The Manager, Security (Governance, Risk & Compliance) plays a critical role in protecting Wayspring’s mission and reputation by ensuring we are trusted, audit‑ready, and confident in how we safeguard data. This leader owns our healthcare compliance and security assurance programs — including HIPAA, HITRUST, and vendor risk — and serves as the clear point person for how we demonstrate security to clients, partners, auditors, and regulators. More than checking boxes, this role helps turn our security posture into a true business advantage by accelerating client trust, enabling sales, and strengthening Wayspring’s long‑term regulatory foundation.
This is a high‑impact, hands‑on role for someone who enjoys building smart, scalable programs and reducing friction across the organization. You’ll work closely with teams across Legal, IT, Engineering, Compliance, and the business to embed security into real workflows — not just policies on paper. With ownership of key audits, automation strategy, and future GRC growth, this role offers the opportunity to shape how compliance works at Wayspring as we scale, while making a measurable difference in how quickly and confidently we serve members and partners. This role reports to the VP, Architecture & Security and partners closely with Legal and Compliance to support enterprise regulatory and contractual obligations through effective security and technology governance.
Open to candidates located in one of the following areas:
Nashville, TN (and surrounding areas)
Rochester, NY
Buffalo, NY
Why Wayspring?
We are passionate about breaking barriers alongside those facing substance use disorder. Whether you’re in the field or in the corporate office – our mission is felt, and your impact is recognized. There is no inner circle, and we all have a seat at the table. Leaders are accessible and silos are avoided. We respect your craft and love to be challenged. We invest not only in our mission, but in each other. Internal promotions and cross departmental training are the norm – you grow, we grow.
Investment in your growth: Wayspring provides an annual learning and certification budget that can be used for conferences (e.g., HIMSS, HITRUST Collaborate, RSA), training, and industry certifications (e.g., CISSP, CISM, CRISC, HITRUST CCSFP maintenance). We are eager to support your continued development in this role.
Responsibilities of the Manager, Security
Runs client security due-diligence as a sales-enablement function. Owns the questionnaire response process, pre-fill library, and SLA commitments so that security accelerates deal velocity. Partners with Business Development and Account Management to turn our security posture into a competitive advantage
Owns Third-Party Risk Management (TPRM) and vendor risk. Build and operate the vendor intake, review, re-assessment, and offboarding process; set risk tiers; integrate with Procurement and Legal workflows
Owns the GRC platform and evidence automation strategy. Drives continuous control monitoring, automated evidence collection, and measurable reductions in manual compliance work
Develops, maintains, and enforces Wayspring’s information security policies and procedures, ensuring they reflect actual organizational practice
Owns the company-wide security awareness program—phishing simulations, annual training, and role-based training for high-risk populations (executives, engineering, clinical operations)
Owns and manages Wayspring’s HITRUST certification lifecycle end-to-end: scoping, readiness, full and interim assessments, evidence collection, gap remediation, and auditor coordination
Leads PCI DSS compliance for the scope relevant to Wayspring’s member payment processing, applying right-sized controls (e.g., SAQ-aligned where appropriate) that match the risk profile
Drives concrete outcomes against Wayspring’s stated security commitments: close findings on defined timelines, track attestation coverage, and report posture metrics to the VP, Architecture & Security
Partners with Legal, Compliance, HR, and IT & Infrastructure to embed compliance into business processes from the start
Management Practices & Expectations
Remains actively engaged in the healthcare regulatory and compliance landscape (e.g., OCR enforcement trends, HIPAA/HITECH, HITRUST CSF updates, state privacy laws) to anticipate changes rather than react to them
Ensures compliance activities meet security, reliability, and cost expectations, so compliance creates durable business value beyond audit outcomes
Drives automation and leverage to reduce manual compliance burden for every team at Wayspring
Uses AI-assisted tools to accelerate policy drafting, evidence analysis, questionnaire responses, and compliance research, while remaining accountable for decisions
Builds and maintains strong relationships with external auditors, assessors, and regulatory bodies
Represents Wayspring’s compliance posture credibly to clients, prospects, regulators, and executive stakeholders
Ownership & Accountability
Accountable for Wayspring’s compliance posture across HITRUST, HIPAA, and the in-scope portion of PCI DSS
Accountable for timely, accurate, high-quality completion of client security questionnaires and due-diligence requests
Accountable for third-party and vendor risk across the organization
Owns the integrity and currency of all security policies, procedures, and training programs
Owns building and developing GRC capacity, including future hiring as the program scales
The following expectations apply to every technical leader, with scope, impact, and accountability increasing at higher levels:
Security comes first. Leaders are accountable for ensuring their teams operate with strong security, privacy, and compliance awareness.
Leaders own outcomes, not just activity. Delivery, quality, reliability, and sustainability are core responsibilities.
Functional leadership matters. Leaders actively guide technical direction, standards, and decision-making within their domain.
Systems and teams are treated as products. Processes, team structures, and delivery mechanisms are intentionally designed and continuously improved.
Automation and leverage are expected. Leaders push teams to reduce manual work and improve scalability through tooling and process improvement.
Cross-functional collaboration is essential. Leaders partner effectively across disciplines to deliver outcomes.
AI tools are used to increase effectiveness. Leaders may use AI-assisted tools to support planning, analysis, documentation, and communication, while remaining accountable for decisions.
Requirements and Preferred Qualifications
5+ years of experience in information security governance, risk, and compliance, with at least 2 years in a healthcare or health-tech environment
Direct, hands-on experience leading at least one HITRUST certification cycle (CSF assessments and evidence lifecycle)
Strong working knowledge of HIPAA requirements and how they apply in a clinical services environment
Experience owning client security questionnaire responses and external audit engagements
Experience operating a modern GRC platform (continuous control monitoring and automated evidence collection), with the judgment to select or transition platforms as the program matures
Demonstrated ability to write, maintain, and operationalize security policies and procedures
Strong communication skills with the ability to translate compliance requirements into business-friendly language for non-technical stakeholders
Preferred
Experience building or running a Third-Party Risk Management program
Familiarity with the narrow-scope application of PCI DSS to member payment processing in a healthcare context
Experience partnering directly with Business Development and Account Management on security-as-sales-enablement
Experience in substance use disorder, behavioral health, or Medicare-adjacent healthcare environments
Relevant certifications: CISSP, CISM, CRISC, HCISPP, HITRUST CCSFP, or equivalent
Our goal is to foster a workplace where everyone feels a true sense of belonging, is supported, and empowered to thrive. We actively seek different backgrounds, perspectives, and experiences—because we believe that drives better performance and innovation. We’re committed to identifying and removing barriers for the communities we serve.
Benefit Summary
Creating a great employee experience takes more than just perks—but let’s be real, those matter too. Here’s how we’re building a company where you, your family, your pets, and your passions can thrive.
Comprehensive Medical, Dental and Vision Insurance options – including options for your pets!
Company funded HSA + Monthly Gym Allowance
Paid parental leave – all parents included!
Company paid short term disability, long term disability and life insurance
401k with company match
Premium Employee Assistance Program, inclusive of counseling sessions
Pardon and Expungement Scholarship Program
Company Contributions to Future Minded Savings (HSA and Emergency savings fund)
Generous PTO package (accrual policy based on years of service) and an additional 10 paid company holidays
Company 2 week paid sabbatical program!
Provider Benefits include ASAM training and membership + $2,500 CEU annual stipend and more!
Seniority level: Mid-Senior level
Employment type: Full-time
Job function: Information Technology
Industries: Hospitals and Health Care