data sources.
• Direct experience migrating security programs to Vanta or similar automated GRC platforms. Ability to architect "continuous compliance" by integrating cloud, identity, and developer tools for automated evidence collection.
• Hands-on application of the NIST AI RMF, OWASP Top 10 for LLMs, etc within a production environment.

Software Platform / Tools

• Required: Crowdstrike, AWS, Okta
• Preferred: Vanta