Precise. Personal. Proven. The most comprehensive mental health care for teams and families everywhere.
Vice President, Information Security
Location
United States
Posted
4 days ago
Salary
$250K - $288.5K / year
Seniority
Lead
Job Description
Vice President, Information Security
Spring Health
• Develop and execute the enterprise information security vision, strategy, and multi-year roadmap. • Serve as a trusted advisor to executive leadership and the Board on cybersecurity risks, trends, and investments. • Establish security objectives, metrics, and reporting mechanisms aligned with business priorities. • Drive a security culture across the organization that enables innovation while maintaining appropriate risk controls, including effectively communicating risks and changes in the risk landscape to leadership, the Board, and key stakeholders in clear, business-relevant terms. • Own the enterprise information security risk management program, including formal risk assessments, risk registers, and risk treatment plans. • Ensure compliance with applicable frameworks and regulations, including SOC 2, ISO 27001, HIPAA, HITRUST, PCI DSS, GDPR, and CCPA. • Oversee security audits, risk assessments, policy development, and remediation initiatives. • Manage the Business Associate Agreement (BAA) program across the customer and vendor ecosystem. • Maintain and test the enterprise Incident Response and Business Continuity programs. • Drive continuous improvement of security controls and risk management practices. • Oversee security operations, threat detection, vulnerability management, and incident response functions. • Own the security operations center (SOC) function, including SIEM strategy, threat intelligence, and endpoint detection and response. • Lead the organization's response to security incidents, including executive communication, regulatory notification obligations, and post-incident review. • Direct penetration testing, security assessments, and resilience exercises. • Partner with Engineering and Product leadership to embed security throughout the software development lifecycle (SDLC), including threat modeling, secure code review, and automated security testing. • Provide strategic direction for the design and implementation of secure enterprise and cloud infrastructure, ensuring security architecture principles are embedded in platform design, data flows, and technology decisions across the organization. • Provide security architecture review and guidance for new products, features, and third-party integrations. • Oversee vulnerability management, penetration testing, and remediation programs across the platform and infrastructure. • Build, mentor, and develop high-performing security teams. • Manage security budgets, technology investments, and vendor relationships. • Lead third-party risk management and vendor security assessment programs. • Demonstrated ability to work closely with leadership across the organization, including Engineering, Legal, Privacy, Product, Sales, IT, HR, and others, serving as a trusted partner who enables the business rather than a barrier to it. • Serve as the executive point of contact for cyber insurance underwriters, external auditors, and regulatory examiners.
Job Requirements
- 12+ years of progressive experience in Information Security, with at least 5 years in a senior leadership role.
- Demonstrated experience building and leading multi-functional security teams, including risk/compliance, application security, and/or security operations disciplines.
- Demonstrated ability to communicate security risk to executive and board-level audiences, translating technical issues into business and financial impact.
- Deep working knowledge of HIPAA and hands-on experience managing compliance programs in a covered entity or business associate environment.
- Experience with HITRUST CSF, SOC 2, ISO 27001, and other comparable third-party security certification programs.
- One or more recognized industry certifications relevant to a role at this level (CISSP, CISM, CCISO, CRISC, or CISA).
- Experience building partnerships across the organization, enabling innovation in a safe and risk-aware way — a track record of being a business enabler, not a gatekeeper.
- Experience managing client-facing security responsibilities, including enterprise security reviews, vendor assessments, and RFP responses.
- Experience owning or contributing to incident response programs, including regulatory breach notification obligations.
- Strong working knowledge of cloud security principles and modern SaaS architecture security requirements.
- Track record of partnering effectively with executive leadership, boards, auditors, regulators, and customers.
- Deep knowledge of security operations, threat management, vulnerability management, and incident response.
- Strong expertise in cloud security, application security, identity and access management, and security architecture.
- Strategic mindset with strong business and risk management acumen.
- Ability to balance security requirements with customer experience, innovation, and business objectives.
Benefits
- Health, Dental, Vision benefits start on your first day at Spring. You and your dependents also receive access to One Medical accounts HSA and FSA plans are also available, with Spring contributing up to $1K for HSAs, depending on your plan type.
- Employer sponsored 401(k) match of up to 2% for retirement planning
- A yearly allotment of no cost visits to the Spring Health network of therapists, coaches, and medication management providers for you and your dependents.
- We offer competitive paid time off policies including vacation, sick leave and company holidays.
- At 6 months tenure with Spring, we offer parental leave of 18 weeks for birthing parents and 16 weeks for non-birthing parents.
- Access to Noom, a weight management program—based in psychology, that’s tailored to your unique needs and goals.
- Access to fertility care support through Carrot, in addition to $4,000 reimbursement for related fertility expenses.
- Access to Wellhub, which connects employees to the best options for fitness, mindfulness, nutrition, and sleep in one subscription
- Access to BrightHorizons, which provides sponsored child care, back-up care, and elder care
- Up to $1,000 Professional Development Reimbursement a year.
- $200 per year donation matching to support your favorite causes.
Related Guides
Related Categories
Related Job Pages
More Security Engineer Jobs
Senior Security Controls & Compliance Engineer
UP.LabsTransforming the moving world, one startup at a time
Role Description UP.Labs is a venture studio that builds and launches vertical AI enterprise SaaS companies with corporate partners in transportation, mobility, logistics, and industrial markets. We are hiring a Senior Security Controls & Compliance Engineer on a 6+ month contract to build, implement, and operate the security control foundation across multiple venture applications. This is a hands-on security execution role. We are not looking for someone who documents gaps, manages a compliance tool, and routes work to engineering. We need an operator who can understand enterprise customer security requirements, identify the controls required, implement or configure those controls directly, and verify they are operating effectively. You will prepare our venture applications for SOC 2 readiness while supporting enterprise customer data, information security, and TPRM requirements. Because our ventures are built alongside large corporate partners, the security bar is set by real enterprise buyers from day one, not by an internal checklist. The goal is a repeatable security baseline that each venture application can inherit, operate against, and carry forward as it matures or spins out into an independent company. What You'll Own - Build, implement, and operate security and compliance controls across multiple venture applications and supporting systems. - Translate enterprise customer security, data handling, and TPRM requirements into practical technical controls, operational workflows, evidence requirements, and remediation plans. - Create a reusable security control baseline that can be applied across current and future venture applications. - Select, configure, and operate a compliance automation platform (evaluating options such as Vanta, Drata, or Secureframe), including evidence integrations across cloud, GitHub, identity providers, ticketing, device management, and productivity tools. - Implement identity and access controls: SSO, MFA, role-based access, least privilege, access review workflows, and offboarding evidence. - Implement secure SDLC controls: branch protection, required code reviews, code scanning, dependency scanning, secret scanning, vulnerability management, and release/change management evidence. - Implement cloud security controls: IAM policies, encryption settings, logging, monitoring, backups, network restrictions, and security alerting. - Implement operational security workflows: vendor review, risk review, change management, policy attestation, incident response evidence, exception tracking, and recurring control reviews. - Maintain a centralized control library mapped to SOC 2 Trust Services Criteria, customer-specific requirements, and relevant frameworks (ISO 27001, NIST CSF, CIS Controls). - Support SOC 2 readiness end to end: control mapping, evidence requirements, gap tracking, audit prep, and control verification. - Identify launch-blocking security gaps and close them directly where possible. - Partner with product engineering only where application-specific code, architecture, or deeper infrastructure changes are required, writing clear technical requirements and acceptance criteria for that work. - Support customer security questionnaires, audits, evidence requests, and enterprise security reviews with accurate technical detail. - Track control gaps, remediation status, launch blockers, and compliance risk for leadership. - Produce a repeatable security implementation playbook that future ventures can inherit, and support the handoff of a venture's security posture when it spins out. What Success Looks Like - Enterprise customer requirements are translated into implemented controls, not just documented gaps. - Each venture application has a working security baseline across identity, cloud, source control, CI/CD, logging, monitoring, evidence, and operational processes. - SOC 2 readiness is actively tracked with clear control ownership, evidence collection, and operating cadence. - Compliance tooling is selected, configured, and producing useful evidence across the required systems. - Engineering teams are engaged only when product-specific implementation is required, not overloaded with generic security tasks. - Security launch blockers are identified early, prioritized clearly, and remediated quickly. - Customer security reviews, audits, and questionnaires are handled with accurate technical detail and supporting evidence. - Leadership has clear visibility into control maturity, launch risk, audit readiness, and open remediation items. - A reusable security control baseline and playbook exists that can be applied to new ventures and carried forward as they spin out. Qualifications - 7+ years in security engineering, cloud security, DevSecOps, security operations, security compliance, or GRC, including hands-on control implementation in cloud/SaaS environments. - At least one full SOC 2 readiness-through-audit cycle owned or driven end to end. - Demonstrated ability to configure and operate security and compliance systems directly, not just document requirements. - Strong command of security controls, audit evidence, policy requirements, control testing, and control operation. - Proven experience translating enterprise customer security requirements into practical technical controls. - Hands-on experience with identity and access controls (SSO, MFA, RBAC, least privilege, access reviews, offboarding). - Hands-on experience with secure SDLC controls (source control permissions, code review, branch protection, vulnerability management, dependency and secret scanning, change management evidence). - Hands-on experience with cloud security controls (IAM, encryption, logging, monitoring, backups, network restrictions, alerting). - Experience standing up and operating a compliance automation / GRC platform (e.g., Vanta, Drata, Secureframe) from scratch. - Familiarity with our core stack: GitHub, Jira or Linear, Okta, Google Workspace, Slack, and a major cloud provider (AWS, Azure, or GCP). - Strong written communication for policies, procedures, audit documentation, technical requirements, and customer-facing security responses. - Ability to operate independently in an ambiguous, fast-moving venture environment and deliver on a compressed timeline. Preferred Qualifications - Experience supporting enterprise customers with strict security, data handling, or TPRM requirements. - Experience in venture-backed startups, enterprise SaaS, or venture studio environments. - Experience carving a company's security posture out of a parent or shared-services environment during a spin-out or standalone build. - Familiarity with SOC 2 Trust Services Criteria, ISO 27001, NIST CSF, or CIS Controls. - Experience with GitHub security features, CI/CD security controls, vulnerability management tools, and cloud security monitoring. - Relevant certifications: CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, AWS Security Specialty, or Security+.
Online Adjunct Professor – Cyber Security
Bryant & Stratton CollegeBryant & Stratton College: A Career-Focused, Private, Nonprofit College Built Different to Serve Our Students.
• Prepare course(s) assigned in Blackboard with required elements by the designated deadline. • Provide approximately 12-14 hours per week of instruction over the course of five days each week, per course. • Facilitate discussion, grading student work, checking email, engaging in personalized retention efforts and outreach to support student success. • Respond to all outreach (email, text, calls, etc.) from students, supervisors, colleagues, etc. within 48-hours. • Facilitate discussion with substantive, high-quality posts, higher-order questioning, and supplemental resources. • Ensure the grade book is updated each week no later than Thursday at 11:59 pm, ET for Weeks 1-6, and 9 am ET Thursday after the last day of class for Weeks 7 and 7.5. • Follow the college’s plagiarism policy to promote academic integrity in all courses.
Security Engineer
ECS Tech IncAll candidates must meet the following criteria: Must be a US Citizen, no dual Citizenships. Must be able to secure a Public trust clearance. Must be able to work across multiple programs across the Federal and DOD space. The core values that ECS looks for in an engagement manager include: Teamwork, Respect, Accountability, Integrity, and Leadership.
Role Description Everforth ECS is seeking a Security Engineer to work in our Portland, OR office or remotely. Note: This position is contingent upon contract award. The Security Engineer supports the design, implementation, configuration, and maintenance of cybersecurity technologies, controls, and secure infrastructure capabilities across enterprise systems and security operations environments. This role helps ensure that systems, applications, networks, endpoints, and cloud environments are protected, monitored, hardened, and aligned with organizational security requirements. The ideal candidate has hands-on experience implementing and supporting security tools, troubleshooting technical security issues, applying secure configuration standards, and collaborating with SOC analysts, system administrators, network engineers, control assessors, and program stakeholders to improve the organization's security posture. Key Responsibilities - Security Engineering & Implementation - Implement, configure, maintain, and support cybersecurity technologies, tools, platforms, and technical security controls. - Assist with engineering secure solutions for enterprise systems, networks, endpoints, cloud environments, applications, and operational support platforms. - Support security architecture decisions by providing implementation input, technical feasibility analysis, and operational considerations. - Apply security engineering practices across the system lifecycle, including planning, deployment, configuration, testing, operations, and sustainment. - System Hardening & Secure Configuration - Apply secure configuration baselines, hardening standards, and technical control requirements to servers, endpoints, network devices, applications, and cloud services. - Review system configurations, permissions, authentication settings, logging settings, encryption settings, and access controls for alignment with security requirements. - Support implementation of vulnerability remediation, configuration changes, patching activities, and risk reduction measures in coordination with system owners. - Validate that security controls are operating as intended and support remediation when control gaps or technical weaknesses are identified. - Security Tool Support & Integration - Support deployment, tuning, and sustainment of tools such as SIEM, EDR, vulnerability scanners, firewalls, IDS/IPS, email security, identity security, logging, and monitoring platforms. - Integrate security tools with enterprise systems, data sources, ticketing systems, dashboards, identity platforms, and incident response workflows. - Troubleshoot tool performance, connectivity, data collection, alerting, agent health, policy enforcement, and integration issues. - Coordinate with SOC analysts, Splunk engineers, threat hunters, and system administrators to ensure security tooling supports monitoring, investigation, and response requirements. - Vulnerability, Risk & Remediation Support - Analyze vulnerability scan results, configuration findings, security alerts, and control weaknesses to support prioritization and remediation planning. - Work with technical teams to identify root causes, validate remediation options, and confirm closure of vulnerabilities or security findings. - Support risk treatment activities by documenting technical constraints, compensating controls, residual risk, and remediation status. - Assist control assessors and assessment leads by providing technical evidence, configuration details, screenshots, logs, and implementation explanations. - Incident Response & Operational Support - Provide technical engineering support during security incidents, investigations, containment activities, eradication efforts, and recovery actions. - Assist with log collection, tool validation, endpoint or network containment actions, access changes, system isolation, and forensic preservation activities as directed. - Develop and maintain scripts, queries, automation, and repeatable procedures to improve security operations and engineering response efficiency. - Participate in after-action reviews and support implementation of technical improvements based on incident lessons learned. - Documentation, Standards & Continuous Improvement - Develop and maintain technical documentation, configuration standards, diagrams, implementation guides, runbooks, and operational procedures. - Support change management, configuration management, asset documentation, and security engineering governance processes. - Recommend improvements to security tools, engineering processes, baselines, automation, monitoring coverage, and technical control implementation. - Stay current with emerging threats, security technologies, hardening guidance, and engineering best practices relevant to enterprise security environments. Qualifications - U.S. Citizenship with ability to obtain and maintain a DOE “L” clearance after start. - 3-5 years of experience in cybersecurity engineering, security operations, systems administration, network administration, cloud security, or related technical security roles. - Hands-on experience implementing, configuring, or supporting security tools, technical controls, secure configurations, and enterprise security technologies. - Working knowledge of Windows, Linux, networking, identity and access management, endpoint security, logging, vulnerability management, and common security architectures. - Experience applying security requirements, hardening standards, vulnerability remediation guidance, and configuration baselines across technical environments. - Ability to troubleshoot technical security issues involving systems, networks, applications, integrations, agents, logs, policies, and monitoring tools. - Familiarity with cybersecurity frameworks, standards, and best practices such as NIST, CIS Controls, DISA STIGs, ISO 27001, or organizational security baselines. - Strong documentation, communication, collaboration, and problem-solving skills.
Role Description The Security Specialist – Level III will lead enterprise AWS and hybrid cloud security for the USDA FPAC Cloud Platform. This role will: - Design and govern cloud security architecture. - Establish and enforce security controls. - Support compliance activities. - Lead security operations across AWS and hybrid environments. Qualifications - Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Engineering, or related field; Master’s degree preferred. - Minimum 10 years of AWS security experience. - Must have one of the following certifications: - AWS Certified Security – Specialty - AWS Solutions Architect certification. - Expert-level knowledge of AWS security services and enterprise cloud security governance. - Demonstrated experience in cloud security architecture, zero-trust design, and zero-trust compliance leadership. - Experience supporting federal or enterprise compliance frameworks, including FISMA, NIST SP 800-53, and FedRAMP. - Experience with vulnerability management, incident response, audit support, and continuous monitoring. - Excellent written and verbal communication skills. - Ability to obtain and maintain required USDA suitability/public trust credentials; highly desirable candidate already has USDA clearance. Requirements - Current or prior experience supporting USDA, FPAC, or other federal civilian agency cloud environments. - Highly desirable: current or recent USDA/FPAC public trust or suitability clearance and active HSPD-12 PIV card, or prior adjudicated clearance that can be reactivated. - Preferred Certifications (Any One): - CISSP - CCSP Key Responsibilities - Design and govern enterprise AWS security architecture across cloud and hybrid environments. - Lead implementation of cloud security controls, logging, encryption, identity and access management, and network security. - Support and oversee FISMA, NIST SP 800-53, FedRAMP, and USDA security compliance requirements. - Lead continuous monitoring, vulnerability management, remediation tracking, and audit support. - Support ATO activities, security assessments, penetration testing, and incident response. - Implement and enforce zero-trust and secure-by-design principles across cloud and hybrid environments. - Provide security guidance to DevSecOps, platform, and operations teams. - Prepare and maintain required security documentation, reports, and compliance artifacts. Benefits - Competitive compensation and benefits packages including paid vacation, medical, dental, vision, matching 401(k) plan, tuition/training reimbursement, and Long & Short-Term Disability.



