
Director of Information Security

Groups Recover Together
United States
Jan 17, 2025


Remote - US


ID
2025-6362


Job Locations

US-Remote | US-MA-Burlington

Category
Technology

Type
Regular Full-Time



Overview

Groups Recover Together was founded in 2014 to make treatment for opioid addiction respectful, accessible and affordable. We empower our members to regain control of their lives through a combination of community support, outpatient weekly group therapy and medication to manage withdrawal using buprenorphine and naltrexone. Today we serve ~1X,000 members weekly via virtual care and a network of offices across 15+ states and growing.

We embrace innovation in our vision of tech-enabled care delivery and are developing a cutting-edge care delivery and member experience platform.



Responsibilities

The Director of Information Security will lead all security efforts within our IT organization, ensuring that the company's systems, data, and operations meet rigorous security and compliance standards. This role requires a strategic leader with deep expertise in healthcare compliance and a thorough understanding of state and federal privacy regulations including, but not limited to, HIPAA, HITECH, and 42 CFR Part 2. You'll be responsible for shaping and executing security policies, overseeing risk management, and leading initiatives to protect against security threats in a complex, highly regulated environment. This position will report directly to the VP of Technology.

Key Responsibilities:
  • Develop and Lead Security Strategy: Define and implement a comprehensive security strategy that aligns with regulatory requirements, including HIPAA, and supports the organization's business goals.
  • Governance and Compliance: Establish and maintain policies, procedures, and protocols to ensure compliance with healthcare regulations (HIPAA, HITECH), data protection laws, and industry best practices. Sit on the Compliance Committee and report on the status of the information security program and key initiatives.
  • Risk Assessment and Management: Lead security risk assessments, vulnerability testing, and remediation efforts across all systems, ensuring early identification and mitigation of potential threats.
  • Incident Response: Design and maintain incident response procedures. Act as the primary leader in case of a security breach, coordinating containment, investigation, and reporting efforts. Perform regular disaster recovery/business continuity tests to ensure organizational readiness.
  • Security Awareness: Develop and implement security training programs for all employees to foster a security-first culture and promote best practices.
  • Collaboration with IT and Product Teams: Work closely with IT, Product, and Development teams to integrate security requirements into system design, development, and deployment processes.
  • Third-Party and Vendor Management: Evaluate and manage security risks associated with third-party vendors, tools, and partnerships. Conduct regular audits of vendor compliance with security requirements.
  • Team Leadership and Development: Build, mentor, and lead a high-performing security team. Foster a collaborative, innovative, and supportive team environment.


Qualifications

Required Skills and Experience:
  • Education: Bachelor's degree in Information Security, Computer Science, or a related field. Advanced degrees or relevant certifications (e.g., CISSP, CISM, CHPS, CISA) are a plus.
  • Experience: 8+ years of experience in IT security, with at least 3 years in a leadership role in a healthcare or highly regulated industry. Experience in a venture-backed environment is advantageous.
  • HIPAA Expertise: In-depth knowledge of HIPAA and HITECH regulations and compliance requirements is mandatory.
  • Technical Proficiency: Familiarity with network security, cloud infrastructure (e.g., Azure, AWS), and security best practices for on-premise, hybrid, and cloud-based systems. Strong understanding of cybersecurity threats, risks, and best practices, including cloud and on-premises security.
  • Regulatory Knowledge: Solid understanding of healthcare regulatory environments and standards, including NIST, HITRUST, SOC 2, and PCI-DSS compliance.
  • Risk Assessments: Experience in conducting risk assessments and audits.
  • Communication and Leadership: Proven ability to communicate complex security topics to technical and non-technical audiences. Strong leadership and interpersonal skills, with experience building and developing high-performing teams.

