Director of IT & Security, CISO

Overview Redox is on a mission to accelerate healthcare’s transformation with useful data. Redox Engine, a flexible interoperability platform, connects and powers real-time healthcare data exchange. With just one connection, data can be orchestrated across a growing network of 12,000+ systems and organizations, including 100+ electronic health record systems (EHRs). Redox processes over 1.2 billion messages per month across our health tech vendor, provider, payer, EHR, and life sciences customers. Opportunity & Impact Redox is seeking a hands-on Director of IT & Security, CISO to own enterprise security, cloud, and application security, and corporate IT. This role reports directly to the CTO and is a core member of the technology leadership team. You will lead security engineering, security operations, and corporate IT while partnering closely with Engineering, Platform, and Operations to embed security and reliability into how Redox builds and runs software. Success in this role means strong security posture, resilient internal systems, and an employee experience that just works—without slowing the business down. Job Responsibilities Security Strategy & Leadership: Own end-to-end information security strategy across cloud, application, infrastructure, and corporate environments. Define a pragmatic security roadmap aligned to business risk, regulatory requirements, and engineering velocity. Serve as the executive owner for security posture, risk management, and incident response. Act as a trusted advisor to the CTO and executive team on security, risk, and operational tradeoffs. Security Engineering & DevSecOps: Drive a DevSecOps-first operating model, embedding security into CI/CD pipelines, infrastructure as code, and developer workflows. Partner deeply with engineering leadership to make security scalable, automated, and measurable. Lead threat modeling, secure design reviews, and risk assessments for new platform initiatives. Champion policy-as-code, guardrails, and automation over manual process. Cloud, Application & Infrastructure Security: Own security architecture and operations for a primarily AWS-based environment. Lead application security programs, including secure SDLC, dependency scanning, SAST/DAST, penetration testing, and vulnerability management. Own identity and access management strategy with Okta as the backbone. Ensure strong detection, alerting, and response across endpoints and cloud workloads (e.g., CrowdStrike, RAD). Security Operations & Incident Response: Build and run effective security operations, including monitoring, investigation, incident response, and post-incident learning. Lead incident response for both security and IT incidents, serving as the calm point of accountability. Run tabletop exercises and continuously improve response playbooks. Manage vendor relationships, including CrowdStrike, Flashpoint, RAD, and Okta. Corporate IT & Enterprise Systems: Own corporate IT strategy and execution, focused on reliability, security, and employee productivity. Lead end-user computing, device management, endpoint security, identity lifecycle management, and access controls. Oversee IT systems, including identity, email, collaboration tools, endpoint management, and SaaS access governance. Drive automation and standardization across onboarding, offboarding, access management, and device lifecycle. Partner with People Ops, Legal, and Finance on IT processes, audits, and vendor management. Compliance, Risk & Healthcare Context: Own healthcare-related security and compliance programs (e.g., HIPAA, SOC 2). Translate regulatory requirements into practical, engineering-friendly controls. Lead third-party risk management and vendor security reviews. Support customer security reviews and serve as an executive point of contact on security matters. Team Leadership & Culture: Build, lead, and mentor a high-performing team spanning security engineering, security operations, and IT. Create a culture where security and IT are seen as enablers, not blockers. Establish clear ownership, measurable outcomes, and high operational standards. Be visible, decisive, and calm under pressure. Required Skills & Experience 10+ years in information security, IT, or related technical leadership roles, including 5+ years of people management, ideally in healthcare technology SaaS. Proven experience leading security engineering, security operations, and corporate IT in a cloud-native SaaS environment. Direct experience in healthcare or other highly regulated industries. Track record of successfully implementing DevSecOps practices. Deep hands-on experience securing AWS environments. Strong understanding of endpoint security, identity systems, and modern SaaS IT stacks. Practical knowledge of tools such as CrowdStrike, Okta, Flashpoint, RAD, and related platforms. Strong foundation in application security, cloud security, and infrastructure as code. Strong collaborator with engineering, platform, and operations teams. Clear, direct communicator who can articulate risk without theatrics. Comfortable making tradeoffs and prioritizing based on real-world risk. Builder mindset with a bias toward automation and scale. Preferred Skills & Experience Proven experience securing autonomous agentic loops and tool-calling frameworks. Deep understanding of Indirect Prompt Injection and designing "Human-in-the-Loop" guardrails for agent-driven actions. Technical expertise in securing the Model Context Protocol (MCP), specifically regarding context isolation, sandboxing, and identity propagation between LLMs and private data sources. Direct experience migrating security programs to Vanta or similar automated GRC platforms. Ability to architect "continuous compliance" by integrating cloud, identity, and developer tools for automated evidence collection. Hands-on application of the NIST AI RMF, OWASP Top 10 for LLMs, etc within a production environment. Software Platform / Tools Required: Crowdstrike, AWS, Okta Preferred: Vanta Compensation: $224,000 - $260,000 a year Benefits & Perks 100% remote first culture (must be based in the US) Unlimited Flexible Time Off 15+ Observed Holidays Rest & R^Charge days (guaranteed a 3-day weekend each month) R^Charge (6 weeks paid sabbatical + stipend) 401k match 50% for up to 8% on Day 1 Medical/Dental/Vision Benefits on Day 1 HSA & FSA, Life, Disability, Medical Travel & Employee Assistance Program Paid Parental Leave (16 weeks) Productivity Stipend & Wellness Fund Redox Issued MacBook Virtual and/or in-person Team & Company Events Stock Options Employee Referral Bonus Program About Redox Research shows that while men apply to jobs when they meet an average of 60% of the criteria, women and other marginalized folks tend to only apply when they check every box. So if you think you have what it takes, but don\'t necessarily meet every single point on the job description, please still get in touch. We would love to have a chat and see if you could be a great fit. What We Do Healthcare organizations and technology vendors connect to Redox once, then authorize what data they send to and receive from partners through a centralized hub. Redox\'s cloud-based platform is vendor and standards-agnostic and enables the secure and efficient exchange of healthcare data. This approach eradicates the need for point-to-point integrations and accelerates the discovery, adoption, and distribution of patient and provider-facing technology solutions. With hundreds of healthcare organizations and technology vendors exchanging data today, Redox represents the largest interoperable network in healthcare. Learn how you can leverage the Redox platform at EEO & Diversity Redox is an EEO company. We fully support the diversity of our team. As part of our ongoing work to build more diverse teams at Redox, you will be asked to complete a voluntary EEO survey when applying. This survey is anonymous, we cannot link your application record with your survey responses. We request that you complete this voluntary survey as we run monthly reports for each team which provides data for diversity in terms of gender and ethnic background in our Applicants and our Hired Redoxers. We take this data very seriously and appreciate your willingness and time to complete this step in the process. Successful candidates must be eligible to be employed in the U.S. and must reside & work in the continental U.S. Thank you for your interest in Redox!

#LI-TA1