We are CONNECTING HEALTH AND WEALTH. Come be part of remarkable.
How you can make a difference
As a Senior Program Manager for Security Governance, Risk, and Compliance (GRC), you will report to the Director of Security GRC. You will be part of a team working to identify, evaluate, and report on cybersecurity risks in a manner that meets HealthEquity's internal, regulatory, and client contract requirements.
You will work closely with Security, Internal Audit, Enterprise Risk Management, external auditors, and all technology stakeholders across the company to perform security assessments and ensure timely execution of projects and programs while mitigating any security risks against applicable frameworks (e.g., HITRUST, FedRAMP, PCI, NIST CSF, SOX, SOC I/II, HIPAA).
You will be responsible for developing and implementing effective security policies, procedures, and frameworks to ensure the protection of our company's information assets. You will be delivering subject matter expertise and guidance to ensure HealthEquity's technologies, processes, business development, platforms, and systems are consistent with HealthEquity's security policies and applicable law. With guidance, you will oversee remediation, corrective action plans, and ongoing monitoring to address findings resulting from audits, assessments, compliance reviews, and self-identified issues.
You will encourage security best practices through consistent analysis, feedback, and follow-through with a variety of internal teams. You'll need strong analytical and problem-solving skills, with the ability to assess complex security risks and develop effective strategies; the ability to articulate technical concepts to both technical and non-technical audiences; and a strong background in security program management, risk assessment, and compliance frameworks.
What you'll be doing
- Develop an understanding of HealthEquity business processes and systems to support the Security GRC team.
- Conduct comprehensive risk assessments and vulnerability analyses to identify potential security risks and recommend appropriate mitigation strategies. This will require leading and influencing cross-functional teams and stakeholders at all levels of the company.
- Guide external assessors in conducting NIST CSF, HITRUST, PCI DSS, FedRAMP, and other assessments. Act as a liaison between assessors and internal teams to ensure clear communication and timely completion of evidentiary requests. Participate in control walkthroughs, assist in gathering audit evidence requests, and coordinate follow-up requests. Oversee exception remediation and monitoring.
- In conjunction with Attack Surface Management and Vulnerability Management teams, plan and support penetration tests, vulnerability scans, and remediation actions required by compliance programs, including PCI DSS and FedRAMP.
- Develop and implement security metrics and key performance indicators (KPIs) to measure the effectiveness of security controls, risk mitigation strategies, and compliance efforts. Regularly analyze and report on security metrics to senior management, identifying trends, areas of improvement, and actionable insights.
- Lead and support information-gathering efforts related to HealthEquity's complex data environment and apply new or changing security practices to new and existing processes and controls.
- Manage identification and rollout of scalable innovative technologies to support security governance, including developing usage policies and guidelines, audit, and control processes.
- Maintain "auditor-ready" toolkits for response to audits, assessments, and regulator inquiries.
- Drive continuous improvement efforts by identifying opportunities for enhancing security governance, risk management, and compliance practices.
What you will need to be successful
- Bachelor's Degree, focus on information security, information technology, or related discipline is preferred.
- 5+ years of professional experience in a role involving Information Security GRC, IT Compliance, IT Audit, legal, or privacy, preferably in a technology setting or highly regulated industry.
- Experience with Microsoft 365 applications (Word, PowerPoint, Excel)
- Additional Education/Certification preferred but not required, e.g. CIPP or CIPM, CDPSE, CISSP, CISM, CISA, CCSA
- Experience interacting with and working directly with/for internal/external business partners.
- Able to work collaboratively in a fast-paced technology environment, where willingness to learn and adapt is critical.
- At least one certification such as ISO 27001 Lead Auditor, CISA, HIPAA Expert, or SOX Expert Certification (preferred), or an applicable project management certification.
- Strong knowledge of at least one industry standard or best-practice framework such as SOC 1, SOC 2 Type II, ISO/IEC 27001 certification, HIPAA compliance, HITRUST, or PCI DSS
- Strong exposure to and knowledge of Information Technologies and IT security best practices
- Strong working experience establishing information security risk management, governance, compliance, and audit programs from scratch across different regions and business units, and maturing them over the following two years.
- Ability to work autonomously or as part of a team, within targets and deadlines
- Excellent written and verbal communication skills.
- Experience influencing others to take action.
#LI-Remote
This is a remote position.
Salary Range: $109,500.00 to $141,000.00 / year
Benefits & Perks
The compensation range describes the typical minimum or maximum base pay range for this position. The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives as part of the total compensation package, in addition to a full range of benefits including:
- Medical, dental, and vision
- HSA contribution and match
- Dependent care FSA match
- Uncapped paid time off
- Adventure accounts
- Paid parental leave
- 401(k) match
- Personal and healthcare financial literacy programs
- Ongoing education & tuition assistance
- Gym and fitness reimbursement
- Wellness program incentives
Why work for HealthEquity
HealthEquity has a vision that by 2030 we will make HSAs as widespread and popular as retirement accounts. We are passionate about providing a solution that allows American families to connect health and wealth. Join us and discover a work experience where the person is valued more than the position.
Come be your authentic self
HealthEquity, Inc. is an equal opportunity employer that is committed to inclusion and diversity. We take affirmative action to ensure equal opportunity for all applicants without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, status as a qualified individual with a disability, veteran status, or other legally protected characteristics. HealthEquity is a drug-free workplace. For more information about our EEO policy, or about HealthEquity's applicant disability accommodation, drug-free-workplace, background check, and E-Verify policies, please visit our Careers page.
HealthEquity is committed to your privacy as an applicant for employment. For information on our privacy policies and practices, please visit HealthEquity Privacy.
Employment Type: FULL_TIME