Senior Manager - Information Security, Governance, Risk, Compliance

About Stellar Health:

Historically, US Healthcare has relied on a fee-for-service reimbursement system where providers are paid based on the quantity of patient visits and procedures, rather than the quality of health outcomes.

At Stellar Health, we help primary care providers put patient health first. Our platform - a mix of technology, people, and analytics - supports providers at the point of care, delivering real-time patient information, activating practice staff, and empowering providers and care teams with incentives that reward the work they are already doing to keep patients healthy. Using the Stellar App, our web-based, point-of-care tool; practices receive a simple checklist of recommended actions that support the best quality care. Providers and care teams are then paid monthly for each action they complete, and Payors save money in reduced healthcare costs along the way.

Stellar is a US-based Health-tech backed by Top VCs (General Atlantic, Point72, & Primary Venture Partners)​​ with an established product & proven operating model. We’ve shown that we make a real difference for physician practices and their patients.

Stellar Health is looking for a Senior Manager - Information Security, Governance, Risk, and Compliance to help prioritize and drive our Information Security program and investments. This role will report to our Senior Director, IT & Security.

We are looking for an individual who is passionate about building, scaling, and maintaining security governance processes that are thoughtfully designed for both external users, customers, auditors, and teammates. You will have the autonomy and authority to approve or reject evidence submissions, accept low-risk exceptions, approve compensating controls, and close audits.

Stellar Health operates in the HealthTech space and is HITRUST R2 certified. This role will help ensure our security program is as effective, organized, and proactive as possible by:

• Reducing the effort to maintain and demonstrate our alignment to HITRUST by maximizing our use of Vanta to automate the collection of evidence, maintain up to date documentation, and deploy continuous testing of controls.

• Aligning with our cross-functional teams as they deliver on their controls and support our security processes, ensuring clarity and accountability for all parties.

• Leading our annual and ongoing risk assessment processes including the managing the risk register and mitigation plans

• Enabling company growth acceleration by facilitating the strategic and thoughtful completion of customer and vendor security reviews

• Overseeing incident response processes, supporting documentation, and corrective actions

• Deploying and managing the third-party vendor management program and processes.

• Oversees the selection and deployment of security related training across the enterprise

• Creating and managing dashboards and other materials that keep leadership informed and support Committee and Board meetings

How you'll make an impact:
Within your first month, you should have a solid foundation of our current security posture, controls, and security processes, what is working well and where there are gaps. You will use this foundation to build a longer term roadmap for our GRC efforts.

Additionally, you will:

• Support our interim HITRUST assessment with a focus on open items that could require remediation

• Review the current GRC tooling environment and produced a plan for enhancements

• Prioritize a list of improvements to the third party vendor management program

• Implement improvements to current evidence collection processes and/or automations

• Facilitated the interim HITRUST assessment with the external auditing firm

• Implemented 1-2 improvements to the GRC tooling environment

• Refresh our customer facing trust center

• Create a remediation plan for HITRUST gaps, if any, including timelines and commitments from business owners

• Establish a process to review high risk applications and systems with System Owners to ensure they align to any applicable security standards/controls and other security recommendations

What You'll Bring:

• 8-10 years of security program experience, with 4-5 years of direct experience building and implementing GRC tooling and processes

• Familiarity and experience helping design controls in AWS cloud environments and infrastructure that meet regulatory commitments

• Demonstrated experience with Vanta

• Demonstrated experience with security monitoring tools including:

  • Crowdstrike

  • Panther

  • DefectDojo

  • AWS native security tooling (Inspector, Config, SecurityHub)

• Experience leading audits of security frameworks (e.g. SOC 2 Type 2, ISO 27001, HITRUST). Preference given to those with HITRUST experience.

Perks & Benefits:

Stellar offers a carefully curated selection of wellness benefits and perks to our employees:

• Medical, Dental and Vision Benefits

• Flexible PTO

• Universal Paid Family and Caregiver Leave

• Wellhub+ Gym Memberships

• Pre-tax commuter benefits, HA, FSA plans

• Company sponsored One Medical memberships and Citibike memberships

• Medical Travel Benefits

• JOON, a flexible lifestyle spending account that gives our team a monthly stipend to spend on what matters most to them

• Stock Options & a 401k matching program

• A broad calendar of company sponsored social events that for our in-office and remote employees

• Company sponsored lunch for all NY HQ employees

Diversity is the key to our success. Stellar Health is an equal opportunity employer and we are open to all qualified applicants regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or expression, veteran status, or any other legally protected status.

We believe that diverse teams -and the different identities, cultures, and life experiences our team members bring to the table- enable us to create amazing products, find creative solutions to interesting problems, and build an inclusive working environment.

Stellar Health Employment Privacy Notice

At Stellar Health, your privacy and security as a job seeker is a priority no matter where you are in the interview process. As recruiting scams have become more prevalent, please take note of the following practices to ensure the legitimacy of any interaction with our team.

• Please note that any communication from our recruiters and hiring managers at Stellar Health about a job opportunity will only be made by a Stellar Health employee with an @stellar.health email address.

• Stellar Health does not utilize third-party agencies for recruitment services and does not conduct text message or chat-based interviews. Any other email addresses, agencies, or forums may be phishing scams designed to obtain your personal information.

• We will not ask you to provide personal or financial information, including, but not limited to, your social security number, online account passwords, credit card numbers, passport information, and other related banking information until we begin onboarding activities, which will be coordinated by a member of the Stellar Health People Ops Team with an @stellar.health email address.

If you are ever unsure whether you are in contact with a legitimate Stellar Health teammate, please contact people-team@stellar.health. If you believe you've been a victim of a phishing attack, please mark the communication as “spam” and immediately report it by contacting the U.S. Federal Trade Commission.