
Associate Director, Information Security & Compliance

Job in Seattle, King County, Washington, 98127, USA
Listing for: MCG Health
Full Time position
Listed on 2025-12-02
Job specializations:
  • IT/Tech
    Cybersecurity, Data Security, Information Security
Job Description & How to Apply Below

Associate Director, Information Security & Compliance

Join to apply for the Associate Director, Information Security & Compliance role at MCG Health.

At MCG, we lead the healthcare community to deliver patient‑focused care. We have a mission‑driven team of talented physicians and technical experts developing our evidence‑based content and innovating our products to accelerate improvements in healthcare. If you are driven to enhance the US healthcare system, MCG is eager to have you join our team. We cultivate a work environment that nurtures personal and professional growth, and this is a thrilling time to become a part of our organization.

With dynamic roles that offer meaningful impact, you'll be able to fully realize your potential. Plus, you'll enjoy world‑class benefits and the security, stability, and resources of our parent company, Hearst, with over 100 years of experience.

The Associate Director, Information Security & Compliance is a security engineering leader who enables our teams to ship quickly and safely and ensures the integrity of our deployed products. You will build paved roads and guardrails – codified as Infrastructure as Code (IaC), Policy as Code, and automated controls – so MCG's SaaS products meet HIPAA/HITRUST while improving developer velocity. Partnering with Product, Engineering, and IT, you'll integrate security into CI/CD, automate audit evidence, and turn security into an accelerator for frequent, reliable releases.

You Will:
  • Build secure‑by‑default platforms
  • Define and own "paved roads" (golden paths) for service creation, deployment, and runtime with embedded controls
  • Express controls as code:
    IaC (Terraform), Policy‑as‑Code (Rego, Azure Policy as Code), Compliance‑as‑Code (automated evidence collection)
  • Embed security in the software lifecycle
  • Partner with engineering to shift left via CI/CD: SAST, SCA, container scanning, IaC scanning, DAST, SBOM, break‑glass processes with audit trails
  • Integrate lightweight threat modeling into backlog/PRs; maintain secure coding standards and reference implementations
  • Automate compliance & audit readiness
  • Maintain HIPAA & HITRUST through continuous controls monitoring and automated evidence pipelines; reduce manual audit work with repeatable proofs
  • Create and maintain relevant documentation to support FedRAMP certification efforts
  • Harden cloud & runtime
  • Own CSPM/CNAPP baselines, least‑privilege access IAM, network isolation, KMS/secret stores, container hardening, supply‑chain security
  • Operational resilience
  • Define vulnerability SLAs risk‑based by asset criticality; drive time to patch with automation and safe rollout patterns
  • Lead incident response readiness: playbooks, tabletop exercises, automated detections, and post‑incident learning loops
  • AI & Data Protections
  • Govern data use and model safety for AI features (prompt/response logging controls, PII/PHI handling, third‑party risk reviews) without slowing delivery
  • Partnership & Leadership
  • Coach engineers; measure and report outcomes (DORA + security KPIs). Foster a blameless, data‑driven culture where secure choices are the easiest choices
What We’re Looking For:
  • Bachelor’s degree in Information Security, Computer Science, or related field required.
  • 6+ years of experience in product/application security, compliance, or risk management for SaaS.
  • 2+ years of team or functional leadership experience required.
  • Demonstrated success enabling frequent deployments in regulated environments (HIPAA/HITRUST/FedRAMP) and proven experience with HIPAA and HITRUST controls required.
  • Practical experience integrating security into CI/CD and operating SAST/SCA/DAST, and container/IaC scanners
  • Excellent judgment, communication, and stakeholder management.
  • Proven collaborator with Product/Engineering/IT with a track record of delivering automation
Licensure / Certifications / Registrations / Permits:
  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or equivalent certification required.
Preferred Qualifications:
  • Demonstrated ability to earn and maintain customer trust preferred.
  • Experience with Policy as Code (OPA/Conftest/Sentinel) and compliance/automation pipelines…
Position Requirements
10+ Years work experience