Director of Information Security & Compliance

Description

Job Title: Director of Information Security & Compliance

About Us

On a mission to deliver affordable, delightful healthcare for all, First Stop Health provides connected, whole-person virtual care to employers 24/7 through app, website, or phone in all 50 states. First Stop Health prioritizes an engaging and easy-to-use experience, setting people on healthier journeys through care at multiple stages.

First Stop Health offers a comprehensive benefits package that includes various health and medical coverage options, dental and vision coverage, disability and life coverage, making healthcare easily accessible. For those that choose to waive medical coverage a monthly medical waiver allowance will be provided.

First Stop Health offers a remote-first work environment and flexible paid time off, including Summer Fridays. Furthermore, the employer match 401k plan and monthly phone stipend demonstrate the company's commitment to employee financial well-being. The First Stop Health membership benefit is another added perk for employees and provides our virtual care solutions - Urgent Care, Mental Health, and Primary Care - from their very first day!

Job Description

We are seeking a Director of Information Security & Compliance to serve as First Stop Health’s first dedicated security leader. This is a hybrid role combining strategic program ownership with hands-on execution. You will develop and maintain a comprehensive information security and privacy program, reporting to the VP of IT and working closely with our virtual Chief Information Security Officer (vCISO) and cross-functional teams. You’ll drive both immediate technical improvements and long-term strategic initiatives, while influencing stakeholders at every level of the organization. This role offers significant growth opportunity, positioning the right candidate to potentially grow into our future CISO.

Key Responsibilities

Security Strategy & Leadership

• Develop and execute a comprehensive security and compliance strategy in collaboration with the vCISO
• Own the security roadmap aligned to business goals and regulatory requirements
• Chair the Security Committee, lead policy creation and refresh cycles, and drive company-wide security culture
• Influence executive stakeholders, translating technical risk into business terms
  
  

Regulatory Compliance & Risk Management

• Lead SOC 2 Type 2 and HIPAA compliance programs, including audit coordination, controls, and evidence collection
• Manage vendor due diligence, client security questionnaires, and third-party security reviews
• Conduct regular risk assessments, pen testing, access reviews, vulnerability scans, and patching reviews
• Maintain Business Associate Agreements (BAAs), Privacy Impact Assessments (PIAs), and support CCPA/CPRA compliance
  
  

Technical Security Operations

• Implement and manage identity and access management (SSO, conditional access, granular permissioning)
• Build and maintain SIEM platform, logging, and monitoring for improved visibility
• Deploy and operate security tooling: DLP, endpoint protection, vulnerability management
• Automate security processes such as account administration, onboarding/offboarding, and compliance workflows
• Coordinate incident response with IT, Engineering, Legal, and vCISO; lead tabletop exercises and after-action reviews
  
  

Security Engineering & DevSecOps

• Partner with engineering teams to embed security into the SDLC, CI/CD pipelines, and infrastructure as code
• Implement secure cloud architecture, container security, and automated compliance checks
• Drive secure coding practices, threat modeling, and security champion programs
  
  

Training & Awareness

• Design and deliver company-wide security training, including HIPAA, phishing simulations, and secure email handling
• Create guidelines for safe AI tool usage and foster a culture of security awareness across all teams
  
  

Immediate Priorities (First 90 Days)

• Implement SSO requirements for escalated roles and administrative access
• Fix logging infrastructure and establish comprehensive monitoring
• Redesign application permissioning from page-based to object-based granular model
• Deploy and configure SIEM platform for event monitoring and response
• Improve automated account administration and offboarding processes
• Advance DLP capabilities and endpoint protection
• Establish Conditional Access Policies and Intune device management for O365
• Launch security training and phishing simulation programs
• Complete security reviews for AI tools and critical vendor integrations
  
  

Requirements

• 7+ years of experience in information security roles, with a balance of compliance and technical expertise
• Proven experience with HIPAA, SOC 2, and healthcare privacy regulations
• Strong technical skills in cloud security (AWS), IAM, SIEM, DLP, vulnerability management, and security architecture
• Experience leading SOC 2 audits and evidence collection
• Ability to influence executives and cross-functional stakeholders; strong communication and project management skills
• Preferred certifications: CISSP, CISM, CISA, HCISPP, CCSP, or healthcare-specific equivalents
• Startup/SaaS and remote-first work experience highly valued
  
  

First Stop Health is committed to diversity, equity, inclusion, and belonging. Research shows that women, people of color and other historically underrepresented groups tend to only apply to jobs in which they meet all of the job requirements. Unsure if you check every box? Apply. We’d love to consider your unique experiences and how you could make First Stop Health even better.

To learn more about First Stop Health, visit https://www.firststophealth.com/ and if you require any assistance during the application process or have questions, please don't hesitate to contact our talent acquisition team via email at [email protected].