Lead Security Analyst - GRC

At Collective Health, we’re transforming how employers and their people engage with their health benefits by seamlessly integrating cutting-edge technology, compassionate service, and world-class user experience design.

You’ll lead initiatives that address the company’s—and some of our industry’s—most sophisticated and meaningful security engineering challenges. You will build relationships across all parts of the business and drive multi-functional initiatives to continuously improve our security and privacy posture. You will be responsible for building and implementing controls that can scale and optimize as we move into a context-aware security environment.

What you'll do:

Governance & Compliance:

• Evaluate and implement security controls based on frameworks such as NIST, CIS, HIPAA, SOC 2, and HITRUST.
• Develop and maintain policies, procedures, and documentation (controls, narratives, matrices).
• Lead SOC 2 and HITRUST audit engagements, from audit planning through remediation.
• Coordinate and monitor third-party risk assessments and compliance reviews.
• Own and lead BCP (Business Continuity Planning) and BIA (Business Impact Assessments) efforts.
• Build and maintain security risk registry

Audit & Risk Management:

• Perform audit readiness assessments, and support internal/external audits.
• Partner with external auditors, control owners, and leadership to minimize business disruption.
• Track and drive remediation plans based on audit findings and compliance gaps.
• Maintain and communicate exception documentation for policy deviations.
• Educate and guide control/risk owners on their responsibilities.

Advisory & Communication:

• Act as a liaison between technical and non-technical stakeholders.
• Respond to security questionnaires, RFIs, and client compliance inquiries.
• Develop and deliver security awareness and training programs.
• Provide executive reporting on program status, risks, and overall health.

To be successful in this role, you'll need:

Required:

• 8+ years in cybersecurity, GRC, audit, or risk/compliance roles.
• Experience managing SOC 2 / HITRUST audits, especially in cloud-native environments.
• Strong working knowledge of security frameworks and regulatory requirements.
• Demonstrated policy, data management, and risk mitigation capabilities.
• Familiarity with GRC tools and audit processes.
• Excellent communication and cross-functional collaboration skills.

Preferred (Nice to Haves):

• • Big 4 accounting firm background.
  • Professional certifications: CISSP, CISA, CRISC, CISM, or similar.
    
    

Pay Transparency Statement 

This is a hybrid position based out of one of our offices: San Francisco, CA, Plano, TX, or Lehi, UT. Hybrid employees are expected to be in the office two days per week.#LI-hybrid 

The actual pay rate offered within the range will depend on factors including geographic location, qualifications, experience, and internal equity. In addition to the salary, you will be eligible for stock options and benefits like health insurance, 401k, and paid time off. Learn more about our benefits at https://jobs.collectivehealth.com/benefits/.

San Francisco, CA Pay Range$168,000—$210,000 USDLehi, UT Pay Range$134,500—$168,000 USDPlano, TX Pay Range$147,800—$185,500 USD

Why Join Us?

• Mission-driven culture that values innovation, collaboration, and a commitment to excellence in healthcare
• Impactful projects that shape the future of our organization
• Opportunities for professional development through internal mobility opportunities, mentorship programs, and courses tailored to your interests
• Flexible work arrangements and a supportive work-life balance

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. Collective Health is committed to providing support to candidates who require reasonable accommodation during the interview process. If you need assistance, please contact recruiting-accommodations@collectivehealth.com.

Privacy Notice

For more information about why we need your data and how we use it, please see our privacy policy: https://collectivehealth.com/privacy-policy/.