Security & Compliance Analyst II

Headspace
Summary
Join Headspace as a Security & Compliance Analyst II and play a key role in enhancing our risk and security programs. You will oversee security, risk, compliance, and privacy programs, implementing and testing controls. Lead external audits (HITRUST, SOC 2, Cyber Essentials+), manage stakeholder communications, and track remediation plans. You will also triage and respond to customer security questionnaires, maintain the vendor risk management program, and partner with cross-functional teams on security reviews. Maintain security policies and procedures, support continuous improvement initiatives, and contribute to a dynamic and meaningful work environment. This role offers the opportunity to leverage cutting-edge technologies and make a significant impact on Headspace's security posture.
Requirements
- 3+ years of experience in a security, compliance, privacy, or risk-related role
- Bachelor's degree in a related field (e.g., Information Security, Information Technology, Computer Science, etc.) or equivalent practical experience in a security, compliance, or privacy-related role
- Foundational understanding of security, privacy, and compliance frameworks (e.g., SOC 2, HITRUST, HIPAA, ISO 27001 and NIST)
- Strong organizational and project management skills, with the ability to track multiple deadlines across audits, vendor reviews, and cross-functional initiatives
- Excellent written and verbal communication skills, especially in translating technical or policy-heavy material for varied audiences
- Comfortable working with SaaS tools such as Jira, Confluence, Google Workspace, and other GRC or project tracking systems
- Curiosity and initiative in learning security and risk concepts, with a growth mindset toward more technical domains
Responsibilities
- Own and provide oversight of programs across security, risk, compliance, and privacy at Headspace, helping implement and test controls in numerous security domains
- Lead day-to-day coordination of external audits, including HITRUST, SOC 2, and Cyber Essentials+, by gathering evidence, managing stakeholders, and tracking remediation plans to completion
- Triage, track, and respond to B2B customer security questionnaires, ensuring timely, accurate, and scalable delivery of assurance documentation while implementing ongoing automation efforts
- Maintain and monitor the vendor risk management program, including onboarding reviews, risk assessments, reassessments, and supporting documentation workflows
- Partner with Product, Engineering, Legal, and IT teams to help conduct security reviews and embed privacy and compliance into the product development lifecycle
- Maintain security policies and procedures, ensuring they align with internal processes, audit frameworks, and regulatory requirements
- Support continuous improvement initiatives across GRC tooling, automation, and metrics/reporting infrastructure
Preferred Qualifications
- Experience in Healthcare or Health-Tech
- Exposure to external audits or assessments, including the ability to interface with auditors and communicate security/compliance requirements internally
- Prior experience at a Big 4 firm or within a structured audit environment is a plus
Benefits
- Comprehensive healthcare coverage
- Monthly wellness stipend
- Retirement savings match
- Lifetime Headspace membership
- Generous parental leave