Chief Information Security Officer (CISO)

Title: Chief Information Security Officer (CISO)

Location: Austin, TX / Morristown, NJ (hybrid)

Reports To: Chief Technology Officer

About Hippo:

Hippo was built on a promise: make homeownership effortless. Nearly a decade later, that mission still drives us. We use technology and data to help our customers stay ahead of problems and protect what matters most.


Today, that same tech-native approach powers our work beyond homeowners. Hippo operates as a diversified carrier platform, partnering with MGAs to deliver tailored program solutions that help them grow and deliver better customer experiences. Behind that work is a team that values ownership, curiosity, collaboration, and continuous improvement.


If you're energized by building what's next, we'd love to meet you.


About the Role:


Hippo is hiring a Chief Information Security Officer to lead cybersecurity strategy, security operations, and governance, risk, and compliance across the enterprise. You will be responsible for protecting Hippo's systems, data, and customers against an evolving threat landscape while ensuring the company meets its regulatory and compliance obligations as a publicly traded, multi-state insurance carrier.


This role owns Hippo's SOC 2 program, leads security operations, and drives compliance with applicable state and federal cybersecurity regulations. You will also own identity governance, privacy and data protection strategy, and third-party risk management. This is a high-visibility leadership role that requires equal fluency in security engineering, regulatory compliance, and executive communication.


About You:


You are a seasoned cybersecurity leader who has built and run security programs at a publicly traded, regulated company. You have navigated regulatory examinations and SOX audit cycles, and you can move seamlessly between a technical incident response scenario and a board presentation. You think in terms of risk, you quantify what you can, and you communicate what you can't with intellectual honesty.


You bring a builder's mindset to security. You understand that a great security program enables the business rather than slowing it down, and you know how to embed security into engineering culture without creating friction. Whether your background is in Insurtech, fintech, healthcare, or another heavily regulated sector, you understand multi-regulator environments and lead with clarity and high standards.


What You'll Do:

• Further develop and execute Hippo's enterprise cybersecurity strategy, aligned with business risk appetite and regulatory requirements
• Build and lead the security operations function, including threat detection, incident response, vulnerability management, and threat intelligence
• Own Hippo's SOC 2 program end-to-end, including control design, evidence collection, readiness assessments, and auditor engagement
• Lead the governance, risk, and compliance function, maintaining the cybersecurity risk register, policy framework, standards, and control library
• Drive compliance with applicable state and federal cybersecurity and insurance regulations
• Support SEC cybersecurity disclosure obligations in coordination with Legal and Finance
• Lead identity governance, including access certification, privileged access management policy, and separation of duties enforcement
• Own privacy and data protection compliance strategy, partnering with Legal on data handling, breach notification, and policyholder data protection
• Manage the third-party and vendor cybersecurity risk management program
• Report to the Board of Directors and Audit and Risk Committee on cybersecurity posture, risk trends, and incident activity
• Provide second-line oversight and security control design input to the SOX ITGC program
• Build and lead the security engineering function, owning secure design standards and threat modeling practices that ensure security is embedded from architecture through to deployment
• Build, mentor, and develop the cybersecurity team and drive a culture of security awareness across the organization
• Lead cybersecurity budgeting, roadmap planning, and technology rationalization
• Own disaster recovery and business continuity planning across the enterprise, working closely with the CIO and CTO to drive regular testing, validate recovery capabilities, and ensure organizational resilience is aligned to business and cybersecurity risk
• Own the enterprise Incident Response Plan, lead the Security Incident Response Team (SIRT) across the full incident lifecycle from detection and containment through recovery and post-incident review, define severity classifications and escalation paths, and ensure cross-functional stakeholders (Legal, Compliance, IT, and executive leadership) are engaged appropriately during active incidents
• Drive a continuous improvement program with outcomes tracked to remediation and reported to the Audit and Risk Committee
• Lead the enterprise response to supply chain vulnerabilities across open-source dependencies and third-party service providers, owning risk assessment, mitigation, and remediation

Must Haves:

• 10+ years of progressive experience in cybersecurity or information security, with at least 5 years in a senior security leadership role (CISO, VP of Security, or Head of Information Security)
• Experience at a regulated, publicly traded company, including direct involvement in SOX audit cycles
• Track record of building and managing security operations capabilities
• End-to-end ownership of a SOC 2 program, including control design, audit preparation, and remediation
• Experience with cybersecurity regulations in a regulated industry (financial services, insurance, or healthcare preferred)
• Strong GRC background with experience maintaining risk registers, policy frameworks, and control libraries
• Proven ability to present cybersecurity risk and incident information to boards of directors, audit committees, and regulators
• Experience managing third-party and vendor cybersecurity risk programs
• Excellent cross-functional leadership skills with a track record of partnering effectively with Legal, Finance, Internal Audit, and Engineering

Nice to Have:

• Experience in the insurance, Insurtech, or fintech industry
• Familiarity with privacy frameworks and data protection requirements (CCPA/CPRA, state breach notification laws)
• Relevant certifications such as CISSP, CISM, CRISC, or CISA
• Background in security engineering or application security in addition to GRC and security operations
• Experience managing cybersecurity programs across multi-entity corporate structures1

Benefits and Perks:

Hippo treats its team members with the same level of dedication and care as we do our customers, which is why we're fortunate to provide all of our Hippos with:

• Healthy Hippos Benefits - Multiple medical plans to choose from and 100% employer covered dental & vision plans for our team members and their families. We also offer a 401(k)-retirement plan, short & long-term disability, employer-paid life insurance, Flexible Spending Accounts (FSA) for health and dependent care, and an Employee Assistance Program (EAP)
• Equity -This position is eligible for equity compensation
• Training and Career Growth - Training and internal career growth opportunities
• Flexible Time Off - You know when and how you should recharge
• Little Hippos Program - We offer 12 weeks of parental leave for primary and secondary caregivers
• Hippo Habitat - Snacks and drinks available and catered lunches for onsite employees

Hippo is an equal opportunity employer, and we are committed to building a team culture that celebrates diversity and inclusion. Hippo's applicants are considered solely based on their qualifications, without regard to an applicant's disability or need for accommodation. Any Hippo applicant who requires reasonable accommodations during the application process should contact the Hippo's People Team to make the need for an accommodation known.


Hippo CCPA