Director, Security & Risk at Equality Health
Job Description
Position Title: Director, Security & Risk
Reports To: VP, Workforce Technology, Strategy & Transformation
Classification: Exempt
Places of Work: Remote
People Leader: No
About the Organization:
Equality Health is an integrated, holistic, and tech-enabled healthcare delivery system focused on improving the health and wellness of diverse populations. Founded in 2015, Equality Health aims to improve access to value-based care for people who have long struggled with navigating the traditional one-size-fits-all U.S. healthcare system. The mission of the company is to provide high-quality care that improves and enhances lives regardless of race, ethnicity, age, or income.
Through its supplemental care management services and proprietary technology platform, CareEmpower™, Equality Health helps managed care plans and health systems improve outcomes and lower costs for diverse populations while simultaneously facilitating the transition to risk-based accountability. Equality Health supports over 800,000 members and more than 4,000 practice sites and continues to scale rapidly.
In 2021, Equality Health partnered with General Atlantic, a leading global growth equity firm, to help drive continued expansion and fuel the next phase of growth as a leading value-based primary care network serving the Medicaid, Medicare and ACA Exchange populations. This strategic investment will enable Equality Health to pursue further geographic expansion, technological innovation and product development while furthering its mission of increasing access to care, lowering costs and improving outcomes for underserved individuals, families and communities.
About the Role:
The Director, Security & Risk owns the enterprise security program end-to-end—strategy, roadmap, execution, and continuous improvement. This leader assesses the current posture, monitors industry and threat trends, and drives the must-do initiatives that protect every layer of the environment (cloud, network, endpoints, identity, apps, data). The role is both strategic and hands-on: you’ll shape policy and governance while leading SOC/IR workflows, vulnerability management, IAM, third-party risk, and security awareness. You’ll partner closely with IT/Cloud, Clinical, Data/Analytics, and Compliance, translating risk into clear business terms for executives and the board.
Key Responsibilities:
Strategy & Governance
- Assess security posture against NIST CSF/HIPAA and peer benchmarks; maintain a multi-year strategy and roadmap.
- Publish and enforce policies/standards; ensure audit readiness and version control.
Risk Management & Compliance
- Run periodic risk assessments; maintain a risk register with accountable owners and due dates.
- Coordinate HIPAA/HITECH compliance with Privacy/Compliance; manage findings to closure.
Security Operations & Engineering
- Own SIEM content, telemetry coverage, and alert fidelity; manage IDS/IPS and SOC workflows (internal + MSSP).
- Lead vulnerability management (scan cadence, SLAs, change control alignment) and drive remediation with system owners.
- Engineer and optimize controls: firewalls, EDR/XDR, DLP, email security, CASB/SSE, secure web gateway.
Identity, Access, and Data
- Enforce MFA, privileged access controls, joiner/mover/leaver processes, and periodic access reviews.
- Oversee DLP policies (M365/Netskope) and data classification/handling standards.
Incident Response, Continuity, and Resilience
- Maintain IR playbooks; run tabletops and post‑mortems; coordinate forensics and legal/comms as needed.
- Own BC/DR testing cadence; document results and drive improvements.
Awareness & Culture
- Deliver security awareness (phishing simulations, targeted training) and coaching for secure‑by‑default patterns.
Third‑Party / Vendor Security
- Execute TPRM lifecycle, contract security terms, and ongoing monitoring (see Vendor Security Assessment section).
- Own the Third‑Party Risk Management (TPRM) program: intake, inherent risk scoring, due diligence, onboarding, continuous monitoring, and offboarding.
- Assess vendors handling PHI/PII/PCI with right‑sized depth: SIG/SIG Lite questionnaires, SOC 2 Type II and/or ISO 27001 audit reports, HITRUST where applicable.
- Validate security controls: encryption at rest (AES-256) and in transit (TLS 1.2+), key management (KMS/HSM), vulnerability management cadence, patch SLAs, EDR/AV, logging and monitoring coverage.
- Review application and SDLC security: SAST/DAST results, dependency/OSS scanning (SCA), SBOM availability, pen test reports and remediation proof.
- Identity & Access: SSO (SAML/OIDC), SCIM provisioning, MFA enforcement, role‑based access, admin activity logging, least privilege.
- Data Handling & Privacy: data flow diagrams, data residency, subprocessor lists, data retention and secure deletion on termination; DPAs/BAAs in place with breach notification timelines.
- Resilience: documented BCP/DR with tested RTO/RPO; uptime SLAs; incident response plans and evidence of exercises.
- Compliance & Contracting: ensure BAAs (HIPAA), DPAs/CCPA/CPRA, SCCs if applicable; right-to-audit, evidence requests, and remediation SLAs embedded in contracts.
- Ongoing Monitoring: cadence for evidence refresh (e.g., annual SOC 2, pen test summaries), security scorecards, and triggers for reassessment after incidents or major changes.
- Exit Strategy: data return and deletion procedures, assistance during transition, certificate of destruction, and survival clauses for security obligations.
Budgeting
- Own annual plan and budget; develop board‑level reporting with KPIs/OKRs and control coverage metrics.
Architecture & Projects
- Provide security architecture reviews and design patterns for new systems, integrations, and clinical solutions.
- Embed security in delivery pipelines and change management; ensure separation of duties and approvals.
Continuous Improvement
- Track emerging threats and best practices; iterate roadmap and mentor the team.
Required Skills & Qualifications:
- Experience: 10+ years in information security with 5+ years leading teams or programs (operations, engineering, or GRC).
- Roadmap Ownership: 3+ years owning a security roadmap tied to business objectives, budgets, and measurable outcomes.
- Healthcare: Hands-on HIPAA/HITECH experience; familiarity with HITRUST or mapping NIST CSF to HIPAA safeguards.
- Frameworks: Practical expertise in NIST CSF, NIST 800-53, ISO 27001; third-party risk practices (SIG/SIG Lite, SOC 2).
- Cloud: AWS security (IAM, KMS, Security Hub, GuardDuty, VPC, WAF/Shield, key rotation, least privilege).
- Identity: Enterprise IAM/MFA/SSO (Microsoft Entra ID/Azure AD or Okta); strong least-privilege and access review discipline.
- Detection & Response: SIEM (Microsoft Sentinel and/or Splunk) content design/tuning, UEBA, runbooks, dashboarding.
- Endpoint & Email Security: EDR/XDR (Microsoft Defender for Endpoint/CrowdStrike/etc.), hardening/baselines; email security with Mimecast (policies, impersonation protection, URL/attachment sandboxing).
- SSE/CASB & DLP: Operational experience with Netskope (policies, DLP, inline controls, app governance, shadow IT) and M365/Azure Purview DLP.
- Network & Data Protection: Next-gen firewalls (Palo Alto/Fortinet), IDS/IPS, segmentation/zero trust, TLS 1.2+; key management and encryption at rest (AES-256) and in transit.
- Vulnerability & Patch: Tenable/Qualys/Rapid7; risk-based prioritization (EPSS/CVSS + asset criticality) with defined SLAs across OS, apps, and cloud.
- Incident Response & Resilience: IR playbooks, tabletop exercises, forensics coordination, BC/DR testing and improvement cycles.
- Automation: PowerShell and/or Python for enrichment, response, and reporting.
- Communication: Executive-level storytelling; board-ready risk reporting and KPI/OKR management.
- Leadership: Proven ability to run multi‑workstream programs and drive change across IT, Security, Clinical, and Compliance.
- Education/Certs: Bachelor’s in CS/IT/Cyber or equivalent; CISSP or CISM required (maintained and in good standing).
Tooling Requirements
- Netskope SSE/CASB: Policy design and operations (DLP dictionaries, exact data match, inline controls, app risk, Shadow IT discovery, inline/blocking policies, coaching pages).
- Mimecast: Inbound/outbound policies, impersonation protection, DMARC/DKIM/SPF alignment, URL/attachment sandboxing, secure messaging, business email compromise countermeasures.
- Microsoft 365 Defender Suite: Defender for Endpoint, Defender for Office 365, Defender for Identity, MDO tuning and reporting.
- Microsoft Sentinel: Data connectors, parser/normalization, analytics rules, UEBA, hunting queries, workbooks, automation (Logic Apps).
- AWS Security: IAM least privilege, KMS key lifecycle, GuardDuty/Security Hub/WAF/Shield, VPC security, CloudTrail/Config logging and retention, S3 bucket policies and encryption.
Preferred Skills & Qualifications:
- HITRUST (CCSFP) or ISO 27001 implementation/audit experience.
- HCISPP, CCSP, CISA, or product certs (Palo Alto, Microsoft Defender/Sentinel, Netskope, Mimecast).
- Kubernetes security, container scanning, and IaC scanning (Terraform + Checkov) experience.
- Experience managing $1M+ security portfolios and multi‑vendor MSSP ecosystems.
- Developed KPI/OKR programs (MTTD/MTTR, patch compliance, control coverage, phishing risk) with trend reporting.
Equality Health provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.
This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.