Chief Information Security Officer

Chief Information Security Officer (CISO)

Location: Remote / Hybrid (US)

Reports to: COO

The Chief Information Security Officer (CISO) is responsible for establishing, executing, and continuously improving the organization’s enterprise information security, privacy, and risk management program. This role is critical to ensuring the confidentiality, integrity, and availability of healthcare data—including PHI—while enabling rapid software innovation in a regulated pharmacy and healthcare technology environment.

The CISO will lead security strategy across HITRUST CSF, SOC 2 (Type I & II), HIPAA/HITECH, and aligned frameworks (NIST 800‑53, NIST CSF), with a strong focus on secure software development lifecycle (SSDLC), cloud security, audit readiness, and customer trust.

• Define and execute the enterprise information security strategy aligned to business growth, product roadmap, and regulatory requirements
• Serve as the executive owner of cybersecurity risk management, reporting regularly to executive leadership and the Board
• Establish security policies, standards, and metrics aligned with HITRUST CSF, SOC 2, HIPAA, and NIST frameworks
• Own and lead HITRUST certification (initial and recertification), including control design, evidence management, assessor engagement, and gap remediation
• Lead SOC 2 Type II audits, including Trust Services Criteria (Security, Availability, Confidentiality, Privacy)
• Oversee HIPAA/HITECH compliance and third‑party risk management for customers, partners, and vendors
• Translate audit and risk findings into actionable remediation plans without slowing business execution

• Embed security into all phases of the software development lifecycle (SDLC), including:
• Threat modeling
• SAST/DAST and dependency scanning
• Secure code reviews and change management
• Partner closely with Engineering, Dev Ops, and Product teams to enable “secure‑by‑design” pharmacy and healthcare applications
• Define and enforce security controls for CI/CD pipelines and cloud‑native environments (AWS/Azure/GCP)

• Own incident response planning, tabletop exercises, breach response, and regulatory notification processes
• Oversee vulnerability management, penetration testing, and continuous monitoring programs
• Ensure operational readiness for security events affecting pharmacy operations, customer systems, or patient data

• Act as executive security liaison for customers, payers, auditors, prospects, and partners
• Support enterprise sales cycles with security documentation, compliance narratives, and customer risk reviews
• Drive trust differentiation through strong external assurance (HITRUST, SOC
  2) without creating sales friction

• Build and lead a high‑performing security, GRC, and risk organization
• Mentor technical and non‑technical stakeholders on healthcare cybersecurity best practices
• Foster a culture where security enables innovation rather than blocks it

• 10+ years of progressive experience in information security, including senior leadership roles
• Deep hands‑on experience leading HITRUST CSF and SOC 2 audits in healthcare or healthcare SaaS environments
• Strong understanding of:
• HIPAA / HITECH
• NIST 800‑53 / NIST CSF
• Secure SDLC and Dev Sec Ops
• Proven ability to operate effectively with engineering, audit, legal, and executive teams

• Experience in Pharmacy Management Systems (PMS), EHR, payer platforms, or healthcare SaaS
• Familiarity with cloud security architectures and zero‑trust models
• CISSP, CISM, CCSK, or similar certifications
• Experience supporting large healthcare customers, PBMs, payers, and CMS‑regulated environments

• Successful and repeatable HITRUST and SOC 2 audit outcomes
• Security embedded into product lifecycle without slowing delivery
• Reduced customer security friction and accelerated enterprise sales
• Strong executive and Board‑level visibility into cybersecurity risk