As our CISO, you will be responsible for the overall security posture of the company, IT infrastructure, regulatory compliance, and product security. You will work cross-functionally with engineering, product, legal, and operations teams to embed security best practices across our organization and platform. You will also be responsible for building a culture of security awareness, ensuring compliance with healthcare regulations (e.g., HIPAA, SOC 2, HITRUST), and driving strategic IT initiatives that support our growing team.
You Will:
Security & Compliance Leadership
- Develop, implement, and maintain a comprehensive security strategy covering IT, compliance, and product security.
- Lead the company’s risk management initiatives, identifying and mitigating security threats to company assets, infrastructure, and product.
- Own and maintain security certifications and compliance programs (HIPAA, SOC 2, HITRUST).
- Oversee security audits, penetration testing, and risk assessments.
- Ensure security policies, controls, and best practices are integrated into the SDLC and IT operations.
IT & Infrastructure Security
- Oversee the IT team, ensuring secure, scalable, and efficient internal IT systems.
- Establish and enforce identity and access management (IAM) policies, endpoint security, and cloud security best practices.
- Ensure robust disaster recovery (DR) and business continuity (BCP) plans.
- Partner with the engineering team to secure cloud infrastructure.
Product & Application Security
- Build and scale a product security program to ensure security is embedded throughout the software development lifecycle (SDLC).
- Implement DevSecOps principles and tools to automate security testing and monitoring.
- Work closely with engineering and product teams to ensure secure architecture, encryption, authentication, and API security.
- Establish vulnerability management and incident response processes for product-related security threats.
Security Awareness & Incident Response
- Lead security training and awareness programs for employees to reduce human risks (e.g., phishing, social engineering).
- Develop and maintain a robust incident response plan and lead the company’s response to security incidents and breaches.
- Collaborate with legal, PR, and executive leadership to ensure transparent incident communication when needed.
We are looking for people who have:
Must-Have Qualifications:
- 15+ years in information security, IT security, or compliance roles, with 5+ years in a leadership role.
- Experience in a health tech, SaaS, or regulated industry (HIPAA, SOC 2, HITRUST, GDPR, etc.).
- Deep knowledge of cloud security, network security, application security, and DevSecOps principles.
- Proven ability to build and scale security programs from the ground up.
- Strong background in IT systems security, identity and access management (IAM), and infrastructure security.
- Hands-on experience with SIEM, endpoint security, vulnerability management, and IAM solutions.
- Excellent communication and stakeholder management skills, with experience presenting to executive leadership and board members.
Nice-to-Have Qualifications:
- Certifications: CISSP, CISM or equivalent.
- Experience working with third-party auditors, regulators, and legal teams.
- Familiarity with Zero Trust architecture and emerging security trends in health tech.
Security Alert:
1upHealth only uses email addresses of the form FirstName.LastName@1up.health or no-reply@1up.health to communicate with prospects. You will never receive an email from a third-party email service such as Gmail. In addition, we will never ask a candidate for employment to share personal information (such as banking information, social security numbers, passport, etc.), purchase their own equipment, or pay to apply to an open position.
About 1upHealth
At 1upHealth, our mission is to unlock health data and improve industry outcomes. As leaders in FHIR® interoperability, our platform makes it easier for partners to access, integrate, aggregate, and share data across a variety of systems. 1upHealth is building a data ecosystem to promote the digital transformation of the industry and encourage insight-driven healthcare.
We are proud to announce that we have been named 2022 Best Places to Work in the Small Company and Best Paying Company categories by Built In Boston.
Benefits
- 100% Paid BCBS Medical and Dental Insurance for Employees
- Vision Insurance
- Unlimited PTO
- Equity
- 401(k)
- Home Office Stipend
- Commuter Stipend
- Wellness Reimbursement
- Parental Leave (16 weeks for birthing parents, 6 weeks for non-birthing parents)
- Company Meetings with Free Lunch