Director GRC (Governance, Risk Management and Compliance)

Who We Are At Elemy: 

Elemy is a tech-forward provider of pediatric therapy across the United States. We believe that families, clinicians, and insurers all deserve a better healthcare experience, so we built one.

Backed by General Catalyst, Felicis Ventures, Founders Fund, & others. Our mission is to provide personalized, technology-empowered care for children with autism in the environment best suited to help them grow and thrive — the home. We’re looking to rapidly grow our team with values-driven, diverse, caring professionals to help us improve autism care. . 

About The Role: 

The Elemy Security and Trust team is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and compliance program that carefully considers data protection matters across all our products and offerings, including the data submitted by customers, partners, and employees to our services. Our business is built on trust and security and making sure all our customers trust us to offer great autism care while safeguarding their data.

In cloud first environments we have to assume that the perimeter is fluid, and we cannot assume safety. At Elemy we are embracing a modern Zero Trust posture where we continuously want to assess and identify that the right people have the right level of access to the right resources in the right context with the least performance impact and least friction for all involved. 

Do you have a passion for SaaS and cloud security? Are you skilled at managing the very foundation of a security program? We at Elemy need a Senior Director to organize, lead, and manage our Governance, Risk Management and Compliance team and help us protect us and our customers. 

In this role you will bring your leadership and governance expertise to bear and develop, own, manage and improve the underlying security program fundamentals at Elemy.  You will be responsible for the primary policy set that represents the company’s stated security posture, that is also achievable by the company without generating unnecessary compliance risk.  You will be responsible for the proper operation of our formal set of security controls - many of which will be implemented by groups outside the Security and Trust team, and thus you will need superlative skills in lateral stakeholder management.  You will also be responsible for the security Risk program, and manage all aspects of it, including development of a formal risk register, and development of a security risk program.  Additionally, you will be responsible for the operation of the security training program, which will be paired with other relevant training mandates for employees, such as on Compliance.  Finally, you will also be responsible for the operation of the Program Office for the Security and Trust team and thus you will ensure that all Security projects are managed successfully, as well as manage the budget for the team overall.

You must be comfortable working with cloud technologies and have solid experience in the breadth of security technologies. You must lead by example and have exemplary experience leading high performing teams.  You will be one of the most senior security leaders in the company, with the expectations and visibility that comes with that.

Candidates Will Be Expected To Demonstrate

In this role, you will be working with management, technical leaders and engineers, the compliance director, external auditors, senior leaders across the company and, at times, directly with our customers and partners.

• Technical Fluency - A passion for cybersecurity and technology, familiarity with infrastructure as software, container and microservices architectures.
• Advisory Skills - Giving direction, advice and support that helps grow the technical and collaboration skills of the individuals and teams with which they engage.
• Execution - Planning, coordination, managing dependencies and risks, diving deep when issues arise.
• Communications - This role requires someone who has very strong written and verbal skills, given the sheer number and diversity of touchpoints you will be interacting with across the company.

Responsibilities

• Providing leadership, guidance, and management of the Elemy Security & Trust GRC team..
• Help design and evolve the overall Elemy security program to continuously improve Elemy’s ability to operate securely and cost effectively. Partnering the leaders and topic experts in a number of different areas, to ensure that the plan has been thoroughly vetted and agreed by multiple stakeholders.
• On a periodic basis, driving updates to the policy foundation that continue to improve Elemy’s overall security program, again ensuring agreement from all relevant stakeholders.
• At least initially, while the team is in its formative stages,  getting hands on where needed to develop the initial security program.
• Identifying gaps in coverage of the Elemy security controls and working across teams to specify and deploy improvements that address these gaps.
• Working with leaders across the organization to create an enterprise risk view of risk, as well as instigate processes by which senior leaders can prioritize addressing them.
• Developing and implementing solutions to train all Elemy employees in security and compliance practices, and implement a company-wide program.
• Create a Program office within the Security and Trust team to oversee the successful implementation of all projects relevant to the team, and manage the departmental budget.

Qualifications & experience

• A minimum of 10 years of experience in a cloud security and information security engineering role. Specifically:
  • 8+ years of information security, and information technology experience
  • 5+ years managing technical teams
  • 5+ years in a technical leadership role.

• Cybersecurity related certifications (e.g., CISM, or CISSP, or GSEC, GCIH, CEH, GCIA, etc.) are a strong plus
• Experience with public cloud security architecture and solutions including but not limited to Network security, segmentation, micro-segmentation strategy, design, and implementation
• Understanding and delivery experience with leading security frameworks (i.e., National Institute of Standards and Technology (NIST) Cybersecurity (CSF), Zero Trust, etc.)
• Experience with design, implementation, configuration, and integration of security products from vendors such as Palo Alto Networks, ZScaler, Crowdstrike, Google BeyondCorp, Microsoft, Cisco, Fortinet, Okta, VMWare, Illumio, Guardicore, Hashicorp, cloud SIEMs like Sumo Logic or Splunk is a definite plus. 
• Experience creating, implementing, and managing technical information security controls including developing or leading security incident response processes and teams.
• Deep understanding as well as working knowledge of NIST 800-171 and the Cybersecurity Maturity Model Certification and of other security frameworks and processes - CIS, NIST, PCI/DSS, etc.
• Familiarity and experience with other compliance frameworks such as FedRAMP, FISMA, SOC, ISO, HIPAA, HITRUST, and GDPR/CCPA/Privacy Shield
• Substantial experience in managing internal enterprise security policy libraries.
• Demonstrated experience in running either security, or enterprise risk programs.
• Strong program management skills, and significant experience in budgeting/forecasting.
• Depth of experience with multiple security technologies such as Firewalls, Intrusion Detection/Prevention Systems, Vulnerability Scanning, WAF, Wireless LAN, NAC, DLP, DDoS Mitigation, WAN security, CASB, SIEM, Content Filtering, Cloud Security gateways, Secure Proxies, SSL crypto solutions, and automation.
• Good general understanding of key security/identity technology standards including authentication, federation and authorization frameworks and protocols, e.g. OAuth/OpenID/SAML 20.0/FIDO and commercial offerings such as Okta or Azure AD.
• Good knowledge of AWS services such as: CloudTrail, CloudWatch, GuardDuty, Inspector, AWS Certificate Manager, AWS WAF & Shield, Key Management Service (KMS), etc.
• Some experience with container technology security is a definite plus (Docker, Kubernetes, etc.).
• Some experience conducting cloud infrastructure security assessments.
• Experience working with SaaS cloud based applications in AWS or Azure.
• Have a strong demonstrated history of successful cross-organizational efforts.