Hi, we're Oscar. We're hiring a Senior Manager, Security Governance, Risk, and Compliance to join our Security team.

About the role

In this role, you will be responsible for leading and managing a cross-functional team charged with the development and maintenance of Oscar’s Information Security policies, cybersecurity risk management, and compliance efforts in a highly regulated industry. You will identify opportunities to automate processes critical to meeting and exceeding Oscar’s compliance obligations to our regulators across a variety of frameworks. The GRC team works with a wide variety of stakeholders across the Oscar organization, and serves as an interpreter of technical controls for those teams to identify effective means of implementing and demonstrating compliance. You will be involved in shaping and driving Oscar’s GRC strategies through proactive measures and continuous improvement, bringing a demonstrated curiosity about continuously evolving our approaches.

You will report into the Chief Information Security Officer. 

Work Location:

Oscar is a blended work culture where everyone, regardless of work type or location, feels connected to their teammates, our culture and our mission. 

If you live within commutable distance to our New York City office (in Hudson Square), our Tempe office (off the 101 at University Dr), or our Los Angeles office (in Marina Del Rey), you will be expected to come into the office at least two days each week. Otherwise, this is a remote / work-from-home role.  

You must reside in one of the following states: Alabama, Arizona, California, Colorado, Connecticut, Florida, Georgia, Illinois, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, or Washington, D.C. Note that this list of states is subject to change.

Pay Transparency:

The base pay for this role is: $158,400 - $207,900 per year. You are also eligible for employee benefits, participation in Oscar’s unlimited vacation program, company equity grants, and annual performance bonuses.

Responsibilities

  • Lead a team of cross-functional Governance, Risk, and Compliance (GRC) experts including guiding, mentoring and coaching the team
  • Develop medium and long term strategies to improve the effectiveness and efficiency of the GRC program
  • Lead collaboration across engineering and governance functions to ensure common awareness and understanding of the what and why of various GRC requirements
  • Act as the primary liaison between other risk management and compliance teams at Oscar and interpret their needs of the cybersecurity program
  • Lead compliance efforts providing guidance and technical expertise in relation to the cybersecurity requirements related to SOX (Sarbanes-Oxley), MAR (Market Abuse Regulation), PCI (Payment Card Industry Data Security Standard), CMS EDE (Centers for Medicare & Medicaid Services Enhanced Direct Enrollment), HIPAA (Health Insurance Portability and Accountability Act), NYDFS (New York Department of Financial Services), SOC2, HITRUST, and other relevant security and regulatory frameworks
  • Manage and lead maturity assessments against cybersecurity requirements and Oscar’s current control inventory to identify areas of deficiency and potential gaps that must be closed to achieve certification or to successfully complete the audit cycle
  • Manage the team responsible for Oscar’s Security inventory of audit artifacts to ensure continuity in audits and efficient response to client and regulator requests. Manage and coordinate periodic assessments, audits, and reviews to assess compliance with regulatory requirements, with a focus on cybersecurity controls and artifacts.
  • Stay up to date on the latest cybersecurity regulations, policy and news to ensure Oscar’s security program documents upcoming requirements and areas in which enhancements to process are required for alignment with the standard.
  • Design, develop, and manage third-party risk management processes, including vendor assessments, due diligence, and ongoing monitoring to identify inherent and residual cybersecurity risks for tracking, monitoring and corrective action planning.
  • Manage and lead the development and maintenance of cybersecurity governance, risk, and compliance policies, procedures, and standards in alignment with industry best practices and regulatory requirements with the ability to discern Oscar’s technical operations to align with the requirements dictated in policy in an effort to flag areas of deficiency or areas which require enhancement to align with current operating practices.
  • Create and deliver cybersecurity training programs and awareness campaigns to educate employees and stakeholders about relevant topics and concepts related to key cybersecurity risks (e.g., insider threats, data handling, and phishing).
  • Compliance with all applicable laws and regulations
  • Other duties as assigned

Qualifications

  • Bachelor's degree or years of equivalent experience
  • 5+ years of experience related to risk management
  • 4+ years of experience related to project management
  • Experience developing GRC programs in a cloud and SaaS environment.

Bonus Points

  • Prior work experience in or understanding of security challenges specific to the healthcare or health insurance industries
  • Prior experience managing individual contributors.

This is an authentic Oscar Health job opportunity. Learn more about how you can safeguard yourself from recruitment fraud here

At Oscar, being an Equal Opportunity Employer means more than upholding discrimination-free hiring practices. It means that we cultivate an environment where people can be their most authentic selves and find both belonging and support. We're on a mission to change health care -- an experience made whole by our unique backgrounds and perspectives.

Pay Transparency: Final offer amounts, within the base pay set forth above, are determined by factors including your relevant skills, education, and experience. Full-time employees are eligible for benefits including: medical, dental, and vision benefits, 11 paid holidays, paid sick time, paid parental leave, 401(k) plan participation, life and disability insurance, and paid wellness time and reimbursements.

Reasonable Accommodation: Oscar applicants are considered solely based on their qualifications, without regard to applicant’s disability or need for accommodation. Any Oscar applicant who requires reasonable accommodations during the application process should contact the Oscar Benefits Team (accommodations@hioscar.com) to make the need for an accommodation known.

California Residents: For information about our collection, use, and disclosure of applicants’ personal information as well as applicants’ rights over their personal information, please see our Notice to Job Applicants.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Oscar Health’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.


Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.
