Information Security Officer

Information Security Officer (ISO)

HITRUST is seeking an experienced Information Security Officer (ISO) to lead and continuously evolve our enterprise information security program in a cloud-first, Zero Trust environment. This role is accountable for protecting HITRUST's information assets, supporting our assurance obligations, and enabling secure business growth.

The Information Security Officer partners closely with Engineering leadership and business stakeholders to ensure security controls are risk-based, scalable, and aligned with modern cloud and SaaS architectures, while meeting regulatory and customer assurance expectations.

Duties & Responsibilities:

Security Strategy, Governance & Zero Trust Enablement

• Own and lead the enterprise information security program, including strategy, policies, standards, and operating procedures
• Define and operationalize Zero Trust security principles, including identity-centric access controls, least privilege, continuous verification, and explicit trust boundaries
• Align security strategy with business objectives, risk tolerance, and HITRUST assurance requirements
• Translate technical risks into clear business impact for executive leadership
• Monitor emerging cyber threats, cloud security risks, and regulatory changes, implementing proactive mitigations

Cloud-First & Modern Infrastructure Security

• Oversee security controls across cloud infrastructure, SaaS platforms, applications, and data environments
• Ensure secure design and operation of identity, access management, logging, monitoring, and encryption services
• Partner with Engineering to embed security into cloud architectures and software development lifecycles (secure-by-design)
• Oversee vulnerability management, security testing, and validation across infrastructure and applications

Security Operations & Incident Response

• Oversee security operations, including threat detection, security analytics, and continuous monitoring capabilities
• Lead incident response for security events, ensuring timely containment, eradication, and recovery
• Conduct post-incident root cause analysis and executive-level reporting
• Escalate and report significant security events to leadership and required stakeholders

Resilience, Business Continuity & Recovery

• Establish and maintain disaster recovery and business continuity procedures aligned to cloud-first architectures
• Conduct breach simulations, incident response exercises, and disaster recovery testing
• Ensure organizational readiness for security incidents and operational disruptions

Compliance, Assurance & Customer Trust

• Manage and continuously enhance a compliance-driven policy and control framework
• Lead or support security assurance activities, including HITRUST CSF, SOC, ISO, HIPAA, and customer-driven assessments
• Support completion of customer security questionnaires and due diligence requests
• Ensure security requirements are integrated into projects and initiatives, and that security milestones are met

Security Awareness & Culture

• Champion organization-wide security awareness and training initiatives
• Promote a culture of shared responsibility for protecting HITRUST information assets
• Support ongoing education and development related to cybersecurity and privacy best practices

Required Qualifications:

• Minimum of six (6) years of experience in information technology or information security
• Bachelor's degree in Information Technology, Computer Science, Cybersecurity, or a related discipline
• CISSP certification required; additional certifications (e.g., CEH, CCSP, CISM) are a plus
• Experience with forensic investigation and incident response
• Demonstrated experience leading or participating in security control assessments (e.g., HITRUST CSF, SOC, ISO, HIPAA)
• Strong understanding of cloud security models, identity-centric security, and Zero Trust concepts
• Experience with infrastructure and application security testing
• Strong analytical and organizational skills with the ability to manage multiple initiatives in a dynamic environment
• Excellent verbal, written, and interpersonal communication skills, including the ability to communicate security risk effectively to executives, engineering teams, and business stakeholders

About Us:

HITRUST is the leader in validated cybersecurity assurance used in third-party risk management and compliance. HITRUST delivers assurance and certification programs for the application and independent validation of security, privacy, and AI controls, harmonized across more than 60 authoritative standards and frameworks. Its threat-adaptive approach combines tiered, selectable assessments (e1, i1, r2, and AI), an ecosystem of over 100 independent assessment firms, centralized quality assurance, standardized reporting, and a powerful SaaS platform to enable consistent, defensible, and scalable assurance. HITRUST delivers the only assurance certification with defensible proof of security, demonstrated by a 99.62% breach-free rate among certified environments in the 2026 Trust Report. For nearly 20 years, HITRUST has defined the standard for trustworthy cybersecurity proof, helping organizations demonstrate measurable cybersecurity resilience across their enterprises and third-party ecosystems.

HITRUST is an equal opportunity employer that is committed to diversity and inclusion in the workplace.

We prohibit discrimination and harassment of any kind based on race, color, region, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.