Senior Security and Compliance Lead

The Senior Security and Compliance Lead owns the strategy, execution, and continuous improvement of the organization's information security and regulatory compliance programs. This leader is accountable for protecting the company, customer, and employee data; maintaining the organization's security posture across cloud environments; and ensuring that the business meets its legal, contractual, and industry-standard obligations.

The role combines hands-on technical leadership with executive-level program management. The Lead builds and leads the security and compliance function, partners across Engineering, Product, and Operations, and reports to the CTO.

Responsible for establishing and maintaining the organization's IT governance framework, risk management methodologies, and cybersecurity compliance programs. Develops enterprise policies and control frameworks while ensuring alignment with regulatory requirements and security standards such as ISO 27001, SOC 2, NIST, and HISTRUST. Conducts risk assessments, manages third-party risk evaluations, and facilitates cybersecurity audits. Creates and maintains security policies, develops security awareness training programs, and serves as the liaison between business, IT, and regulatory bodies to translate compliance requirements into actionable governance strategies.

What you’ll do

Security Strategy & Leadership

• Define and own the multi-year information security strategy and roadmap aligned to business objectives.
• Build, mentor, and lead the security and compliance team, including security engineers, analysts, and GRC (governance, risk management, and compliance) staff.
• Establish and report on security KPIs, KRIs, and program maturity metrics.
• Manage the security and compliance budget, vendor relationships, and tooling investments.

Governance, Risk & Compliance (GRC)

• Own the enterprise risk management program: identify, assess, prioritize, and track remediation of security risks.
• Lead audit readiness and certification efforts (e.g., SOC 2 Type II, ISO 27001, HIPAA, HITRUST, GDPR, CCPA).
• Develop, maintain, and enforce security policies, standards, and procedures.
• Manage relationships with external auditors, assessors, and regulators; coordinate evidence collection and remediation.
• Oversee third-party and vendor risk management and customer security questionnaire responses.
• Partner with other functions on data privacy obligations, breach notification readiness, and cross-functional compliance matters.

Security Operations & Engineering

• Direct security operations, including monitoring, detection, vulnerability management, and patching.
• Own the incident response program — preparation, detection, containment, eradication, recovery, and post-incident review.
• Oversee identity and access management, encryption, network security, and cloud security posture management.
• Champion "security by design" and shift-left practices within the software development lifecycle.
• Lead business continuity and disaster recovery planning, testing, and continuous improvement.

Awareness & Culture

• Design and administer security awareness, training, and phishing simulation programs across the organization.
• Foster a “security is everyone’s responsibility” culture — serve as the internal champion and go-to escalation point for security matters.
• Act as a calm, credible communicator during security events, translating technical risk into clear business language for executives, customers, and the board.
• Other Duties as Assigned

What you’ll bring

• 5+ years in cybersecurity with demonstrated program ownership. You’ve driven initiatives end-to-end, influenced without authority, and been accountable for outcomes, whether or not you carried a management title.
• Familiar with and can demonstrate knowledge and ownership of regulatory compliance, such as SOC 2, HIPAA, HITRUST, GDPR.
• Strong working knowledge of cloud security (Azure, AWS, or GCP), IAM, network security, encryption, and secure SDLC.
• Proven track record leading incident response and managing breaches end-to-end including communication with executives and external stakeholders.
• Experience building and leading teams and managing cross-functional security initiatives
• Ability to translate technical risk into business terms for executives, the board, and customers.
• Bachelor's degree in Computer Science, Information Security, or equivalent practical experience.
• US Residents only. Must reside in the continental U.S., be authorized to work without sponsorship, and not reside in California.

Additional Preferred Qualifications

• Nice to have one or more of the following certifications or equivalent: CISSP, CISM, CCSP, CISA, ISO 27001 Lead Auditor/Implementer, Cloud security certs (AZ-500 / AWS Security Specialty).
• Experience in a regulated or high-trust industry (healthcare, digital health, fintech, SaaS handling sensitive data).
• Familiarity with infrastructure-as-code and securing CI/CD pipelines.
• Experience scaling a compliance program from initial certification through annual renewals where you built the program.
• Master's degree in a relevant field.

Compensation

• The expected salary range for this position is $145,000 - $185,000 annually. Actual compensation will be based on a candidate’s skills, qualifications, and years of relevant experience. In addition to the base salary, this role offers a bonus 10%, an opportunity, OTE of $159,000K - $203,500K. Bonus compensation will depend on individual performance and company performance.

What You’ll Get

• Smart, intellectually curious, creative, supportive, and overall awesome colleagues!
• We are 100% fully remote! Work from anywhere in the U.S. with reliable Wi-Fi, within PST–EST time zones. Employees must be physically located in the U.S.; working outside the U.S. requires prior approval from leadership.
• Medical, dental, and vision benefits
• Discounted pet insurance
• Unlimited PTO after 60 days of employment
• 401(k) after six months with company match   
• Competitive salary
• Fast-track career advancement with a high-growth, Great Place to Work™ certified organization 
• rater8 is a “bring your own device” company, enabling you to work on your preferred operating system; we offer a WFH stipend to offset costs per company guidelines

About rater8

rater8, the healthcare industry’s leader in reputation management, helps medical practices establish pervasive online visibility. The rater8 Visibility Engine (raVE) effortlessly gathers authentic reviews and real-time feedback from verified patients to drive sustainable practice growth, all with the support of award-winning customer service. 

Based in the United States, rater8 is a rapidly growing healthtech innovator, serving over 25,000 providers at practices and hospitals of all sizes and specialties, and providing unlimited career growth and pay opportunities for its employees.

rater8 is proud to be an equal opportunity workplace and is an affirmative action employer. We are committed to equal opportunity regardless of race, color, ancestry, religion, gender, gender identity, parental or pregnancy status, national origin, sexual orientation, age, citizenship, marital status, disability, or Veteran status.