Director of Information Security

ECP is a market-leading SaaS software solution that enables senior living communities to better care for their residents. ECP is used in over 8,000 communities. We're looking to further expand by increasing the number of customers that use our software and increasing the scope of how we serve our customers by developing and releasing new products.ECP is seeking a Director of Information Security to lead and execute our cybersecurity and compliance strategy. This is a hands-on role responsible for ensuring the confidentiality, integrity, and availability of our systems and customer data within the context of healthcare regulations (HIPAA) and SOC 2 Type II compliance.The ideal candidate brings a blend of technical expertise, regulatory understanding, and practical execution, partnering closely with our Infrastructure and IT teams to strengthen our security posture across the company. You'll manage annual audits, harden systems, guide best practices, and foster a culture of security awareness.This position reports to the VP of Engineering and collaborates cross-functionally with DevOps, Infrastructure, Compliance, and IT.Note: We are open to remote candidates located in the U.S.Cybersecurity:Develop and execute ECP's information security strategy, aligned with business goals and risk toleranceMaintain and evolve SOC 2 Type II compliance, including evidence gathering, documentation, and audit coordinationEnsure compliance with HIPAA and other healthcare data protection standardsEstablish, implement, and maintain security policies, procedures, and standards consistent with regulatory and customer expectationsManage third-party risk and vendor security assessmentsLead the incident response program, including detection, investigation, communication, and remediationOversee vulnerability management, penetration testing, and security monitoringPartner with Infrastructure and DevOps teams to secure servers, cloud environments (AWS/Azure), and CI/CD pipelinesIntegrate secure development lifecycle (SDLC) practices into engineering workflowsStay current on emerging security threats, technologies, and frameworks, and advise leadership accordinglyIT & Platform Security:Collaborate with internal IT to harden employee laptops and mobile devices, ensuring encryption, endpoint protection, and compliance with policyManage and optimize the company's mobile device management (MDM) platformSupport and guide internal IT in maintaining secure onboarding/offboarding and access management processesCoordinate internal penetration testing efforts and develop recommendations for infrastructure hardeningAssist with network and system security, including identity management and monitoringDevelop and lead employee security and HIPAA awareness training programsMaintain visibility into and tracking of vulnerabilities and remediation effortsRequirementsBachelor's degree in Computer Science, Information Security, or a related field (or equivalent experience)5+ years of experience in information security, infrastructure security, or a related rolePrior experience in a SaaS or healthcare technology environment requiredDemonstrated experience leading SOC 2 Type II audits and ensuring HIPAA complianceStrong understanding of AWS cloud security, identity and access management, and data protection best practicesHands-on experience with endpoint management, laptop hardening, and mobile device management (MDM) toolsStrong troubleshooting, analytical, and problem-solving skillsExcellent communication skills with the ability to work effectively across technical and non-technical teamsAbility to thrive in a collaborative, fast-paced environmentPreferred:Certifications such as CISSP, CISM, CISA, Security+, or HCISPP (Healthcare Information Security & Privacy Practitioner)Familiarity with frameworks such as NIST CSF, CIS Controls, or ISO 27001Experience scripting or automating security tasks (Python, PowerShell, Bash)