Senior Security and Compliance Lead
About the role
The Senior Security and Compliance Lead owns the strategy, execution, and continuous improvement of the organization's information security and regulatory compliance programs. This leader is accountable for protecting company, customer, and employee data; maintaining the organization's security posture across its cloud environments; and ensuring that the business meets its legal, contractual, and industry-standard obligations.
The role combines hands-on technical leadership with executive-level program management. The Lead builds and leads the security and compliance function, partners across Engineering, Product, and Operations, and reports to the CTO.
The Lead is responsible for establishing and maintaining the organization's IT governance framework, risk management methodologies, and cybersecurity compliance programs. This includes developing enterprise policies and control frameworks aligned with regulatory requirements and security standards such as ISO 27001, SOC 2, NIST, and HITRUST; conducting risk assessments; managing third-party risk evaluations; and facilitating cybersecurity audits. The Lead also creates and maintains security policies, develops security awareness training programs, and serves as the liaison between business, IT, and regulatory bodies, translating compliance requirements into actionable governance strategies.
What you’ll do
Security Strategy & Leadership
- Define and own the multi-year information security strategy and roadmap aligned to business objectives.
- Build, mentor, and lead the security and compliance team, including security engineers, analysts, and GRC staff.
- Establish and report on security KPIs, KRIs, and program maturity metrics.
- Manage the security and compliance budget, vendor relationships, and tooling investments.
Governance, Risk & Compliance (GRC)
- Own the enterprise risk management program: identify, assess, prioritize, and track remediation of security risks.
- Lead audit readiness, certification, and regulatory compliance efforts (e.g., SOC 2 Type II, ISO 27001, HITRUST, HIPAA, GDPR, CCPA).
- Develop, maintain, and enforce security policies, standards, and procedures.
- Manage relationships with external auditors, assessors, and regulators; coordinate evidence collection and remediation.
- Oversee third-party and vendor risk management and customer security questionnaire responses.
- Partner with other functions on data privacy obligations, breach notification readiness, and cross-functional compliance matters.
Security Operations & Engineering
- Direct security operations, including monitoring, detection, vulnerability management, and patching.
- Own the incident response program — preparation, detection, containment, eradication, recovery, and post-incident review.
- Oversee identity and access management, encryption, network security, and cloud security posture management.
- Champion 'security by design' and shift-left practices within the software development lifecycle.
- Lead business continuity and disaster recovery planning, testing, and continuous improvement.
Awareness & Culture
- Design and administer security awareness, training, and phishing simulation programs across the organization.
- Foster a 'security is everyone’s responsibility' culture — serve as the internal champion and go-to escalation point for security matters.
- Act as a calm, c