Director, GRC & Data Protection job opportunity at Phreesia.



Date Posted: 20 days ago
Phreesia: Director, GRC & Data Protection
Experience: 12 years
Work pattern: Remote

Degree: Associate
Location: Remote, Canada

Job Description

This role is open to candidates based in Canada and in the United States only. Candidates must be located in the Eastern or Central Time zones (ET/CT).

Phreesia is looking for a Director, GRC & Data Protection to serve as the CISO's operating partner and lead our GRC and data security programs in a highly product-driven, SaaS environment. This role is ideal for a deeply technical security leader who can move comfortably between audit rooms, architecture reviews, and executive updates: someone who can both design controls and roll up their sleeves to implement them.

The Director, GRC & Data Protection will have overall responsibility and ownership for the design and implementation of Phreesia's security governance, risk, compliance, and data protection architecture and associated strategy. A key objective of this role is to drive simplification, standardization, and security maturity across our products, platforms, and data environments, while enabling Phreesia's continued growth.

This individual's primary responsibilities include leading, designing, and operationalizing security controls and processes across multiple regulatory and industry frameworks, such as PCI DSS (Level 1 service provider), HITRUST CSF, SOC 2, SOX ITGC, HIPAA, and NIST CSF, into a coherent, risk-based program.

The Director, GRC & Data Protection will function as a key contributor to our target-state enterprise and data architectures, ensuring that data security requirements are considered early in the design of new products, platforms, and integrations. This includes informing architecture decisions for cloud services, data platforms, and SaaS applications, with a particular focus on protecting sensitive healthcare and payment data in line with evolving regulatory and customer expectations.

This position will be responsible for collaborating with Legal/Privacy, Product & Engineering, and Phreesia leadership on emerging challenges and opportunities. The Director, GRC & Data Protection will stay current on evolving regulations, security standards, and best practices in domains such as PCI DSS 4.0, HITRUST, SOC 2, and healthcare privacy/security, ensuring Phreesia's governance program anticipates rather than reacts to changes. They will establish and maintain the governance processes, risk registers, and decision forums that guide business leaders toward informed, risk-aware choices about platforms, data usage, and third-party services.

Success in this role requires strong teamwork with our CISO, Legal, Privacy, enterprise architects, Security Engineering, IT, and Product & Engineering leadership. The Deputy CISO will help these teams understand how governance and data security requirements translate into practical, engineering-grade controls and will ensure that control designs, evidence strategies, and remediation plans are both technically sound and auditable.

Candidates for this role must be comfortable leading through both direct management and influence in a highly matrixed environment. You will lead GRC and data-security-focused personnel directly, while also driving outcomes through collaboration with engineering managers, product leaders, infrastructure teams, and internal/external audit stakeholders. This individual has hands-on experience designing, implementing, and communicating controls in restricted and regulated data environments, such as healthcare and payments, and is comfortable working across multiple frameworks and attestations simultaneously (PCI DSS, HITRUST, SOC 2, SOX ITGC, HIPAA/NIST).

The ideal candidate will demonstrate strong analytical, interpersonal, and communication skills, and program management capabilities: able to interpret complex requirements, design practical controls, oversee implementation and testing, and present clear risk and status updates to senior executives and boards. They should be equally comfortable discussing data encryption and segmentation with engineers, explaining audit findings, and walking a customer's security team through Phreesia's control environment.

Job Responsibilities

What you'll do:

- Lead and mature our governance, risk, and compliance program, aligned to NIST CSF 2.0 and our enterprise risk framework.
- Own overall strategy and execution for data security (encryption, backups, DSPM, data lifecycle controls) in close partnership with Product, Engineering, and Infrastructure.
- Serve as the primary infosec leader for PCI DSS Level 1, HITRUST, SOC 2, and SOX ITGC coordination, ensuring evidence (including penetration testing), narratives, and controls are consistent and efficient.
- Partner with product and engineering teams to embed security into software development lifecycles, roadmap planning, and quarterly business reviews.
- Govern and guide Third Party Risk Management (TPRM) objectives.
- Act as a matrixed leader, influencing teams you don't directly manage while providing clear, actionable guidance to executives, developers, and staff.
- Function as backup to the CISO for key decisions, stakeholders, and external meetings with customers, auditors, and regulators.

Qualifications

Education:
- Bachelor's Degree required, advanced degree preferred

Certifications:
- CISSP, CISM, CISA, CRISC, PCI ISA/QSA, or similar preferred

Experience, Knowledge & Skills:
- Experience in healthcare, health IT, payments, or other highly regulated data environments where PCI, HITRUST, SOX, and SOC 2 interact.
- Prior role as Head of GRC, or Security & Compliance lead, for a Level 1 service provider or HITRUST-certified organization.
- 12+ years in information security, with 7+ years in leadership roles across at least two of: GRC, data security, security architecture/engineering, or security assurance.
- Significant experience in a product-driven software development company (e.g., SaaS, cloud platform, or software publisher), working closely with Product Management and Engineering organizations.
- Deep, hands-on experience leading multiple full cycles of all of the following in a cloud/SaaS or otherwise regulated environment:
  - PCI DSS Level 1 service provider RoC with a QSA (scoping, control design, evidence strategy, remediation management).
  - HITRUST CSF readiness and certification/validated assessment.
  - SOX ITGC engagement in a consultative/coordination capacity with Finance/Internal Audit (not necessarily full program ownership).
  - SOC 2 Type II audits against the Trust Services Criteria.
- Strong technical fluency in:
  - Data security architectures (encryption at rest/in transit, tokenization, KMS/HSM, DLP, logging/monitoring).
  - Cloud and SaaS security concepts relevant to PCI/HITRUST/SOC 2 environments.
- Demonstrated ability to design and evaluate controls, not just document them, and to work directly with engineers on implementation details.
- Exceptional written and verbal communication skills, including direct experience presenting to senior executives and boards on security posture, risk, and audit outcomes.
- Proven effectiveness in a highly matrixed organization, influencing cross-functional stakeholders and resolving conflicting priorities.

Who We Are

At Phreesia, we're looking for smart and passionate people to help drive our mission of creating a better, more engaging healthcare experience. We're committed to helping healthcare organizations succeed in an ever-evolving landscape by transforming the way healthcare is delivered. Our SaaS platform digitizes appointment check-in and offers tools to engage patients, improve efficiency, optimize staffing, and enhance clinical care. Phreesia cares about our employees by providing a diverse and dynamic work environment. We're a five-time winner of Modern Healthcare Magazine's Best Places to Work in Healthcare award and we've been recognized on the Bloomberg Gender Equality Index. We are dedicated to continuously improving our employee experience by launching new programs and initiatives. If you thrive in a culture of recognition, value inclusivity, professional development, and growth opportunities, Phreesia could be a great fit!

Top-rated Employee Benefits:
- 100% Remote work + home office expense reimbursements
- Competitive compensation
- Flexible PTO + 8 company holidays
- Monthly reimbursement for cell phone + internet + wellness
- 100% Paid 12-week parental leave to our U.S. employees, as well as a generous parental benefit to our employees in Canada
- Variety of insurance coverage for people (and pets!)
- Continuing education and professional certification reimbursement
- Opportunity to join an Employee Resource Group.

Learn more here: https://www.phreesia.com/workforce/

We strive to provide a diverse and inclusive environment and are an equal opportunity employer.
