Nayya is seeking a Director of Security & IT to lead security strategy, compliance programs, and IT operations for its benefits intelligence platform, which serves approximately 5 million employees. The role is the single point of accountability for protecting sensitive health and financial data, maintaining regulatory compliance, and ensuring the reliability and security of internal technology systems.
Requirements
- Lead the design, implementation, and continuous improvement of a comprehensive security program spanning application security, infrastructure security, data protection, and incident response.
- Implement and manage vulnerability assessments, penetration testing, and security audits to identify and mitigate risks across IT infrastructure and systems.
- Develop and maintain security policies, procedures, and controls aligned to SOC 2 Type II and HIPAA Security Rule requirements.
- Coordinate response to security incidents, including root cause analysis, containment, remediation, and legal reporting requirements.
- Own identity and access management (IAM) strategy, ensuring least-privilege access controls across production systems, cloud environments, and internal tools.
- Implement encryption, access control, audit logging, and other technical safeguards to meet HIPAA security requirements for data at rest, in transit, and during processing.
- Own SOC 2 Type II compliance initiatives, including audit preparation, controls documentation, evidence collection, and remediation of findings.
- Ensure compliance with HIPAA Privacy and Security Rules across Nayya's handling of PHI, including technical safeguards and organizational policies.
- Develop and maintain a risk management framework that identifies, evaluates, and prioritizes security and compliance risks, ensuring alignment with applicable regulations.
- Conduct regular risk assessments and vulnerability scans to proactively address potential compliance gaps.
- Prepare for and manage regulatory audits, customer security assessments, and external inspections related to data security and privacy.
- Stay current on emerging trends in healthcare data privacy regulations (HIPAA, HITECH, state-level requirements) and assess their impact on company policies and procedures.
- Oversee day-to-day IT operations, ensuring all systems, networks, and applications function effectively and securely with minimal downtime.
- Lead the internal IT help desk function, ensuring timely resolution of technical issues with clear escalation protocols and service level agreements (SLAs).
- Manage IT asset lifecycle, including procurement, tracking, maintenance, and compliance with company policies.
- Ensure effective onboarding and offboarding processes for IT systems, with a focus on security awareness and HIPAA compliance training.
- Evaluate and manage relationships with cloud providers, vendors, and third-party services to ensure they meet HIPAA and SOC 2 security and privacy requirements.
- Conduct due diligence and security assessments of third-party vendors, ensuring alignment with Nayya's data protection and compliance standards.
- Negotiate and manage contracts and SLAs to ensure third-party vendors meet security, compliance, and privacy expectations.
- Partner closely with the VP of Engineering on cloud security, infrastructure hardening, disaster recovery, and production access controls.
- Work with Legal, Finance, and People teams to ensure security and data privacy strategies align with business operations and legal obligations.
- Serve as the primary security and compliance liaison for enterprise customers, partners, and prospects during due diligence and procurement processes.
- Act as a strategic advisor to senior leadership on security investments, balancing risk mitigation against operational constraints and business priorities.
- Provide regular reports to the executive team on the status of security initiatives, compliance posture, and audit results.
- Lead, mentor, and develop a team of security, IT, and compliance professionals.
- Foster a culture of continuous improvement to stay ahead of cybersecurity threats and regulatory changes.
- Provide training to team members and the broader organization on security best practices, with emphasis on HIPAA compliance and PHI protection.
Benefits
- Generous Paid Time Off
- 401k Matching
- Retirement Plan
- Visa Sponsorship