The Director of Information Security is a Senior Management role leading Collective Health’s Product and Application Security Engineering and Secure Operations (SecOps) teams. The Director of Information Security will also serve formally as the Security Officer for Collective Health.
We are changing US healthcare through the use of technology, and the Director of Information Security leads the team that ensures secure delivery of that technology. Our customers are US employers and their employees and dependents. Our solutions enable better decision-making, resulting in improved health outcomes and counteracting the spiraling costs of US healthcare.
In our first 5 years as a company, we have built a rich solution suite, comprising consumer web and mobile healthcare portals, employer administration portals, data transformation for analytics, and high-volume back-office data processing for claims “adjudication”. This adjudication determines medical claim payments according to complex medical plan rules. Our solution is highly integrated with 3rd party enterprise solutions (HRMS/Ben Admin solutions) and 3rd party medical, dental, pharma, vision solutions, as well as specialist program solutions for maternity, fertility, diabetes, behavioral health, and many other medical domains.
Our data is extremely private (comprising personal health information, or PHI) and must be managed in strict compliance with HIPAA data privacy requirements. Our customers expect our solutions to be extremely highly available (better than 99.9% availability) and we aim for >70% NPS from very highly satisfied users who rely on our systems to navigate the bewildering world of healthcare, insurance and financial claims management. Extremely high data accuracy and security are paramount.
The Director of Information Security will manage our Security Engineering and SecOps team, and work closely in collaboration with leaders in Compliance, Data Privacy and Risk Management. The Director of Information Security will be based in our San Francisco HQ and report to our VP of Cloud Engineering (also in San Francisco). The Director will collaborate with, and influence the roadmaps of, leaders in Product Management, Product Engineering, Quality Engineering and Cloud Engineering throughout our development organization to strengthen our security posture and adherence to compliance requirements, and will be responsible for the overall security architecture of our Product and Cloud Platforms.
The Director of Information Security will grow Collective Health’s reputation as the place for security engineers to do the best work of their careers, fixing US healthcare’s fundamental problem of spending twice as much per person as other advanced economies, with worse health outcomes. They will foster a culture of collaboration, respect, technical expertise, and very high delivery quality. They will celebrate the Security team’s successes, and drive blameless learning from our failures.
Our Security Team has a company-wide footprint – we interact with almost every employee, understand their workflow and assist them to make it more efficient. As a part of the Security Team, you will help us make our base layer more secure by focusing on architecture, development and operation of network, cloud security and employee systems.
Your Core Responsibilities:
- Develop and drive information security strategy (including Application and Product Security), security governance, architecture, set standards for the Development Organization and liaise with stakeholders across the organization including Compliance, Data Privacy, Risk Management, Operations, Legal and People Operations
- Drive and influence a culture of security compliance and awareness
- Lead and collaborate with team members, understand their processes and workflows, prioritize their ideas and innovations and develop improvements to ensure successful execution
- Define security processes to monitor security risks, gaps and remedial actions to ensure the security of the operations and confidentiality, integrity and availability of data
- Collaborate with and influence cross-functional teams to evaluate and develop recommendations for security architecture, tools and process improvements to prevent threats
- Monitor the effectiveness of IT security controls in accordance with security policies and risk management; drive short and long term improvements to ensure resolution of risks to completion
- Evaluate and develop systems to enhance our security posture while reducing overall digital security risk
- In partnership with Compliance leadership, evolve Security Incident Management processes to ensure threats are continuously identified, investigated and appropriate response measures are instituted
- Maintain and audit IT Infrastructure security
- Lead IT infrastructure integrations with partners from a security perspective
- Maintain awareness of industry threat intelligence and emerging security threats, and lead the management of security incidents
- Lead technical security experts in augmenting our Continuous Integration (CI) pipeline to include security testing; collaborate with stakeholders on the overall CI/CD vision and implementation strategy
- Oversee execution of code audits of internal and open source libraries before their inclusion in our products
- Assist in the architecture of new products, features, and capabilities
If many or most of the following items apply to you, we'd love to talk!
- 5+ years of experience in a regulated organization (e.g. HIPAA compliance: pharma, biotech, health insurance)
- 3-5+ years building or running technical security teams in a senior leadership capacity
- Experience as an accountable “Security Officer” of a regulated environment or organization (e.g. FISMA, HIPAA, PCI-DSS)
- Hands on technical and/or development expertise in Application or Product Security domains including:
- 3+ years managing static and dynamic analysis programs (developing models or running analysis tooling)
- 3+ years managing software application development in Java, Ruby, Go, or Python
- 3+ years managing web application vulnerability discovery or detection
- Deep understanding of information security principles
- Ability to work effectively and influence groups throughout the organization.
- Relevant network and network security experience (OSI model, firewalls, 802.1x, IPS, IDS, VPN)
- Relevant systems security experience (HIDS, system hardening, cgroups, etc.)
- Experience automating security incident event monitoring infrastructure
You get extra bonus points for:
- Contributions to, and maintenance of, open source projects
- Experience working with Public Cloud Services (AWS, Azure, etc)
- Familiarity with Service Oriented Architecture and/or micro-services based architecture
- Familiarity with container-based infrastructure orchestration (e.g. Docker, Kubernetes, Mesos)
- Experience with NIST security frameworks
- Experience working in Healthcare, Financial, or other regulated environment
- Experience with breaking encryption, authentication, or authorization system flows
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.