Information Security GRC Lead
Lirio applies the psychology of human behavior and the power of advanced machine learning to help healthcare and energy enterprises drive individuals toward positive behavior change at scale. Lirio delivers mass personalization by harnessing behavioral intelligence to surface the right message to the right person to drive the right action at the right time.
We are looking for an Information Security Governance, Risk, and Compliance Lead to start our GRC Team, understand where we are, and lead the company to its next iteration. The GRC function has broad exposure across the business, and the team has a proven track record of compliance achievements as we’ve matured as an organization.
We want the GRC Team to be the experts on communicating technical risk and be able to set security strategy with our partners in engineering, product, and IT. As a candidate, we want you to be motivated and able to achieve this goal, and we’ll support you in growing and mentoring our team to help you get there. This position reports directly to the Director of Information Security.
- Continuously improve and build our formal standards, policies, and procedures.
- Support and build our technical compliance program and maintain our certifications.
- Support and build upon our vendor security assessment program.
- Work with Security Director on inbound security assessments for health services and energy services.
- Work with Security Team to appropriately manage regulatory risk.
- Support and coordinate on-site security audits related to ISO27001, AICPA SOC 2, HIPAA, and HITRUST for compliance audits and certification.
- Assess and communicate risk and risk appetite with our core partners in engineering, product, and IT.
- Develop and run our risk assessment program.
- Review all system-related information security plans throughout Lirio’s network to ensure alignment between security and privacy practices.
- Find, build, and oversee adoption of our GRC tool.
- Evangelize the use of risk assessment company-wide.
- Bachelor’s/master’s degree in Computer Science, Cyber Security, Information Security, Engineering, Information Technology, Finance, Business, etc.
- Security governance and control design (e.g. ISO27001, NIST 800-53).
- Strong regulatory knowledge (HIPAA, GDPR).
- 5+ years of experience with security audit standards (e.g. SOC 2).
- 5+ years of experience with industry security standards (e.g. HITRUST, PCI).
- HITRUST CSF Certification a plus.
- CISSP, CISA, or similar certification desired.
- Exposure to security and compliance issues related to cloud and/or SaaS services.
- Experience implementing and operating a GRC program desired.
- Risk assessment experience.
- Leadership and strategy skills—ability to set and communicate security strategy and lead and mentor teams.
- Excellent written and verbal communication.
- Demonstrated ability to work independently, manage deadlines, understand third-party expectations, meet concurrent deadlines, organize time and priorities, and work well as a dedicated member of a team.