Security & Compliance Analyst II

Summary

Join Headspace as a Security & Compliance Analyst II and play a key role in enhancing our risk and security programs. You will oversee security, risk, compliance, and privacy programs, implementing and testing controls. Lead external audits (HITRUST, SOC 2, Cyber Essentials+), manage stakeholder communications, and track remediation plans. You will also triage and respond to customer security questionnaires, maintain the vendor risk management program, and partner with cross-functional teams on security reviews. Maintain security policies and procedures, support continuous improvement initiatives, and contribute to a dynamic and meaningful work environment. This role offers the opportunity to leverage cutting-edge technologies and make a significant impact on Headspace's security posture.

Requirements

• 3+ years of experience in a security, compliance, privacy, or risk-related role
• Bachelor’s degree in a related field (e.g., Information Security, Information Technology, Computer Science, etc. ) or equivalent practical experience in a security, compliance, or privacy-related role
• Foundational understanding of security, privacy, and compliance frameworks (e.g., SOC 2, HITRUST, HIPAA, ISO 27001 and NIST)
• Strong organizational and project management skills, with the ability to track multiple deadlines across audits, vendor reviews, and cross-functional initiatives
• Excellent written and verbal communication skills, especially in translating technical or policy-heavy material for varied audiences
• Comfortable working with SaaS tools such as Jira, Confluence, Google Workspace, and other GRC or project tracking systems
• Curiosity and initiative in learning security and risk concepts, with a growth mindset toward more technical domains

Responsibilities

• Own and provide oversight of programs across security, risk, compliance, and privacy at Headspace, helping implement and test controls in numerous security domains
• Lead day-to-day coordination of external audits, including HITRUST, SOC 2, and Cyber Essentials+, by gathering evidence, managing stakeholders, and tracking remediation plans to completion
• Triage, track, and respond to B2B customer security questionnaires, ensuring timely, accurate, and scalable delivery of assurance documentation while implementing on-going automation efforts
• Maintain and monitor the vendor risk management program, including onboarding reviews, risk assessments, reassessments, and supporting documentation workflows
• Partner with Product, Engineering, Legal, and IT teams to help conduct security reviews and embed privacy and compliance into the product development lifecycle
• Maintain security policies and procedures, ensuring they align with internal processes, audit frameworks, and regulatory requirements
• Support continuous improvement initiatives across GRC tooling, automation, and metrics/reporting infrastructure

Preferred Qualifications

• Experience in Healthcare or Health-Tech
• Exposure to external audits or assessments, including the ability to interface with auditors and communicate security/compliance requirements internally
• Prior experience at a Big 4 firm or within a structured audit environment is a plus

Benefits

• Comprehensive healthcare coverage
• Monthly wellness stipend
• Retirement savings match
• Lifetime Headspace membership
• Generous parental leave