Connectivity Everywhere
Lead Product Security Engineer
Location
United States
Posted
36 days ago
Salary
0
Seniority
Senior
Job Description
Lead Product Security Engineer
Aalyria
- You'll be the technical voice of product security across Aalyria, reporting to the Director of Security & IT.
- You'll own application security, CI/CD and supply-chain security, our Kubernetes-based product infrastructure, product-side authentication and PKI.
- You'll partner closely with hardware engineering on Tightbeam.
- Application & software security: SAST/DAST/SCA, secure SDLC, threat modeling, and software vulnerability management across our codebase.
- CI/CD and supply-chain security: hardening our GitLab pipelines, build provenance, dependency integrity, signing, and SLSA-aligned controls.
- Product infrastructure security: GKE and Kubernetes hardening, container security, workload identity, network policy, and runtime protection.
- Product PKI: certificate lifecycle, issuance, rotation, and mTLS architecture across distributed services and remote assets.
- Vulnerability management: triage, prioritization, remediation tracking, and exception handling, for both disclosed upstream issues and internal findings.
- Product incident response: leading triage and response for product-side security incidents, coordinating with corporate IR, and driving post-mortems to action.
- Product infra hardening: baseline configurations, secure defaults, and compensating controls across product environments.
- Hardware security partnership: working with the Tightbeam team on firmware security, secure boot, key storage, and hardware supply-chain integrity.
Job Requirements
- Senior- or staff-level hands-on experience in product security or security engineering, with significant depth in software/AppSec.
- Production experience securing cloud environments such as IAM, org policy, VPC Service Controls, KMS, and Kubernetes at depth.
- Strong cryptographic foundations, PKI architecture, key management, signing, mTLS, and secrets handling at scale.
- Hands-on coding ability in Python, Bash, and Go: you can write tooling, automate controls, and ship Terraform/scripts when the situation calls for it.
- Comfort reviewing code is a plus.
- A track record of building security programs, not just operating tools someone else stood up.
- Experience leading product incident response: triage, response, coordination with engineering teams, customer comms, and post-mortem ownership.
- A pattern of mentoring engineers and raising the security bar of teams around you, even without direct reports.
- Experience interfacing with hardware/firmware teams, even if hardware isn't your primary domain.
- Strong written communication: you'll write threat models, design docs, and program updates that go to executives, customers, and assessors.
- Working knowledge of the compliance frameworks that govern our environment, such as CMMC, FedRAMP, and DFARS, along with the ability to translate controls into engineering work.
Benefits
- Innovative Environment: Work at a cutting-edge company shaping the future of aerospace communications.
- Impactful Work: Directly contribute to critical national security programs and initiatives.
- Growth Opportunities: Expand your career with opportunities for professional development and advancement.
- Inclusive Culture: Be part of a collaborative, supportive, and inclusive workplace where your contributions matter.
- Flexibility: Flexible working arrangements including hybrid remote/in-office schedules.
More Security Engineer Jobs
Security and Compliance Manager
Givebutter
Givebutter is the most-loved nonprofit fundraising platform. 💛
- Codify and execute the security roadmap for the organization, prioritizing the further hardening of critical systems (payment infrastructure, donor data stores, authentication flows, API integrations) and ensuring compliance with applicable laws (e.g., data privacy and security).
- Partner directly with PDE leadership to embed security controls into the development lifecycle: threat modeling, secure code review, vulnerability management, and CI/CD pipeline security tooling (SAST, DAST, SCA).
- Own the security incident response plan end-to-end: detection, containment, investigation, notification, remediation, and post-incident review.
- Work with IT to drive identity and access management improvements, including role-based access controls, MFA enforcement, endpoint security, and session management.
- Develop a deep understanding of fraud vectors in the fundraising and payments space (stolen cards, synthetic identities, friendly fraud, campaign abuse) and help us build systems that adapt as threats evolve.
- Manage vendor security risk assessments for third-party tools, integrations, and sub-processors, with continuous monitoring rather than annual check-ins.
- Own the penetration testing program: vendor relationships, testing cadence, translation of findings into engineering tickets, and remediation tracking to closure.
- Develop and deliver security awareness training for all employees, with targeted modules for PDE, CX, and leadership audiences.
- Lead SOC 2 Type II certification end-to-end: gap analysis, control design, evidence collection, remediation tracking, auditor coordination, and ongoing maintenance.
- Build the roadmap toward ISO 27001 certification as the security program matures.
- Serve as primary owner of our GRC platform (Vanta): driving task completion, monitoring compliance gaps, triaging findings, and ensuring remediation owners are accountable.
- Manage all external auditor and certification body relationships.
- Build and maintain evidence repositories that support continuous (not just point-in-time) compliance.
- Prepare board-ready compliance status reports and risk summaries quarterly.
- With the General Counsel's guidance, own all required licenses, registrations, and regulatory filings across US jurisdictions, including state charitable fundraising platform registrations and other licenses.
- Manage the Trust Center: content accuracy, access approvals, and customer-facing compliance documentation.
Cybersecurity
Cappta
Reach new horizons by connecting your business to our White Label Technology and Financial Services Platform 🚀
- Proven experience with systems and infrastructure security;
- Hands-on skills to configure and maintain security tools, including firewalls, WAFs, intrusion detection and prevention systems (IDS/IPS), antivirus, API gateways, and network monitoring;
- Monitoring and investigation of alerts in tools such as SIEM and EDR;
- Analysis of events and of attempted exploitation of applications and infrastructure;
- Vulnerability management and handling (identification, prioritization, and tracking of fixes);
- Code analysis from a security perspective;
- Participation in vendor security due diligence processes;
- Support for incident response and investigation of possible compromises;
- Ability to develop and document security policies, guidelines, and manuals;
- Proposing improvements to processes and controls.
Vice President, Information Security
LifeMD
LifeMD is a rapidly growing telehealth company that delivers virtual primary care and treatment services nationwide. Founded in 1987 and headquartered in New York, New York, LifeMD
- Lead all aspects of enterprise information security, including threat detection, incident response, vulnerability management, and continuous monitoring.
- Establish and mature a comprehensive Governance, Risk, and Compliance (GRC) framework aligned to healthcare industry standards (e.g., NIST, HITRUST, ISO 27001).
- Continuously assess enterprise risk posture, prioritizing cybersecurity risks in alignment with clinical, operational, and financial risk frameworks.
- Design and implement strategies to protect sensitive patient data, including Protected Health Information (PHI), Personally Identifiable Information (PII), and clinical data.
- Ensure compliance with healthcare data security and privacy regulations, including HIPAA and HITECH, as well as state-specific privacy laws.
- Oversee data governance, encryption, identity management, and secure data exchange across clinical systems (EHR/EMR), patient platforms, and third-party partners.
- Own and manage IT risk, compliance, and IT General Controls (ITGC) programs in support of SOX and healthcare regulatory requirements.
- Partner with internal audit, compliance, legal, and finance teams to ensure audit readiness and timely remediation of control deficiencies.
- Maintain compliance with standards such as HIPAA, HITRUST, SOC 2, PCI-DSS (as applicable), and other healthcare-specific regulatory frameworks.
- Lead security architecture across enterprise infrastructure, including cloud, hybrid, and on-premise environments supporting clinical and digital health platforms.
- Drive secure cloud transformation initiatives, ensuring appropriate controls across IaaS, PaaS, and SaaS environments.
- Partner with engineering, IT, and DevOps teams to implement DevSecOps practices and a secure software development lifecycle (SDLC).
- Lead enterprise incident response strategy, including preparedness, detection, containment, and recovery from cyber incidents.
- Build, lead, and scale a high-performing information security organization, including security operations, risk, and IT compliance functions.
- Serve as a key advisor to executive leadership, the Board, and Audit/Compliance Committees on cybersecurity risk and strategy.
- Drive enterprise-wide security awareness and training programs to foster a culture of security and compliance.
Freelance WordPress, Security, HIPAA Compliance Consultant
Insight Therapy Solutions
We're changing the world one person at a time.
- Audit WordPress setup, hosting, plugins, forms, integrations, tracking tools, and user access.
- Identify HIPAA, privacy, and security gaps related to PHI handling, encryption, access control, backups, logging, and third-party vendors.
- Assess risks involving CRMs, analytics tools, email platforms, payment tools, APIs, and form builders.
- Review overall website security posture and identify vulnerabilities or misconfigurations.
- Provide a concise audit report with findings, risk levels, and prioritized remediation steps.