Director, IT Security & Compliance - Remote

Job Summary

The Director of IT Security Compliance is responsible for leading and managing enterprise-wide security compliance, IT audit, and third-party risk management initiatives. This role ensures alignment with industry standards and regulatory requirements while overseeing certification efforts, audit processes, vendor risk evaluations, and continuous improvement of compliance programs. The Director will work cross-functionally to support business objectives while maintaining a strong security, audit, and compliance posture.

Essential Job Functions

Certification & Audit Management

• Lead and manage all external certification audit processes, including ISO 27001, HITRUST, and SOC 1 / SOC 2.
• Serve as the primary point of contact for external auditors, certification bodies, and IT audit firms.
• Oversee IT audit readiness activities, including control design, documentation, and evidence management.
• Coordinate internal stakeholders to ensure timely and successful audit execution.
• Respond to client‑driven audits and due diligence requests across all business lines.

IT Audit Oversight & Governance

• Lead internal and external IT audit engagements, including planning, scoping, execution support, and reporting.
• Ensure alignment of IT controls with audit frameworks (e.g., SOC, ISO, HITRUST, NIST).
• Partner with Internal Audit and external auditors to facilitate efficient audit cycles.
• Review audit results, assess control effectiveness, and provide strategic recommendations.
• Establish and maintain audit documentation standards, including policies, procedures, and control narratives.

Third-Party Risk Management (TPRM)

• Define and lead the enterprise third-party risk management program.
• Establish processes to assess and tier vendor risk based on data sensitivity, access, and business impact.
• Evaluate vendor risk through:
  • Business owner–completed risk assessments
  • Vendor‑provided certifications (e.g., SOC 2, HITRUST)
  • Independent vendor security scorecards
• Leverage GRC tools to calculate and track inherent risk and residual risk for all vendors.
• Review vendor control environments and identify gaps against organizational and regulatory requirements.
• Partner with business owners to ensure appropriate risk acceptance, mitigation, or remediation strategies are implemented.
• Monitor vendor risk posture continuously and reassess critical vendors on a defined cadence.
• Support procurement and legal teams in embedding security and compliance requirements into vendor contracts.

Corrective Action & Findings Management

• Define, implement, and manage the internal corrective action plan (CAP) process.
• Track and drive remediation of findings from:
  • IT audits (internal and external)
  • Client audits
  • Penetration tests
  • Risk assessments
  • Vendor risk assessments
• Ensure timely closure of identified gaps and maintain appropriate audit‑ready documentation.

Risk Assessment & Compliance Processes

• Develop, implement, and oversee internal risk assessment processes aligned with certification and audit requirements.
• Evaluate IT general controls (ITGCs), application controls, and security controls.
• Identify control gaps and provide remediation strategies aligned with audit expectations.

Continuous Improvement

• Define and execute strategies for continuous improvement of compliance, audit, and third‑party risk processes.
• Enhance control frameworks, documentation quality, and audit efficiency.
• Monitor evolving regulatory, audit, and industry requirements.

Client & RFP Support

• Respond to external audit requests, security questionnaires, and RFPs across all business units.
• Translate audit and compliance posture into clear, client‑facing responses.
• Partner with sales, legal, and operational teams to support business growth.

Access Management Oversight

• Execute and oversee the quarterly user access review process.
• Ensure compliance with ITGC access control requirements.
• Validate adherence to least privilege and segregation of duties (SoD).

KPI Development & Performance Management

• Define, implement, and monitor KPIs for compliance, audit, and third-party risk processes.
• Develop dashboards to track audit readiness, vendor risk posture, control effectiveness, and remediation progress.
• Provide regular reporting to executive leadership and stakeholders.

Qualifications

• Bachelor’s degree in Information Security, Information Technology, Accounting, or related field (or equivalent experience).
• 10+ years of experience in IT security, compliance, IT audit, and/or third-party risk management.
• Strong hands‑on experience with:
  • SOC 1 / SOC 2
  • ISO 27001
  • HITRUST
  • IT General Controls (ITGCs)
  • Third‑party/vendor risk management frameworks
• Proven experience managing IT audits and vendor risk assessments.
• Proven experience managing security compliance teams.
• Experience with GRC platforms and risk scoring methodologies (inherent vs. residual risk).
• Strong understanding of control environments and risk mitigation strategies.
• Excellent communication and stakeholder management abilities.
• Ability to manage multiple priorities, audits, and vendor relationships simultaneously.
• Detail‑oriented with strong documentation and evidence management discipline.

Preferred

• Professional certifications such as:
  • CISA (Certified Information Systems Auditor)
  • CISSP, CISM, or CRISC
• Experience working with internal audit teams or public accounting firms.
• Experience in healthcare or other regulated industries.
• Familiarity with vendor risk tools and security rating platforms (e.g., BitSight, SecurityScorecard).
• Familiarity with IT development and operations management tools (e.g. JIRA, WIZ, MEND, OneTrust, CrowdStrike).

Sharecare and its subsidiaries are Equal Opportunity Employers and E-Verify users. Qualified applicants will receive consideration for employment without regard to race, color, sex, national origin, sexual orientation, gender identity, religion, age, equal pay, disability, genetic information, protected veteran status, or other status protected under applicable law.