Hitrust Security Assessor Jobs (NOW HIRING)

Direct, hands-on experience leading at least one HITRUST certification cycle (CSF assessments and ... Experience owning client security questionnaire responses and external audit engagements

Senior Security Compliance Analyst

OR · Remote

$125K - $175K/yr

Conduct third-party vendor risk assessments, ensuring compliance with security policies and ... Experience leading ISO 27001, SOC2, or HITRUST audits, including ISMS implementation and external ...

Senior GRC Analyst

Richmond, VA · On-site +1

$95K - $124K/yr

Experience supporting HITRUST readiness or validated assessments. Experience with vendor risk management or third-party security assessments. Experience supporting HIPAA, PCI DSS, GDPR, or other ...

This role owns the operationalization of frameworks, certifications (SOC 2, HIPAA/HITECH, HITRUST ... Oversee governance activities including risk assessments, internal audits, compliance reviews, and ...

Assess alignment to frameworks such as: * HITRUST * PCI * NIST Cybersecurity Framework * ISO/IEC 27001 * Partner with engineering and security teams to validate that controls are effectively ...

Description Manager, Security Overview The Manager, Security (Governance, Risk & Compliance) plays ... Direct, hands-on experience leading at least one HITRUST certification cycle (CSF assessments and ...

Lead IT Security Analyst

Manhattan, NY · On-site

$121K - $210K/yr

... HITRUST, SOC 2, and customer security assessments. • Maintain asset inventories, risk registers, and remediation tracking. • Collaborate with Compliance to ensure alignment between security ...

Security Architect

OR · Remote

$65 - $84/hr

About the Role The Security Architect is a technical, hands-on senior role responsible for ... risk assessments to identify control gaps and ensure technical alignment with SOC2, HITRUST, and ...

Director of Security

OR · Remote

$190K - $240K/yr

The scope includes third party risk, vendor assessment and qualification, security architecture ... HITRUST certification. * Experience with AI security risk management, data protection for AI use ...

Ensure compliance with HITRUST standards, HIPAA regulations, and other relevant healthcare security requirements. * Conduct ongoing risk assessments and security audits to maintain and demonstrate ...

Hitrust Security Assessor information

How much do hitrust security assessor jobs pay per hour?

As of Jun 6, 2026, the average hourly pay for hitrust security assessor in the United States is $58.77, according to ZipRecruiter salary data. Most workers in this role earn between $50.48 and $68.03 per hour, depending on experience, location, and employer.

What are HITRUST Security Assessors?

HITRUST Security Assessors are organizations or professionals authorized by HITRUST to perform validated assessments of an organization's compliance with the HITRUST CSF (Common Security Framework). They evaluate whether a company meets the security and privacy requirements necessary for HITRUST certification, which is especially important in industries like healthcare. Assessors must undergo rigorous training and meet strict qualifications to ensure they accurately and impartially assess an organization's information security controls.

What are some common challenges faced by HITRUST Security Assessors during the certification process?

HITRUST Security Assessors often encounter challenges such as aligning diverse client environments with HITRUST CSF requirements and managing varying levels of cybersecurity maturity. Thoroughly understanding client infrastructures and existing controls is essential for identifying gaps and recommending practical solutions. Collaboration with client stakeholders is frequent, requiring strong communication and project management skills to ensure timely evidence collection and clear remediation guidance. Additionally, keeping up with evolving frameworks and regulatory updates is vital for delivering accurate assessments.

What is the difference between Hitrust Security Assessor vs Hitrust Risk Analyst?

Aspect           | Hitrust Security Assessor                                            | Hitrust Risk Analyst
Certifications   | HITRUST CSF Practitioner, CISSP, CISA                                | HITRUST CSF Practitioner, CISSP, CISA
Work Environment | Consulting firms, healthcare, and financial organizations            | Healthcare, finance, and compliance teams within organizations
Primary Focus    | Assessing and validating security controls for HITRUST compliance    | Analyzing and identifying security risks and vulnerabilities

Hitrust Security Assessors primarily evaluate organizations' security controls to ensure HITRUST compliance, while Hitrust Risk Analysts focus on identifying and analyzing security risks. Both roles require similar certifications and often work within healthcare and financial sectors, but their core responsibilities differ: assessment versus risk analysis.

What are the key skills and qualifications needed to thrive as a Hitrust Security Assessor, and why are they important?

A Hitrust Security Assessor requires a deep understanding of information security principles, risk management frameworks, and compliance standards, typically supported by relevant certifications such as HITRUST Certified CSF Practitioner (CCSFP) or similar credentials. Familiarity with HITRUST MyCSF, GRC (Governance, Risk, and Compliance) platforms, and audit management tools is essential. Outstanding analytical thinking, attention to detail, and effective communication skills set top assessors apart when interfacing with clients and interpreting complex security requirements. These skills ensure accurate assessments, comprehensive reporting, and help organizations achieve and maintain HITRUST certification for regulatory and business needs.

Infographic showing Hitrust Security Assessor job openings in the United States as of May 2026, with employment types broken down into 98% Full Time and 2% Contract. It highlights a 91% Physical, 2% Hybrid, and 7% Remote job distribution, with an average salary of $122,236 per year, or $58.8 per hour.
Manager, Security

Other

Medical, Dental, Life, Retirement, PTO

Posted 6 days ago


Job description

Manager, Security

Overview

The Manager, Security (Governance, Risk & Compliance) plays a critical role in protecting Wayspring's mission and reputation by ensuring we are trusted, audit-ready, and confident in how we safeguard data. This leader owns our healthcare compliance and security assurance programs - including HIPAA, HITRUST, and vendor risk - and serves as the clear point person for how we demonstrate security to clients, partners, auditors, and regulators. More than checking boxes, this role helps turn our security posture into a true business advantage by accelerating client trust, enabling sales, and strengthening Wayspring's long-term regulatory foundation.

This is a high-impact, hands-on role for someone who enjoys building smart, scalable programs and reducing friction across the organization. You'll work closely with teams across Legal, IT, Engineering, Compliance, and the business to embed security into real workflows - not just policies on paper. With ownership of key audits, automation strategy, and future GRC growth, this role offers the opportunity to shape how compliance works at Wayspring as we scale, while making a measurable difference in how quickly and confidently we serve members and partners. This role reports to the VP, Architecture & Security and partners closely with Legal and Compliance to support enterprise regulatory and contractual obligations through effective security and technology governance.

Why Wayspring?

We are passionate about breaking barriers alongside those facing substance use disorder. Whether you're in the field or in the corporate office - our mission is felt, and your impact is recognized. There is no inner circle, and we all have a seat at the table. Leaders are accessible and silos are avoided. We respect your craft and love to be challenged. We invest not only in our mission, but in each other. Internal promotions and cross-departmental training are the norm - you grow, we grow.

Investment in your growth: Wayspring provides an annual learning and certification budget that can be used for conferences (e.g., HIMSS, HITRUST Collaborate, RSA), training, and industry certifications (e.g., CISSP, CISM, CRISC, HITRUST CCSFP maintenance). We are eager to support your continued development in this role.


Responsibilities of the Manager, Security

  • Runs client security due diligence as a sales-enablement function. Owns the questionnaire response process, pre-fill library, and SLA commitments so that security accelerates deal velocity. Partners with Business Development and Account Management to turn our security posture into a competitive advantage
  • Owns Third-Party Risk Management (TPRM) and vendor risk. Builds and operates the vendor intake, review, re-assessment, and offboarding process; sets risk tiers; integrates with Procurement and Legal workflows
  • Owns the GRC platform and evidence automation strategy. Drives continuous control monitoring, automated evidence collection, and measurable reductions in manual compliance work
  • Develops, maintains, and enforces Wayspring's information security policies and procedures, ensuring they reflect actual organizational practice
  • Owns the company-wide security awareness program - phishing simulations, annual training, and role-based training for high-risk populations (executives, engineering, clinical operations)
  • Owns and manages Wayspring's HITRUST certification lifecycle end-to-end: scoping, readiness, full and interim assessments, evidence collection, gap remediation, and auditor coordination
  • Leads PCI DSS compliance for the scope relevant to Wayspring's member payment processing, applying right-sized controls (e.g., SAQ-aligned where appropriate) that match the risk profile
  • Drives concrete outcomes against Wayspring's stated security commitments: close findings on defined timelines, track attestation coverage, and report posture metrics to the VP, Architecture & Security
  • Partners with Legal, Compliance, HR, and IT & Infrastructure to embed compliance into business processes from the start

Management Practices & Expectations

  • Remains actively engaged in the healthcare regulatory and compliance landscape (e.g., OCR enforcement trends, HIPAA/HITECH, HITRUST CSF updates, state privacy laws) to anticipate changes rather than react to them
  • Ensures compliance activities meet security, reliability, and cost expectations, so compliance creates durable business value beyond audit outcomes
  • Drives automation and leverage to reduce manual compliance burden for every team at Wayspring
  • Uses AI-assisted tools to accelerate policy drafting, evidence analysis, questionnaire responses, and compliance research, while remaining accountable for decisions
  • Builds and maintains strong relationships with external auditors, assessors, and regulatory bodies
  • Represents Wayspring's compliance posture credibly to clients, prospects, regulators, and executive stakeholders

Ownership & Accountability

  • Accountable for Wayspring's compliance posture across HITRUST, HIPAA, and the in-scope portion of PCI DSS
  • Accountable for timely,accurate, high-quality completion of client security questionnaires and due-diligence requests
  • Accountable for third-party and vendor risk across the organization
  • Owns the integrity and currency of all security policies, procedures, and training programs
  • Owns building and developing GRC capacity, including future hiring as the program scales

The following expectations apply to every technical leader, with scope, impact, and accountability increasing at higher levels:

  • Security comes first. Leaders are accountable for ensuring their teams operate with strong security, privacy, and compliance awareness.
  • Leaders own outcomes, not just activity. Delivery, quality, reliability, and sustainability are core responsibilities.
  • Functional leadership matters. Leaders actively guide technical direction, standards, and decision-making within their domain.
  • Systems and teams are treated as products. Processes, team structures, and delivery mechanisms are intentionally designed and continuously improved.
  • Automation and leverage are expected. Leaders push teams to reduce manual work and improve scalability through tooling and process improvement.
  • Cross-functional collaboration is essential. Leaders partner effectively across disciplines to deliver outcomes.
  • AI tools are used to increase effectiveness. Leaders may use AI-assisted tools to support planning, analysis, documentation, and communication, while remaining accountable for decisions.

Requirements and Preferred Qualifications

  • 5+ years of experience in information security governance, risk, and compliance, with at least 2 years in a healthcare or health-tech environment
  • Direct, hands-on experience leading at least one HITRUST certification cycle (CSF assessments and evidence lifecycle)
  • Strong working knowledge of HIPAA requirements and how they apply in a clinical services environment
  • Experience owning client security questionnaire responses and external audit engagements
  • Experience operating a modern GRC platform (continuous control monitoring and automated evidence collection), with the judgment to select or transition platforms as the program matures
  • Demonstrated ability to write, maintain, and operationalize security policies and procedures
  • Strong communication skills with the ability to translate compliance requirements into business-friendly language for non-technical stakeholders

Preferred

  • Experience building or running a Third-Party Risk Management program
  • Familiarity with the narrow-scope application of PCI DSS to member payment processing in a healthcare context
  • Experience partnering directly with Business Development and Account Management on security-as-sales-enablement
  • Experience in substance use disorder, behavioral health, or Medicare-adjacent healthcare environments
  • Relevant certifications: CISSP, CISM, CRISC, HCISPP, HITRUST CCSFP, or equivalent

Our goal is to foster a workplace where everyone feels a true sense of belonging, is supported, and empowered to thrive. We actively seek different backgrounds, perspectives, and experiences - because we believe that drives better performance and innovation. We're committed to identifying and removing barriers for the communities we serve.

Benefit Summary

Creating a great employee experience takes more than just perks - but let's be real, those matter too. Here's how we're building a company where you, your family, your pets, and your passions can thrive

  • Comprehensive Medical, Dental and Vision Insurance options - including options for your pets!
  • Company funded HSA + Monthly Gym Allowance
  • Paid parental leave - all parents included!
  • Company paid short term disability, long term disability and life insurance
  • 401k with company match
  • Premium Employee Assistance Program, inclusive of counseling sessions
  • Pardon and Expungement Scholarship Program
  • Company Contributions to Future Minded Savings (HSA and Emergency savings fund)
  • Generous PTO package (accrual policy based on years of service) and an additional 10 paid company holidays
  • Company 2 week paid sabbatical program!
  • Provider Benefits include ASAM training and membership + $2,500 CEU annual stipend and more!