Director of Governance, Risk, and Compliance

Pomelo Care

💵 $185k-$235k
📍 Remote - United States

Job highlights

Summary

Join Pomelo Care's growing information security team as the Director of Information Security Governance, Risk, and Compliance (GRC). This strategic role requires a focus on GRC, process improvement, scalability, and automation to align security with business objectives. You will lead risk management efforts, ensure compliance with relevant regulations (HIPAA, CCPA, CPRA, HITRUST, SOC 2, NIST-800, GDPR), and develop security awareness programs. The position involves collaborating with stakeholders, contributing to the overall security strategy, and managing a team of security professionals. This is a pivotal role in strengthening Pomelo Care's security foundation. The company offers a fast-paced, mission-driven environment with opportunities for growth and learning.

Requirements

  • 9+ years experience in information security (or 6 years experience and relevant bachelor's degree), with a focus on GRC
  • Strong understanding of governance, risk management, and compliance frameworks
  • Experience in collaborating with and influencing key stakeholders and ensuring security strategies align with business objectives
  • Strong technical background including full stack software development, system architecture and security fundamentals such as PKI, SAML, JWT, HMAC as well as MITRE ATT&CK and D3FEND frameworks and OWASP top ten mitigations
  • Relevant certifications (e.g. CISSP, CISM) required
  • Exceptional communication skills and the ability to convey complex security concepts to non-technical stakeholders

Responsibilities

  • Develop and maintain an information security governance framework
  • Establish and enforce security policies, standards, and procedures
  • Provide guidance on security best practices and industry standards
  • Collaborate with leadership to ensure security strategies align with business objectives
  • Lead the security team's risk management efforts
  • Conduct risk assessments to identify and evaluate security risks
  • Develop and implement risk mitigation strategies and action plans
  • Monitor and report on risk metrics and trends to senior management
  • Ensure the organization's compliance with relevant laws, regulations, certifications, assessments and industry standards including HIPAA, CCPA, CPRA, HITRUST, SOC 2, NIST-800, GDPR, among others
  • Conduct regular compliance assessments and audits
  • Collaborate with legal and regulatory affairs to address compliance requirements
  • Stay abreast of changes in relevant laws and regulations affecting security
  • Contribute to the development of the organization's overall security strategy
  • Provide strategic direction for security initiatives and projects
  • Collaborate with other departments to integrate security into business processes
  • Assess emerging technologies and trends for their impact on security
  • Oversee the development and delivery of security awareness programs
  • Conduct training sessions for employees on security policies and procedures
  • Foster a security-conscious culture throughout the organization
  • Assess and manage security risks associated with third-party vendors
  • Develop and maintain a vendor risk management program
  • Ensure third-party compliance with security standards
  • Provide regular updates and reports on security, risk, and compliance to senior management
  • Communicate security strategies and priorities to all stakeholders
  • Act as a liaison between technical security teams and executive leadership
  • Build, recruit, lead and manage a team of security professionals
  • Foster a collaborative and high-performing security team
  • Provide mentorship and professional development opportunities
  • Identify opportunities for process improvement within the security GRC function
  • Stay informed about industry trends and best practices
  • Implement continuous improvement initiatives to enhance security posture

Benefits

  • Competitive healthcare benefits
  • Generous equity compensation
  • Unlimited vacation
  • Membership in the First Round Network (a curated and confidential community with events, guides, thousands of Q&A questions, and opportunities for 1-1 mentorship)
