Director of Information Security

ECP is a market-leading SaaS software solution that enables senior living communities to better care for their residents. ECP is used in over 8,000 communities. We're looking to further expand by increasing the number of customers that use our software and increasing the scope of how we serve our customers by developing and releasing new products. ECP is seeking a Director of Information Security to lead and execute our cybersecurity and compliance strategy. This is a hands-on role responsible for ensuring the confidentiality, integrity, and availability of our systems and customer data within the context of healthcare regulations (HIPAA) and SOC 2 Type II compliance. The ideal candidate brings a blend of technical expertise, regulatory understanding, and practical execution, partnering closely with our Infrastructure and IT teams to strengthen our security posture across the company. You’ll manage annual audits, harden systems, guide best practices, and foster a culture of security awareness. This position reports to the VP of Engineering and collaborates cross-functionally with DevOps, Infrastructure, Compliance, and IT. Note: We are open to remote candidates located in the U.S.

Cybersecurity:

• Develop and execute ECP’s information security strategy, aligned with business goals and risk tolerance.
• Maintain and evolve SOC 2 Type II compliance, including evidence gathering, documentation, and audit coordination.
• Ensure compliance with HIPAA and other healthcare data protection standards.
• Establish, implement, and maintain security policies, procedures, and standards consistent with regulatory and customer expectations.
• Manage third-party risk and vendor security assessments.
• Lead the incident response program, including detection, investigation, communication, and remediation.
• Oversee vulnerability management, penetration testing, and security monitoring.
• Partner with Infrastructure and DevOps teams to secure servers, cloud environments (AWS/Azure), and CI/CD pipelines.
• Integrate secure development lifecycle (SDLC) practices into engineering workflows.
• Stay current on emerging security threats, technologies, and frameworks, and advise leadership accordingly.

IT & Platform Security:

• Collaborate with internal IT to harden employee laptops and mobile devices, ensuring encryption, endpoint protection, and compliance with policy.
• Manage and optimize the company’s mobile device management (MDM) platform.
• Support and guide internal IT in maintaining secure onboarding/offboarding and access management processes.
• Coordinate internal penetration testing efforts and develop recommendations for infrastructure hardening.
• Assist with network and system security, including identity management and monitoring.
• Develop and lead employee security and HIPAA awareness training programs.
• Maintain visibility into and tracking of vulnerabilities and remediation efforts.
• Bachelor’s degree in Computer Science, Information Security, or a related field (or equivalent experience).

5+ years of experience in information security, infrastructure security, or a related role.

• Prior experience in a SaaS or healthcare technology environment required.

Demonstrated experience leading SOC 2 Type II audits and ensuring HIPAA compliance. Strong understanding of AWS cloud security, identity and access management, and data protection best practices. Hands-on experience with endpoint management, laptop hardening, and mobile device management (MDM) tools. Strong troubleshooting, analytical, and problem-solving skills. Excellent communication skills with the ability to work effectively across technical and non-technical teams. Ability to thrive in a collaborative, fast-paced environment.

Preferred:

• Certifications such as CISSP, CISM, CISA, Security+, or HCISPP (Healthcare Information Security & Privacy Practitioner).
• Familiarity with frameworks such as NIST CSF, CIS Controls, or ISO 27001.
• Experience scripting or automating security tasks (Python, PowerShell, Bash).