IT Compliance & Risk Lead
Pay: $120,000 per year

Key Responsibilities

The following areas define day-to-day ownership and decision rights for this role.

- Compliance Program Ownership - Own HIPAA and PCI-DSS compliance end-to-end. Run audit cycles, manage evidence collection, and maintain control narratives. Track applicable state privacy and breach notification laws (e.g., CCPA/CPRA, NY SHIELD) and manage SOC 2 obligations as the business expands.
- Policy & Governance - Develop, maintain, and enforce IT policies, standards, and procedures aligned to NIST CSF, HIPAA Security Rule, and PCI-DSS. Translate framework requirements into practical, operational controls.
- Risk Management - Maintain the enterprise risk register. Conduct regular risk assessments, prioritize threats, track remediation, and report risk posture to leadership on a defined cadence.
- SOC Partner Oversight - Manage the relationship with Nuvia’s managed SOC partner. Review and route alerts, validate that remediations close the loop, and ensure SOC reporting feeds the compliance program and audit evidence.
- Vulnerability & Patch Oversight - Track vulnerabilities surfaced by the SOC and internal scans. Drive remediation to closure within regulatory SLAs (e.g., the PCI-DSS 30-day window for high-risk findings). Coordinate annual penetration testing.
- Incident Response Coordination - Partner with the SOC on containment and investigation. Lead post-incident review, document findings, coordinate breach notification obligations under HIPAA and applicable state laws, and maintain a current IR plan.
- Access & Identity Governance - Define IAM policy and least-privilege standards. Conduct quarterly access reviews. Ensure provisioning and deprovisioning are timely, documented, and audit-ready.
- Vendor & Third-Party Risk - Maintain the vendor risk inventory. Run security and privacy assessments on new vendors handling sensitive data. Ensure contracts include appropriate security, privacy, and BAA terms.
- Security Awareness & Training - Run annual security awareness training, monthly phishing simulations, and role-based training for high-risk teams. Track completion and report metrics to leadership.

First-Year Priorities

This is a foundational hire. Your first twelve months will focus on standing up the program, not optimizing one that already exists.

Expected priorities:

- Stand up and operationalize the enterprise risk register, anchored by a baseline HIPAA Security Risk Analysis.
- Build the vendor risk inventory, validate BAA coverage across all PHI-handling vendors, and set a refresh cadence.
- Establish quarterly user access reviews across critical clinical, financial, and administrative systems.
- Codify the incident response plan and run at least one tabletop exercise with the SOC partner.
- Stand up annual security awareness training and a monthly phishing simulation program.

Performance Metrics

Success in this role is measured by Nuvia’s ability to meet its regulatory obligations, manage risk, and operate a compliance program that holds up under audit.

| Metric | Target | Scope |
| --- | --- | --- |
| Audit Outcomes | No material findings | External audits (HIPAA, PCI-DSS, SOC 2) |
| Risk Register Closure | 90%+ | Risks remediated within agreed SLA |
| Vuln Remediation | 30-day SLA | High-risk findings (PCI-DSS-aligned) |
| Training Completion | 95%+ | Annual security awareness |

Qualitative outcomes expected:

- External audits (HIPAA, PCI-DSS, SOC 2) close with no material findings.
- A current, accurate, board-readable risk register that drives prioritization across IT and the business.
- The SOC partnership produces actionable findings, and findings consistently drive remediation to closure.
- A complete vendor risk inventory, refreshed annually, with up-to-date BAAs and security terms.
- Improved employee security hygiene, reflected in declining phishing simulation click rates.
- Compliance and risk requirements considered up-front in new projects and technology decisions, not retrofitted.

Qualifications

Education & Experience

- Bachelor's degree in Cybersecurity, Information Systems, Risk Management, IT, or equivalent experience.
- 4–7 years of experience in IT compliance, GRC, audit, or risk management roles.
- Hands-on experience leading or coordinating an external audit (HIPAA, PCI-DSS, SOC 2).
- Experience managing or partnering with a managed SOC, MSSP, or MDR provider.
- Experience working with Legal, HR, Finance, and executive stakeholders on security and risk topics.

Technical Skills

Skills are tiered. Primary skills are required; preferred skills are familiarity-level — enough to oversee the SOC partner and translate their work into compliance evidence.

- Primary/Required: GRC Platforms (Vanta, Drata, AuditBoard), Audit Evidence Management, Risk Register Tools, Policy Authoring, IAM Governance & Access Reviews, Vendor Risk Management
- Preferred/Familiarity: SIEM / Log Review (for SOC oversight), EDR / Endpoint Tooling Familiarity, Cloud Compliance (AWS / Azure), Vulnerability Management Workflows, Penetration Testing Coordination, Data Privacy Tooling

Compliance Frameworks & Standards

HIPAA and PCI-DSS are load-bearing for Nuvia’s clinical and payment operations. NIST CSF guides the program. Other frameworks below are nice-to-have based on candidate background or future business needs.

- Primary/Required: HIPAA, PCI-DSS, NIST CSF
- Preferred/Familiarity: SOC 2 Type II, State Privacy & Breach Laws, CIS Controls, ISO 27001, GDPR (as applicable)

Soft Skills & Behaviors

- Preferred/Familiarity: Risk-based thinker, Clear communicator, Translates risk to business, Detail-oriented, Calm under pressure, Cross-functional collaborator, Vendor management, Audit-ready mindset, Proactive mindset

Preferred Certifications

- Primary/Required: CISA (Information Systems Auditor), CRISC (Risk & Information Systems), CompTIA Security+
- Preferred/Familiarity: CHC (Certified in Healthcare Compliance), CIPP / US (Privacy), ISO 27001 Lead Auditor, CISSP (preferred for senior candidates), CISM (preferred for senior candidates)