
Director, GRC, Data Protection
Phreesia
full-time
Posted on:
Location Type: Remote
Location: United States
About the role
- Lead and mature our governance, risk, and compliance program, aligned to NIST CSF 2.0 and our enterprise risk framework.
- Own overall strategy and execution for data security (encryption, backups, DSPM, data lifecycle controls) in close partnership with Product, Engineering, and Infrastructure.
- Serve as the primary infosec leader for PCI-DSS Level 1, HITRUST, SOC 2, and SOX ITGC coordination, ensuring evidence (including penetration testing), narratives, and controls are consistent and efficient.
- Partner with product and engineering teams to embed security into software development lifecycles, roadmap planning, and quarterly business reviews.
- Govern & guide Third Party Risk Management (TPRM) objectives.
- Act as a matrixed leader, influencing teams you don’t directly manage while providing clear, actionable guidance to executives, developers, and staff.
- Function as backup to the CISO for key decisions, stakeholders, and external meetings with customers, auditors, and regulators.
Requirements
- Bachelor's Degree required, advanced degree preferred
- Certifications CISSP, CISM, CISA, CRISC, PCI ISA/QSA, or similar preferred
- Experience in healthcare, health IT, payments, or other highly regulated data environments where PCI, HITRUST, SOX, and SOC 2 interact.
- Prior role as Head of GRC, or Security & Compliance lead for a Level 1 service provider or HITRUST-certified organization.
- 12+ years in information security, with 7+ years in leadership roles across at least two of: GRC, data security, security architecture/engineering, or security assurance.
- Significant experience in a product-driven, software development company (e.g., SaaS, cloud platform, or software publisher), working closely with Product Management and Engineering organizations.
- Deep, hands-on experience leading multiple full cycles of all of the following in a cloud/SaaS or otherwise regulated environment:
  - PCI DSS Level 1 service provider RoC with a QSA (scoping, control design, evidence strategy, remediation management).
  - HITRUST CSF readiness and certification/validated assessment.
  - SOX ITGC engagement in a consultative/coordination capacity with Finance/Internal Audit (not necessarily full program ownership).
  - SOC 2 Type II audits against the Trust Services Criteria.
- Strong technical fluency in:
  - Data security architectures (encryption at rest/in transit, tokenization, KMS/HSM, DLP, logging/monitoring).
  - Cloud and SaaS security concepts relevant to PCI/HITRUST/SOC 2 environments.
- Demonstrated ability to design and evaluate controls, not just document them, and to work directly with engineers on implementation details.
- Exceptional written and verbal communication skills, including direct experience presenting to senior executives and boards on security posture, risk, and audit outcomes.
- Proven effectiveness in a highly matrixed organization, influencing cross-functional stakeholders and resolving conflicting priorities.
Benefits
- 100% Remote work + home office expense reimbursements
- Competitive compensation
- Flexible PTO + 8 company holidays
- Monthly reimbursement for cell phone + internet + wellness
- 100% Paid 12-week parental leave to our U.S. employees, as well as a generous parental benefit to our employees in Canada
- Variety of insurance coverage for people (and pets!)
- Continuing education and professional certification reimbursement
- Opportunity to join an Employee Resource Group.
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
governance, risk management, compliance, data security, encryption, penetration testing, security architecture, data lifecycle controls, cloud security, SOC 2 audits
Soft Skills
leadership, communication, influencing, guidance, collaboration, presentation, problem-solving, stakeholder management, organizational skills, matrixed leadership
Certifications
CISSP, CISM, CISA, CRISC, PCI ISA, PCI QSA