Director of Security, GRC
Aledade, a public benefit corporation operating the largest network of independent primary care in the country, is seeking a Director of Governance, Risk & Compliance (GRC) to lead and scale its enterprise GRC program. Reporting directly to the CISO, this role builds out a cohesive framework for risk management, compliance, and certifications while ensuring security, privacy, and governance practices align with regulatory, contractual, and audit expectations.
The Director manages a growing team and owns Aledade's risk program, GRC platforms (including Vanta), and policy framework. The leader is accountable for driving compliance certifications (SOC 2, HIPAA, SOX/ITGC, HITRUST, CPRA), partnering across Security, IT, Product, and Legal to ensure evidence is ready for external audits, and ensuring governance enables both innovation and protection of sensitive patient data.
Key duties include owning the enterprise risk management framework and risk registry with reporting to leadership and the Audit Committee, leading audit preparedness and execution, overseeing the Vanta Trust platform, and developing policies aligned with NIST, ISO 27001, HIPAA, and the AI RMF.
Qualifications
- 10+ years of experience in GRC, Information Security, or related fields, with at least 5 years in leadership roles
- Strong knowledge of risk frameworks and regulatory requirements including SOC 2, HIPAA, SOX/ITGC, HITRUST, and CPRA
- Demonstrated experience preparing organizations for external audits and regulatory certifications
- Hands-on experience with GRC platforms (e.g., Vanta, OneTrust, Archer)
- Preferred: CISA, CISM, CRISC, or CISSP certifications