Senior Manager - Information Security, Governance, Risk, Compliance
Listed on 2026-06-05
IT/Tech
Cybersecurity, Information Security
About Stellar Health
Historically, US Healthcare has relied on a fee-for-service reimbursement system where providers are paid based on the quantity of patient visits and procedures, rather than the quality of health outcomes.
At Stellar Health, we help primary care providers put patient health first. Our platform - a mix of technology, people, and analytics - supports providers at the point of care, delivering real-time patient information, activating practice staff, and empowering providers and care teams with incentives that reward the work they are already doing to keep patients healthy. Using the Stellar App, our web-based, point-of-care tool, practices receive a simple checklist of recommended actions that support the best quality care. Providers and care teams are then paid monthly for each action they complete, and Payors save money in reduced healthcare costs along the way.
Stellar is a US-based Health-tech backed by Top VCs (General Atlantic, Point72, & Primary Venture Partners) with an established product & proven operating model. We’ve shown that we make a real difference for physician practices and their patients.
Stellar Health is looking for a Senior Manager - Information Security, Governance, Risk, and Compliance to help prioritize and drive our Information Security program and investments. This role will report to our Senior Director, IT & Security.
We are looking for an individual who is passionate about building, scaling, and maintaining security governance processes that are thoughtfully designed for external users, customers, auditors, and teammates alike. You will have the autonomy and authority to approve or reject evidence submissions, accept low-risk exceptions, approve compensating controls, and close audits.
Stellar Health operates in the Health Tech space and is HITRUST R2 certified. This role will help ensure our security program is as effective, organized, and proactive as possible by:
- Reducing the effort to maintain and demonstrate our alignment to HITRUST by maximizing our use of Vanta to automate the collection of evidence, maintain up to date documentation, and deploy continuous testing of controls.
- Aligning with our cross-functional teams as they deliver on their controls and support our security processes, ensuring clarity and accountability for all parties.
- Leading our annual and ongoing risk assessment processes, including managing the risk register and mitigation plans.
- Enabling company growth acceleration by facilitating the strategic and thoughtful completion of customer and vendor security reviews.
- Overseeing incident response processes, supporting documentation, and corrective actions.
- Deploying and managing the third-party vendor management program and processes.
- Oversight of the selection and deployment of security related training across the enterprise.
- Creating and managing dashboards and other materials that keep leadership informed and support Committee and Board meetings.
Within your first month, you should have a solid foundation of our current security posture, controls, and security processes, what is working well and where there are gaps. You will use this foundation to build a longer term roadmap for our GRC efforts.
Additionally, you will:
- Support our interim HITRUST assessment with a focus on open items that could require remediation.
- Review the current GRC tooling environment and produce a plan for enhancements.
- Prioritize a list of improvements to the third party vendor management program.
- Implement improvements to current evidence collection processes and/or automations.
- Facilitate the interim HITRUST assessment with the external auditing firm.
- Implement 1-2 improvements to the GRC tooling environment.
- Refresh our customer facing trust center.
- Create a remediation plan for HITRUST gaps, if any, including timelines and commitments from business owners.
- Establish a process to review high risk applications and systems with System Owners to ensure they align to any applicable security standards/controls and other security recommendations.
- 8-10 years of security program experience, with 4-5 years of direct experience building and implementing GRC tooling and processes.
- Familiarity and experience helping design controls in AWS cloud environments and infrastructure that meet regulatory commitments.
- Demonstrated experience with Vanta.
- Demonstrated experience with security monitoring tools including:
  - CrowdStrike
  - Panther
  - DefectDojo
  - AWS native security tooling (Inspector, Config, Security Hub)
- Experience leading audits of security frameworks (e.g. SOC 2 Type 2, ISO 27001, HITRUST). Preference given to those with HITRUST experience.
Stellar offers a carefully curated selection of wellness benefits and perks to our employees:
- Medical, Dental and Vision Benefits
- Flexible PTO
- Universal Paid Family Leave
- Company sponsored One Medical memberships and Citibike memberships
- Medical Travel Benefits
- A monthly wellness stipend that gives…