Director of Information Security
Remote, US
firsthand
firsthand's team members use their lived experience to build trust with these individuals and support them in reconnecting to the healthcare they need, while minimizing inappropriate healthcare utilization. Together with our health plan partners, we are changing the way our society supports those most impacted by SMI.
We are cultivating a team of deeply passionate problem-solvers to tackle significant and complex healthcare challenges with us. This is more than a job—it's a calling. Every day, you will engage in work that resonates with purpose, gain wisdom from motivated colleagues, and thrive in an environment that celebrates continuous learning, creativity, and fun.
At firsthand, the Director of Information Security will collaborate with key stakeholders within our IT, software and growth teams in order to ensure we provide secure solutions to our employees commensurate with the requirements of our insurance company partners and HITRUST.
This role will be responsible for managing a high-performing compliance and security effort using well-understood practices and healthy team collaboration. In this role, you will work cross-functionally to assess the current software, office and hardware portfolio and implement solutions that ensure those assets are protected. You will lead the effort to maintain our HITRUST certification and use SaaS solutions such as Vanta and Trend Vision One, along with external contractors, to be most effective. You will report to firsthand's CTO. This role is remote friendly.
As Director of Information Security you will:
- Security of Data Assets: Oversee security and risk practices so that the organization is protected against internal and external threats to the greatest extent possible.
- Security Risk Management: Manage the ongoing risk assessment function to identify the greatest threats to the organization and recommend approaches. Oversee strategies to assess, prioritize, and mitigate risks to physical and virtual assets.
- Vendor Management: Assess and manage the security risks associated with third-party SaaS vendors. Establish security requirements and standards for vendor contracts, conduct security assessments of vendors, and monitor ongoing compliance.
- Growth: Assess the security language in contracts with insurance company partners and proactively flag particularly arduous requirements.
- Incident Management: Supervise incident investigations and disposition.
- Security Controls: Develop and implement security controls, policies & procedures, and enforcement.
- Compliance: Working with legal, ensure the company complies with local, state, and national regulations in areas of security and privacy.
- Innovation: Continually research best practices, industry trends, and vendor solutions to ensure the organization is functioning with an optimal approach, knowledge, and toolsets.
- Documentation & Knowledge Sharing: Maintain appropriate documentation of incidents, risk assessments, and education. Must be intimately familiar with, and the author of, company policies and procedures related to technology and security.
- Disclosures: Assist in the analysis and reporting of Privacy and Security disclosures.
- Budgeting: Provide input into annual organizational budget planning and manage the execution of approved security department budget, for the technologies, contracts, and professional services required each year.
You will be a good fit if you have:
- A combination of technical expertise, leadership skills, business and industry knowledge, and soft skills to effectively manage the security function for our customer.
- Legal & Regulatory: Knowledge and strong understanding of relevant legal and regulatory requirements, such as Health Insurance Portability and Accountability Act (HIPAA), Service Organization Control (SOC) standards, NIST, and HITRUST.
- Security Management: Knowledge and experience in information security management frameworks, policy and procedure development, information security assessments, audits, and threat detection.
- Risk Management: Knowledge of risk analysis methodologies and how to apply them.
- Infrastructure: Strong working knowledge of virtual infrastructures to understand and identify cybersecurity threats and how to mitigate them.
- Controls: Knowledge of technology as it relates to privacy and security controls.
- Balance: Knowledge of how to balance the needs of security with the workflow and needs of company employees, customers, and vendor partners.
- Strategic Thinking: The ability to align security efforts with the organization’s strategic goals and objectives.
The experience you bring to this role includes:
- Information Security Experience: Minimum of seven years of experience in information security, quality control, risk management, regulatory compliance, corporate compliance, healthcare compliance, privacy compliance or workplace safety compliance roles. Employment history must demonstrate increasing levels of responsibility.
- Leadership Experience: At least 2 years of experience leading projects, and/or providing strategic guidance.
- Industry Experience: A minimum of 5 years' experience in healthcare.
- Certification in one or more of the following is required: CISSP, CISA, CISM, CRISC or comparable. If not currently held, the candidate must successfully complete certification within the first year of employment.
For full-time employees, our compensation package includes base, equity (or a special incentive program for clinical roles) and performance bonus potential. Our benefits include physical and mental health, dental, vision, 401(k) with a match, 16 weeks parental leave for either parent, 15 days/year vacation in your first year (this increases to 20 days/year in your second year and beyond), and a supportive and inclusive culture.
Vaccination Policy
Employment with firsthand is contingent upon attesting to medical clearance requirements, which include, but may not be limited to: evidence of vaccination for/immunity to COVID-19, Hepatitis B, Influenza, MMR, Chickenpox, Tetanus and Diphtheria. All employees of firsthand are required to receive these vaccinations on a cadence/frequency as advised by the CDC, where not otherwise prohibited by state law.
New hires may submit for consideration a request to be exempted from these requirements (based on a valid religious or medical reason) via forms provided by firsthand. Such requests will be subject to review and approval by the Company, and exemptions will be granted only if the Company can provide a reasonable accommodation in relation to the requested exemption. Note that approvals for reasonable accommodations are reviewed and approved on a case-by-case basis and availability of a reasonable accommodation is not guaranteed.
Unfortunately, we are not able to offer sponsorship at this time.