Chief Information Security Officer

Outcomes | Millbrae, CA | May 18th, 2026

Chief Information Security Officer (CISO)
Location: Remote / Hybrid (US)
Reports to: COO
Industry: Healthcare Technology

Role Summary

The Chief Information Security Officer (CISO) is responsible for establishing, executing, and continuously improving the organization’s enterprise information security, privacy, and risk management program. This role is critical to ensuring the confidentiality, integrity, and availability of healthcare data—including PHI—while enabling rapid software innovation in a regulated pharmacy and healthcare technology environment.

The CISO will lead security strategy across HITRUST CSF, SOC 2 (Type I & II), HIPAA/HITECH, and aligned frameworks (NIST 800-53, NIST CSF), with a strong focus on secure software development lifecycle (SSDLC), cloud security, audit readiness, and customer trust.

Key Responsibilities

Security Strategy & Governance
- Define and execute the enterprise information security strategy aligned to business growth, product roadmap, and regulatory requirements
- Serve as the executive owner of cybersecurity risk management, reporting regularly to executive leadership and the Board
- Establish security policies, standards, and metrics aligned with HITRUST CSF, SOC 2, HIPAA, and NIST frameworks

Compliance, Audit & Risk Management
- Own and lead HITRUST certification (initial and recertification), including control design, evidence management, assessor engagement, and gap remediation
- Lead SOC 2 Type II audits, including Trust Services Criteria (Security, Availability, Confidentiality, Privacy)
- Oversee HIPAA/HITECH compliance and third-party risk management for customers, partners, and vendors
- Translate audit and risk findings into actionable remediation plans without slowing business execution

Secure Software Development Lifecycle (SSDLC)
- Embed security into all phases of the software development lifecycle (SDLC), including:
  - Secure architecture standards
  - Threat modeling
  - SAST/DAST and dependency scanning
  - Secure code reviews and change management
- Partner closely with Engineering, DevOps, and Product teams to enable “secure-by-design” pharmacy and healthcare applications
- Define and enforce security controls for CI/CD pipelines and cloud-native environments (AWS/Azure/GCP)

Incident Response & Security Operations
- Own incident response planning, tabletop exercises, breach response, and regulatory notification processes
- Oversee vulnerability management, penetration testing, and continuous monitoring programs
- Ensure operational readiness for security events affecting pharmacy operations, customer systems, or patient data

Customer, Sales & External Trust Enablement
- Act as executive security liaison for customers, payers, auditors, prospects, and partners
- Support enterprise sales cycles with security documentation, compliance narratives, and customer risk reviews
- Drive trust differentiation through strong external assurance (HITRUST, SOC 2) without creating sales friction

Leadership & Team Development
- Build and lead a high-performing security, GRC, and risk organization
- Mentor technical and non-technical stakeholders on healthcare cybersecurity best practices
- Foster a culture where security enables innovation rather than blocks it

Required Qualifications
- 10+ years of progressive experience in information security, including senior leadership roles
- Deep hands-on experience leading HITRUST CSF and SOC 2 audits in healthcare or healthcare SaaS environments
- Strong understanding of:
  - HIPAA / HITECH
  - NIST 800-53 / NIST CSF
  - Secure SDLC and DevSecOps
- Proven ability to operate effectively with engineering, audit, legal, and executive teams

Preferred Qualifications
- Experience in Pharmacy Management Systems (PMS), EHR, payer platforms, or healthcare SaaS
- Familiarity with cloud security architectures and zero-trust models
- CISSP, CISM, CCSK, or similar certifications
- Experience supporting large healthcare customers, PBMs, payers, and CMS-regulated environments

What Success Looks Like
- Successful and repeatable HITRUST and SOC 2 audit outcomes
- Security embedded into product lifecycle without slowing delivery
- Reduced customer security friction and accelerated enterprise sales
- Strong executive and Board-level visibility into cybersecurity risk