Director of Information Security & GRC

Remote, USA

Full Time Executive-level / Director
Color logo
Color
From population genomics to high throughput COVID-19 testing, Color provides the technology & infrastructure for large scale health initiatives. Learn more.
Apply now Apply later

Named by Rock Health as the Best Digital Health Company to Work For, Color is a leading healthcare technology company. Color is building and delivering technology-enabled healthcare to millions of people. Through partnerships with public and private partners including governments, employers and health systems, Color’s infrastructure and software enables large populations to receive essential healthcare services directly where they live or work. This includes testing and telehealth services for preventive health and infectious disease management.
Since March 2020, Color has mobilized to address the pandemic by leveraging its platform to scale COVID-19 testing programs around the country. Color’s platform is used by more than 100 major employers, universities and public health institutions, such as the City of San Francisco, the State of California and PerkinElmer, community-based efforts in Oakland, and others, to deliver critical health programs. For more information about Color and its response to COVID-19, visit www.color.com.
By investing in the technology that ensures easy and affordable access to healthcare, Color is creating the infrastructure that will serve us for decades to come. Apply to join Color and do some of the most important work of your career. If you are not sure that you're 100% qualified, but are up for the challenge - we want you to apply!
As Color's Director of InfoSec & GRC, you will lead a team responsible for defining and implementing the company's overall security posture. You'll work with our CEO, Head of Engineering, and the rest of the leadership team to secure our third party tools, in-house code, production systems, data, and human processes. This is an exciting opportunity to drive security, compliance and privacy for a company with unique assets and challenges: a genetic testing product, sensitive health data, a full in-house clinical laboratory, and a wide range of other needs. You’ll be leading every day, but you'll also have opportunities to dive in and get hands on, applying threat modeling to on-site clinical health care, teaching engineers how to think like black hats, running fuzzers and scanners, and much more. Show us you have the risk-based security mindset and see everything as a system to be exploited...and protected!

How You’ll Contribute:

  • Own, lead, and improve our company's overall security & compliance program.
  • Work with other executive leaders to define and develop our overall privacy posture.
  • Help the entire Color engineering team learn and apply a security growth mindset to designing systems and writing code, showing there’s always more than one way to protect and safeguard what’s important to us.
  • Apply threat modeling as a primary tool to understand and secure our systems.
  • Risk assess, integrate, and manage third party security tools and processes.
  • Develop, integrate, and lead the security awareness program for Color employees.
  • Design and implement an information risk management program, applying measurable, repeatable risk management practices to drive priority for the InfoSec & Compliance program.
  • Design and drive a secure audit logging model for access to PHI (Personal Health Information).
  • Build a model to continually risk assess, analyze, and protect public datasets like Color Data from re-identification attacks, and other data compromise techniques.
  • Coordinate internal & external penetration tests, along with our vulnerability management program.
  • Develop and lead our Information Security Incident Response program.
  • Lead the triage, risk prioritization, and implementation with the Engineering team to fix issues that arise.
  • Evaluate, select, and help integrate modern security tools and services (e.g. CASB, UEBA) into our production and employee IT environments.
  • Help engineers run fuzzers, scanners, static analyses, and other tools on our code and systems to discover vulnerabilities.
  • Review and triage security disclosures from external researchers, as part of our responsible disclosure and bug bounty program.
  • Support and lead security compliance efforts, e.g. FISMA, HIPAA, SOC 2 as well as supporting Engineering with controls related to privacy requirements.
  • Build and maintain awareness & education resources for customers on our security posture and practices, as well as supporting our Sales team with questions that may arise.

Our Ideal Candidate Will Have:

  • You have a risk-based security mindset ingrained and see everything as a system to be exploited...and protected!
  • You understand that information security is a spectrum of risk vs cost, and that nothing is bulletproof or unbreakable.
  • You believe in craft and pragmatism: solving the problem at hand with the best tools for the job, whether that's custom code, third party tools, human processes, or watchful waiting.
  • You are excited about collaborating with product engineers, lab scientists, academic researchers, business teams, and others across Color.
  • You are an excellent communicator, verbally and in writing, working to translate security requirements and promote security education across a variety of audiences.
  • You have strong opinions (loosely held) about modern security practices and techniques, demonstrating a growth mindset, open to new ideas and ways to protect and safeguard what’s important to Color.
  • You are intrinsically motivated, able to execute independently, while being proactive about seeking input from colleagues.
  • You're confident in modern cloud environments like AWS and GCP, and with web app tools like Python and Django, Docker and containerization, data processing pipelines, etc.
  • You’ll have experience leading compliance efforts for frameworks such as FISMA, HIPAA, or SOC 2.
  • You enjoy teaching engineers - and everyone - about information security and compliance!

Nice to Have:

  • Experience in Digital Health or SaaS organizations operating in highly regulated industries.
  • Experience with the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA).
  • Some experience with automating manual processes and workflows, and scripting.
  • Certifications from ISC2, ISACA, IAPP, or GIAC are a plus.
#LI-ML1#LI-CRE
Color is an equal opportunity employer. In accordance with anti-discrimination law, it is the purpose of this policy to effectuate these principles and mandates. Color prohibits discrimination and harassment of any type and affords equal employment opportunities to employees and applicants without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Color conforms to the spirit as well as to the letter of all applicable laws and regulations.
COVID-19 Vaccination Requirement: Color requires anyone working onsite or visiting Color’s offices to confirm they are fully vaccinated against COVID-19 unless a medical or religious accommodation is timely requested and approved.  Please reach out if you have questions or concerns about this policy and how it may apply to your candidacy for a role with Color.
Job region(s): Remote/Anywhere North America
Job stats:  24  4  0
  • Share this job via
  • or

Explore more Information Security career opportunities