• own and drive execution of multiple key security initiatives • collaborate with leadership to shape the team’s roadmap • mentor junior team members in the Security team • collaborate with engineering, IT, and product teams • champion continuous improvement in Security Engineering • lead PCI-DSS Compliance initiative • design, implement, and maintain security controls • contribute to threat modeling, risk assessments, and incident response • develop and refine internal security policies, standards, and tools • support and lead security awareness efforts • continuously evaluate emerging threats, technologies, and practices

Role Description The Director, Security & Risk owns the enterprise security program end-to-end—strategy, roadmap, execution, and continuous improvement. This leader assesses the current posture, monitors industry and threat trends, and drives the must-do initiatives that protect every layer of the environment (cloud, network, endpoints, identity, apps, data). The role is both strategic and hands-on: you’ll shape policy and governance while leading SOC/IR workflows, vulnerability management, IAM, third-party risk, and security awareness. You’ll partner closely with IT/Cloud, Clinical, Data/Analytics, and Compliance, translating risk into clear business terms for executives and the board. Key Responsibilities - Strategy & Governance - Assess security posture against NIST CSF/HIPAA and peer benchmarks; maintain a multi-year strategy and roadmap. - Publish and enforce policies/standards; ensure audit readiness and version control. - Risk Management & Compliance - Run periodic risk assessments; maintain risk register with accountable owners and due dates. - Coordinate HIPAA/HITECH compliance with Privacy/Compliance; manage findings to closure. - Security Operations & Engineering - Own SIEM content, telemetry coverage, and alert fidelity; manage IDS/IPS and SOC workflows (internal + MSSP). - Lead vulnerability management (scan cadence, SLAs, change control alignment) and drive remediation with system owners. - Engineer and optimize controls: firewalls, EDR/XDR, DLP, email security, CASB/SSE, secure web gateway. - Identity, Access, and Data - Enforce MFA, privileged access controls, joiner/mover/leaver processes, and periodic access reviews. - Oversee DLP policies (M365/Netskope) and data classification/handling standards. - Incident Response, Continuity, and Resilience - Maintain IR playbooks; run tabletops and post-mortems; coordinate forensics and legal/comms as needed. - Own BC/DR testing cadence; document results and drive improvements. - Awareness & Culture - Deliver security awareness (phishing simulations, targeted training) and coaching for secure-by-default patterns. - Third-Party / Vendor Security - Execute TPRM lifecycle, contract security terms, and ongoing monitoring. - Own the Third-Party Risk Management (TPRM) program: intake, inherent risk scoring, due diligence, onboarding, continuous monitoring, and offboarding. - Assess vendors handling PHI/PII/PCI with right-sized depth: SIG/SIG Lite questionnaires, SOC 2 Type II and/or ISO 27001 audit reports, HITRUST where applicable. - Validate security controls: encryption at rest (AES-256) and in transit (TLS 1.2+), key management (KMS/HSM), vulnerability management cadence, patch SLAs, EDR/AV, logging and monitoring coverage. - Review application and SDLC security: SAST/DAST results, dependency/OSS scanning (SCA), SBOM availability, pen test reports and remediation proof. - Identity & Access: SSO (SAML/OIDC), SCIM provisioning, MFA enforcement, role-based access, admin activity logging, least privilege. - Data Handling & Privacy: data flow diagrams, data residency, subprocessorlists, data retention and secure deletion on termination; DPAs/BAAs in place with breach notification timelines. - Resilience: documented BCP/DR with tested RTO/RPO; uptime SLAs; incident response plans and evidence of exercises. - Compliance & Contracting: ensure BAAs (HIPAA), DPAs/CCPA/CPRA, SCCs if applicable; right-to-audit, evidence requests, and remediation SLAs embedded in contracts. - Ongoing Monitoring: cadence for evidence refresh (e.g., annual SOC 2, pen test summaries), security scorecards, and triggers for reassessment after incidents or major changes. - Exit Strategy: data return and deletion procedures, assistance during transition, certificate of destruction, and survival clauses for security obligations. - Budgeting - Own annual plan and budget; develop board-level reporting with KPIs/OKRs and control coverage metrics. - Architecture & Projects - Provide security architecture reviews and design patterns for new systems, integrations, and clinical solutions. - Embed security in delivery pipelines and change management; ensure separation of duties and approvals. - Continuous Improvement - Track emerging threats and best practices; iterate roadmap and mentor the team. Qualifications - Experience: 10+ years in information security with 5+ years leading teams or programs (operations, engineering, or GRC). - Roadmap Ownership: 3+ years owning a security roadmap tied to business objectives, budgets, and measurable outcomes. - Healthcare: Hands-on HIPAA/HITECH experience; familiarity with HITRUST or mapping NIST CSF to HIPAA safeguards. - Frameworks: Practical expertise in NIST CSF, NIST 800-53, ISO 27001; third-party risk practices (SIG/SIG Lite, SOC 2). - Cloud: AWS security (IAM, KMS, Security Hub, GuardDuty, VPC, WAF/Shield, key rotation, least privilege). - Identity: Enterprise IAM/MFA/SSO (Microsoft Entra ID/Azure AD or Okta); strong least-privilege and access review discipline. - Detection & Response: SIEM (Microsoft Sentinel and/or Splunk) content design/tuning, UEBA, runbooks, dashboarding. - Endpoint & Email Security: EDR/XDR (Microsoft Defender for Endpoint/CrowdStrike/etc.), hardening/baselines; email security with Mimecast (policies, impersonation protection, URL/attachment sandboxing). - SSE/CASB & DLP: Operational experience with Netskope (policies, DLP, inline controls, app governance, shadow IT) and M365/Azure Purview DLP. - Network & Data Protection: Next-gen firewalls (Palo Alto/Fortinet), IDS/IPS, segmentation/zero trust, TLS 1.2+; key management and encryption at rest (AES-256) and in transit. - Vulnerability & Patch: Tenable/Qualys/Rapid7; risk-based prioritization (EPSS/CVSS + asset criticality) with defined SLAs across OS, apps, and cloud. - Incident Response & Resilience: IR playbooks, tabletop exercises, forensics coordination, BC/DR testing and improvement cycles. - Automation: PowerShell and/or Python for enrichment, response, and reporting. - Communication: Executive-level storytelling; board-ready risk reporting and KPI/OKR management. - Leadership: Proven ability to run multi-workstream programs and drive change across IT, Security, Clinical, and Compliance. Requirements - Education/Certs: Bachelor’s in CS/IT/Cyber or equivalent; CISSP or CISM required (maintained and in good standing). Tooling Requirements - Netskope SSE/CASB: Policy design and operations (DLP dictionaries, exact data match, inline controls, app risk, Shadow IT discovery, inline/blocking policies, coaching pages). - Mimecast: Inbound/outbound policies, impersonation protection, DMARC/DKIM/SPF alignment, URL/attachment sandboxing, secure messaging, business email compromise countermeasures. - Microsoft 365 Defender Suite: Defender for Endpoint, Defender for Office 365, Defender for Identity, MDO tuning and reporting. - Microsoft Sentinel: Data connectors, parser/normalization, analytics rules, UEBA, hunting queries, workbooks, automation (Logic Apps). - AWS Security: IAM least privilege, KMS key lifecycle, GuardDuty/Security Hub/WAF/Shield, VPC security, CloudTrail/Config logging and retention, S3 bucket policies and encryption. Preferred Skills & Qualifications - HITRUST (CCSFP) or ISO 27001 implementation/audit experience. - HCISPP, CCSP, CISA, or product certs (Palo Alto, Microsoft Defender/Sentinel, Netskope, Mimecast). - Kubernetes security, container scanning, and IaC scanning (Terraform + Checkov) experience. - Experience managing $1M+ security portfolios and multi-vendor MSSP ecosystems. - Developed KPI/OKR programs (MTTD/MTTR, patch compliance, control coverage, phishing risk) with trend reporting. Company Description Equality Health is an integrated, holistic, and tech-enabled healthcare delivery system focused on improving the health and wellness of diverse populations. Founded in 2015, Equality Health aims to improve access to value-based care for people who have long struggled with navigating the traditional one-size-fits-all U.S. healthcare system. The mission of the company is to provide high-quality care that improves and enhances lives regardless of race, ethnicity, age, or income. Through its supplemental care management services and proprietary technology platform, CareEmpower™, Equality Health helps managed care plans and health systems improve outcomes and lower costs for diverse populations while simultaneously facilitating the transition to risk-based accountability. Equality Health supports over 800,000 members and more than 4,000 practice sites and continues to scale rapidly. In 2021, Equality Health partnered with General Atlantic, a leading global growth equity firm, to help drive continued expansion and fuel the next phase of growth as a leading value-based primary care network serving the Medicaid, Medicare and ACA Exchange populations. This strategic investment will enable Equality Health to pursue further geographic expansion, technological innovation and product development while furthering its mission of increasing access to care, lowering costs and improving outcomes for underserved individuals, families and communities.

• Own end-to-end sales motions: prospecting, qualification, scoping, proposal development, negotiation, and close. • Build and execute a territory plan that expands new logo acquisition and grows revenue across existing enterprise accounts. • Position the full suite of offensive security services—pen testing, red teaming, cloud security testing, and managed offensive capabilities. • Maintain a strong pipeline with 3x+ quota coverage and predictable forecasting. • Lead consultative discussions with CISOs, engineering leaders, AppSec teams, and procurement stakeholders. • Partner with technical SMEs and consulting leads to shape solutions aligned to client risk, maturity, and regulatory requirements. • Establish multi-threaded relationships within accounts to improve deal velocity and renewal rates. • Deliver compelling client presentations, statements of work, and value-based proposals. • Work closely with the consulting delivery team to scope engagements accurately and ensure high customer satisfaction. • Align with marketing on targeted campaigns, regional events, and ABM programs. • Provide field intelligence and competitive insights back to product, delivery, and leadership teams. • Achieve or exceed quarterly and annual bookings targets. • Maintain accuracy of CRM data, forecasting, and pipeline metrics. • Drive healthy mix of services revenue: net-new logos, expansion, and multi-project programs.

• Preparazione degli apparati e avviamento delle infrastrutture. • Installazione fisica e configurazione (base e avanzata). • Gestione di migrazioni e commissioning di infrastrutture di media complessità. • Attività di MACD (Move, Add, Change, Delete) e troubleshooting di 2° livello presso i clienti. • Ottimizzazione delle performance e risoluzione dei problemi per garantire i livelli di servizio (SLA).